https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/seamlessly-migrate-vnet-traffic-from-azure-firewall-to-palo-alto/ta-p/1255235 <DIV class="lia-message-template-content-zone"> <P><SPAN>This article explains how to migrate VNET traffic from being inspected by Azure Firewall to the Cloud NGFW by Palo Alto Networks without disrupting communications across production applications.<BR /><BR /></SPAN></P> <P><div class="video-embed-center video-embed"><iframe class="embedly-embed" src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FV-odF_JGqSc%3Ffeature%3Doembed&amp;display_name=YouTube&amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DV-odF_JGqSc&amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FV-odF_JGqSc%2Fhqdefault.jpg&amp;type=text%2Fhtml&amp;schema=youtube" width="200" height="112" scrolling="no" title="Production VNETs migration from Azure Firewall to Cloud NGFW." frameborder="0" allow="autoplay; fullscreen; encrypted-media; picture-in-picture" allowfullscreen="true"></iframe></div></P> <P><STRONG><BR />Problem Description:</STRONG><STRONG><BR /></STRONG><SPAN>As organizations expand their cloud infrastructure, security requirements inevitably become more sophisticated. While many enterprises initially implement native security services such as </SPAN><STRONG>Azure Firewall</STRONG><SPAN>, they often require the advanced threat prevention, comprehensive application visibility, and centralized management capabilities provided by Palo Alto Networks </SPAN><STRONG>Cloud NGFW for Azure</STRONG><SPAN>.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>In large-scale enterprise environments, immediate full-scale migrations are often impractical. When managing numerous production Virtual Networks (VNETs), attempting a comprehensive migration within a restricted timeframe presents a significant risk of prolonged service interruptions.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Adopting a phased migration strategy is considered the industry standard; however, this approach necessitates addressing a critical technical challenge: the secure, concurrent operation of both firewall solutions while maintaining uninterrupted traffic flows.</SPAN></P> <P>&nbsp;</P> <H3><STRONG>The Challenge: The Asymmetric Routing&nbsp;</STRONG></H3> <P><SPAN>The primary obstacle during a phased migration is asymmetric routing. Consider this common scenario during a phased migration:</SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>VNET A User-Defined Routes (UDR) has been successfully updated with the next hop to be the Cloud NGFW.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>VNET B is still waiting in the migration queue and its UDR points to the legacy Azure Firewall.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Both firewalls live in their own designated subnets within a centralized Hub VNET.</SPAN></LI> </UL> <DIV id="tinyMceEditorvmehta19_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><SPAN>When an application in VNET A initiates a connection to a service in VNET B:</SPAN></P> <OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>The Outbound Path: VNET A forwards the traffic to the CNGFW, based on its updated UDR. CNGFW inspects it and sends it onward to VNET B.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The Return Path: VNET B receives the packet. When it replies, its legacy UDR dictates that the return traffic must go to the Azure Firewall.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Packet Drops: Azure Firewall receives the return packet but has no record of the initial handshake. Recognizing this as an invalid stateful connection, it drops the traffic. Communication breaks.</SPAN></LI> </OL> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2026-06-02 at 10.45.18 AM.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71529iF6F22835A1A5E0AA/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2026-06-02 at 10.45.18 AM.png" alt="Screenshot 2026-06-02 at 10.45.18 AM.png" /></span></SPAN></P> <H3><STRONG>The Solution: Inter-Firewall Routing Co-existence</STRONG></H3> <P><SPAN>To prevent asymmetric routing, the firewalls must be explicitly instructed to hand off traffic to one another when communicating across the migration boundary. This is achieved by strategically updating the UDRs attached to the </SPAN><STRONG>Firewall Subnets </STRONG>themselves<SPAN> in tandem with Spoke VNET updates. By manipulating the next-hop routing logic inside the Hub, you ensure that both the forward and return paths traverse the exact same firewall.