article Cloud NGFW for Azure - Forced Tunneling in Cloud NGFW for Azure Articles https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cloud-ngfw-for-azure-forced-tunneling/ta-p/1256484 <DIV class="lia-message-template-content-zone"> <H1><STRONG>Cloud NGFW for Azure</STRONG></H1> <P>&nbsp;</P> <P><SPAN>Cloud NGFW automatically provides source NAT (SNAT) for all outbound traffic to public IP addresses you associate with it. Cloud NGFW doesn’t SNAT when the destination IP address is a private IP address range per IANA RFC 1918.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="cloud ngfw.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71798i91D7645856622C08/image-size/large?v=v2&amp;px=999" role="button" title="cloud ngfw.png" alt="cloud ngfw.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN>By default, outbound internet traffic will be handled by Cloud NGFW, as mentioned below</SPAN></P> <OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>The host machine in the Spoke VNet initiates traffic.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>To route the traffic through Cloud NGFW, create a route table associated with the host subnet part of Spoke VNET. Add a route with the next-hop set to the Cloud NGFW's Private IP address.&nbsp;</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>After the inspection, the cloud NGFW forwards the traffic through the Public Subnet. Cloud NGFW also performs SNAT using its Public IP address before sending out the traffic onto the internet.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Response traffic will follow the same reverse path.</SPAN></LI> </OL> <P><BR /><BR /></P> <H3><STRONG>Forced Tunneling&nbsp;</STRONG></H3> <P>&nbsp;</P> <P><SPAN>You can configure Forced Tunneling on Cloud NGFW to route all Internet-bound traffic to a designated next hop instead of sending it directly to the Internet.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Forced tunneling enables your Cloud NGFW to inspect and then redirect (a.k.a force-tunnel)&nbsp; all internet-bound traffic from Cloud NGFW to your on-premises firewall or to chain it to a nearby network virtual appliance (NVA) for additional inspection</SPAN><SPAN>.</SPAN> <SPAN>. </SPAN><SPAN>This is typically done to enforce additional security policies on your on-premises firewall or to use the on-premises public IP address for Source Network Address Translation (SNAT), thereby avoiding exposure of the Cloud NGFW's public IP address.</SPAN></P> <P>&nbsp;</P> <P><SPAN>There are two primary architectures for forced tunneling:</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Forced Tunneling through the Public Subnet</STRONG><SPAN> (with SNAT performed by Cloud NGFW)</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Forced Tunneling through the Private Subnet</STRONG><SPAN> (no SNAT performed by Cloud NGFW)</SPAN></LI> <LI aria-level="1"><STRONG>Forced Tunneling through Azure Virtual WAN</STRONG></LI> </UL> <P>&nbsp;</P> <H3><STRONG>1. Forced Tunneling Through the Public Subnet (Cloud NGFW SNAT)</STRONG></H3> <P>&nbsp;</P> <P><SPAN>This architecture is for customers who want to control traffic based on </SPAN><STRONG>trust (Private)</STRONG><SPAN> and </SPAN><STRONG>untrust (Public)</STRONG><SPAN> zones on the Cloud NGFW. In this deployment, the Cloud NGFW will perform </SPAN><STRONG>SNAT</STRONG><SPAN> on the traffic before forwarding it.</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="public subnet.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71799iF52D10819AD39EBC/image-size/large?v=v2&amp;px=999" role="button" title="public subnet.png" alt="public subnet.png" /></span></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <BR /> <H4><STRONG><span class="lia-unicode-emoji" title=":gear:">βš™οΈ</span> Configuration Summary</STRONG></H4> <TABLE> <TBODY> <TR> <TD> <P><STRONG>Component</STRONG></P> </TD> <TD> <P><STRONG>Action</STRONG></P> </TD> <TD> <P><STRONG>Details</STRONG></P> </TD> </TR> <TR> <TD> <P><STRONG>Spoke VNet Route Table</STRONG></P> </TD> <TD> <P><SPAN>Add Route</SPAN></P> </TD> <TD> <P><SPAN>Destination: </SPAN><STRONG>0.0.0.0/0</STRONG><SPAN> (Internet)</SPAN></P> <BR /> <P><SPAN>Next Hop: </SPAN><STRONG>Cloud NGFW Private IP address</STRONG></P> </TD> </TR> <TR> <TD> <P><STRONG>Cloud NGFW Public Subnet Route Table</STRONG></P> </TD> <TD> <P><SPAN>Create and Associate</SPAN></P> </TD> <TD> <P><SPAN>Add Route: Destination: </SPAN><STRONG>0.0.0.0/0</STRONG><SPAN> (Internet)</SPAN></P> <BR /> <P><SPAN>Next Hop: </SPAN><STRONG>VNET Gateway</STRONG></P> </TD> </TR> </TBODY> </TABLE> <H4>&nbsp;</H4> <H4><STRONG><span class="lia-unicode-emoji" title=":globe_with_meridians:">🌐</span> Traffic Flow Sequence</STRONG></H4> <P>&nbsp;</P> <OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Traffic is initiated by the host machine part of the Spoke VNet.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The traffic is routed to the </SPAN><STRONG>Cloud NGFW Private IP address</STRONG><SPAN> for inspection (via the Spoke VNet's route table).</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Post inspection, Cloud NGFW attempts to forward the internet traffic through the </SPAN><STRONG>Public Subnet</STRONG><SPAN>.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Cloud NGFW performs </SPAN><STRONG>SNAT</STRONG><SPAN> on the internet traffic using an IP address from its Public Subnet.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The Public Subnet's associated route table forces this traffic to the </SPAN><STRONG>VNET Gateway</STRONG><SPAN>.