topic Re: Request for SD-WAN Deployment Documentation in Azure in Advanced SD-WAN for NGFW Discussions

Request for SD-WAN Deployment Documentation in Azure

kganesh — Tue, 21 Apr 2026 16:04:48 GMT

I need to integrate the Palo Alto firewalls deployed in Azure into our existing SD-WAN setup. Currently, seven offices are already connected through SD-WAN. The Azure VM‑500 firewalls are configured in an active‑passive setup and are managed via Panorama.
It would be very helpful if you could share any SD-WAN deployment documentation or reference material to guide this integration.

Re: Request for SD-WAN Deployment Documentation in Azure

lucy98dana — Mon, 27 Apr 2026 06:07:18 GMT

At a high level, the recommended approach is to treat Azure as another SD-WAN site (or hub) rather than just a standalone security zone. You can terminate SD-WAN tunnels (IPsec or GRE/IPsec depending on your vendor) directly on the VM-500 firewalls. Each of your seven branch offices would then establish tunnels to the Azure firewalls, allowing centralized inspection and routing. If your SD-WAN solution supports dynamic path selection, you can integrate Azure as an additional path and apply policies for traffic steering (e.g., SaaS via internet breakout, internal apps via Azure).

Re: Request for SD-WAN Deployment Documentation in Azure

kiwi — Tue, 28 Apr 2026 13:58:24 GMT

Hi @kganesh ,

On-prem firewalls use Gratuitous ARP (GARP) to handle failover, but Azure doesn't support GARP afaik.

Treat Azure as your "Hub." You’ll terminate your SD-WAN tunnels on an Azure Standard Load Balancer (ALB) front-end IP rather than the firewalls directly.
Health Probes: The ALB uses health probes to monitor the VM-500s. It only sends SD-WAN traffic to whichever unit is currently "Active," ensuring your branch offices always stay connected to the right gateway.

Since you’re already using Panorama, do not manually build these IPsec tunnels one by one.

The Plugin: Install the SD-WAN Plugin for Panorama.
The Workflow: Define your Azure VM-500s as a "Hub" and your seven offices as "Branches". Panorama will then automate the entire mess of IKE gateways, IPsec profiles, and BGP peering across the whole environment.

For a setup with seven offices, static routes will eventually break your brain so :

Use BGP to propagate routes between Azure and your offices.
If you want to avoid managing dozens of User-Defined Routes (UDRs) in Azure, look into Azure Route Server (ARS). It allows your firewalls to "talk" directly to the Azure VNet, automatically updating the routing table whenever a new branch subnet is added.

Some reference links:

Palo Alto SD-WAN Admin Guide: Specifically the Enable SD-WAN with Auto VPN section.
Azure Architecture Center: The Highly Available NVA Guide explains why you need that Load Balancer.
Panorama Plugin Setup: How to install and configure the SD-WAN plugin.

Hope this helps,

Re: Request for SD-WAN Deployment Documentation in Azure

kganesh — Wed, 13 May 2026 03:00:40 GMT

Hi kiwi ,

Thanks for the sharing detail information, however ,the current SD-WAN deployment is configured in a full mesh topology (not hub-and-branch). We now need to onboard an Azure VM-Series (VM-500) firewall into the existing SD-WAN setup as a new branch.

To achieve this, I am planning to use the public IP assigned to the untrust interface on the Azure firewall for establishing Auto VPN/IPsec tunnels with the other branch offices.

Please let me know if this approach looks good or if you have any recommendations.

Re: Request for SD-WAN Deployment Documentation in Azure

balford_78 — Mon, 25 May 2026 16:28:18 GMT

I have a similar setup - I have multiple HUB's for my Data Centers and I setup my Azure Firewalls in a HA Active/Passive pair. The Azure pair is setup as another branch site. The setup for my untrust interface is both firewalls are configured in Panorama with a /32 - while a secondary address is configured with the SM of the size of your subnet. There is some other configuration needed in Panorama for the Azure Plugin that will launch an API that will failover the secondary IP address to the standby address upon HA failover. *NOTE: The issue I have run into is this failover design takes approximately 4 minutes to run until the secondary interface is active on the failed over unit. Don't forget about your NSG and Routes are important to configure in the Azure side to ensure you aren't blocking traffic at the Azure level. This guide discussed this setup and I do have it working in my production. I am tempted to LAB out the Azure Front End Load Balancer though to see if this would solve the 4 minute failover time. As discussed by others BGP is the easiest way and the autovpn will connect to all "mesh" sites automatically and share the BGP routes with minimal work.

This document is what I followed to configure my setup for a full mesh.

Set up Active/Passive HA on Azure