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>To make VNET A (on CNGFW) and VNET B (on Azure Firewall) talk seamlessly, apply the following workaround:</SPAN></P> <OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>CNGFW Private Subnet UDR: Add a route targeting VNET B's IP space, specifying the next hop as the Azure Firewall Private IP.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Azure Firewall Subnet UDR: Add a route targeting VNET A's IP space, specifying the next hop as the Cloud NGFW Private IP.</SPAN></LI> </OL> <P><SPAN>With these rules in place, if Application VNET A talks to the Application in VNET B:</SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>VNET A sends traffic to CNGFW.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>CNGFW checks its local subnet UDR, sees the route for VNET B, and forwards the packet to Azure Firewall.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Azure Firewall evaluates the state, inspects it, and sends it to VNET B.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The return path mirrors this logic in reverse, ensuring stateful symmetry is maintained across both appliances.</SPAN></LI> </UL> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="workaround.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71530iFF46D3FB52777AF4/image-size/medium?v=v2&amp;px=400" role="button" title="workaround.jpg" alt="workaround.jpg" /></span></SPAN></P> <P><STRONG>Scaling to multiple VNETs: Operationalizing the Migration</STRONG></P> <P><SPAN>As each individual VNET's UDR is updated to have a next hop of the CNGFW, you must correspondingly update the UDRs of these firewalls. By utilizing phased routing approach, you ensure that regardless of where a VNET is in the migration pipeline, the firewalls know exactly how to hand off traffic to their counterpart for environments that haven't been cut over yet.</SPAN></P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Vishal - Scale.jpeg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71531i3FCF6400D0C0B2CF/image-size/medium?v=v2&amp;px=400" role="button" title="Vishal - Scale.jpeg" alt="Vishal - Scale.jpeg" /></span></P> <P><STRONG>Important considerations:</STRONG></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>When planning this scaled approach, it is crucial to keep Azure's route table limits in mind. As detailed in</SPAN><A href="https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#:~:text=Each%20subnet%20can%20have%20zero,contain%20up%20to%20400%20UDRs." target="_blank"> <SPAN>Microsoft's Virtual Network UDR overview</SPAN></A><SPAN>, each subnet can have zero or one route table associated with it, and a route table can contain up to 400 UDRs. Leverage route-summarization where possible to prevent sprawl of static routes and accidental misconfigurations.&nbsp;</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>If the CNGFW and Azure Firewall are deployed in different Hub VNets, then the above solution still applies, however ensure that VNet peering is enabled between these Hub VNets.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Simplify the translation of your legacy Azure Firewall rules by using the Cloud Firewall Policy Migration tool in Strata Cloud Manager to automatically discover, analyze, and import your existing policies. For more details, see TechDocs </SPAN><A href="https://docs.paloaltonetworks.com/cloud-ngfw-azure/administration/protect-traffic-with-cloud-ngfw-for-azure/cloud-ngfw-for-azure-strata-cloud-manager-policy-management/migrate-azure-firewall-policy-to-cloud-ngfw-azure" target="_blank"><SPAN>article</SPAN></A><SPAN> and Live Community </SPAN><A href="https://live.paloaltonetworks.com/t5/community-blogs/elevating-cloud-security-seamlessly-migrate-aws-amp-azure/ba-p/1251680" target="_blank"><SPAN>blog-post</SPAN></A><SPAN>.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Even though changing UDRs on Firewall subnets, doesn’t impact other traffic flows, as a best practice make these changes in maintenance window.&nbsp;</SPAN></LI> </UL> </DIV> Tue, 02 Jun 2026 17:55:44 GMT vmehta19 2026-06-02T17:55:44Z https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/seamlessly-migrate-vnet-traffic-from-azure-firewall-to-palo-alto/ta-p/1255235 <P><SPAN>This article explains how to migrate VNET traffic from being inspected by Azure Firewall to the Cloud NGFW by Palo Alto Networks without disrupting communications across production applications.</SPAN></P> Tue, 02 Jun 2026 17:55:44 GMT https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/seamlessly-migrate-vnet-traffic-from-azure-firewall-to-palo-alto/ta-p/1255235 vmehta19 2026-06-02T17:55:44Z