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The VNET Gateway sends the traffic over the Site-to-Site VPN to the </SPAN><STRONG>on-premises Firewall</STRONG><SPAN>.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The on-premises firewall enforces security policies and forwards the traffic to the internet.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Response traffic follows the same reverse path.</SPAN></LI> </OL> <H3>&nbsp;</H3> <H3><STRONG>2. Forced Tunneling Through the Private Subnet (No Cloud NGFW SNAT)</STRONG></H3> <P>&nbsp;</P> <P><SPAN>This architecture is intended for customers who require </SPAN><STRONG>visibility of the actual source IP address</STRONG><SPAN> from which the traffic was initiated at the On-Premise Firewall. In this deployment, the Cloud NGFW will </SPAN><STRONG>not perform NAT</STRONG><SPAN>.</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="private subnet.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71800i024FDF61FF206F09/image-size/large?v=v2&amp;px=999" role="button" title="private subnet.png" alt="private subnet.png" /></span></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <BR /> <H4><STRONG><span class="lia-unicode-emoji" title=":gear:">βš™οΈ</span> Configuration Summary</STRONG></H4> <TABLE> <TBODY> <TR> <TD> <P><STRONG>Component</STRONG></P> </TD> <TD> <P><STRONG>Action</STRONG></P> </TD> <TD> <P><STRONG>Details</STRONG></P> </TD> </TR> <TR> <TD> <P><STRONG>Spoke VNet Route Table</STRONG></P> </TD> <TD> <P><SPAN>Add Route</SPAN></P> </TD> <TD> <P><SPAN>Destination: </SPAN><STRONG>0.0.0.0/0</STRONG><SPAN> (Internet)</SPAN></P> <BR /> <P><SPAN>Next Hop: </SPAN><STRONG>Cloud NGFW Private IP address</STRONG></P> </TD> </TR> <TR> <TD> <P><STRONG>Cloud NGFW Private Subnet Route Table</STRONG></P> </TD> <TD> <P><SPAN>Create and Associate</SPAN></P> </TD> <TD> <P><SPAN>Add Route: Destination: </SPAN><STRONG>0.0.0.0/0</STRONG><SPAN> (Internet)</SPAN></P> <BR /> <P><SPAN>Next Hop: </SPAN><STRONG>VNET Gateway</STRONG></P> </TD> </TR> <TR> <TD> <P><STRONG>Cloud NGFW Networking &amp; NAT Settings</STRONG></P> </TD> <TD> <P><SPAN>Configure</SPAN></P> </TD> <TD> <P><SPAN>Set </SPAN><STRONG>Additional Prefixes to Private Traffic Range</STRONG><SPAN> to </SPAN><STRONG>0.0.0.0/1,128.0.0.0/1</STRONG></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><STRONG>Note:</STRONG><SPAN> The "Additional Prefixes" configuration is crucial. It causes the Cloud NGFW to consider internet traffic as </SPAN><STRONG>Private Traffic</STRONG><SPAN>. This prevents the traffic from being forwarded towards the Public Subnet and ensures it is sent out using the Private Subnet itself without performing any NAT.</SPAN></P> <P>&nbsp;</P> <H4><STRONG><span class="lia-unicode-emoji" title=":globe_with_meridians:">🌐</span> Traffic Flow Sequence</STRONG></H4> <OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Traffic is initiated by the host machine part of the Spoke VNet.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The traffic is routed to the </SPAN><STRONG>Cloud NGFW Private IP address</STRONG><SPAN> for inspection (via the Spoke VNet's route table).</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The Cloud NGFW attempts to forward the internet traffic through the Public Subnet.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Due to the route table associated with the </SPAN><STRONG>Private Subnet</STRONG><SPAN> and the "Additional Prefixes" configuration, the traffic is sent out using the </SPAN><STRONG>Private Subnet</STRONG><SPAN> and is forced to the </SPAN><STRONG>VNET Gateway</STRONG><SPAN>.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>This traffic is sent without performing any NAT.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The VNET Gateway sends the traffic over the Site-to-Site VPN to the </SPAN><STRONG>on-premises Firewall</STRONG><SPAN>.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The on-premises firewall enforces security policies and forwards the traffic to the internet.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Response traffic will follow the same reverse path.</SPAN></LI> </OL> <BR /><BR /> <H3><STRONG>3. Forced Tunneling through Azure Virtual WAN</STRONG></H3> <P><SPAN>Virtual WAN routing intent allows you to send both private and Internet traffic to Cloud NGFW deployed in the Virtual WAN hub.</SPAN></P> <P><SPAN>While you can break out internet traffic directly through Cloud NGFW, Force Tunneling feature in Azure Virtual WAN enables a new routing capability that allows customers</SPAN></P> <P><SPAN>to inspect internet traffic first via a security solution deployed directly in the hub(Cloud NGFW), then forward it to an on-premises or NVA deployed in a spoke VNET connected to Virtual</SPAN></P> <P><SPAN>WAN for another layer of inspection and breakout.</SPAN></P> <BR /> <P><SPAN>Architecture below demonstrates Force Tunneling via NVA deployed in a Spoke VNET connected to Virtual WAN</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="azure virtual wan.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71802iFF4C28C2B277F7AB/image-size/large?v=v2&amp;px=999" role="button" title="azure virtual wan.png" alt="azure virtual wan.png" /></span></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <BR /> <H4><STRONG><span class="lia-unicode-emoji" title=":gear:">βš™οΈ</span> Configuration Summary</STRONG></H4> <TABLE> <TBODY> <TR> <TD> <P><STRONG>Component</STRONG></P> </TD> <TD> <P><STRONG>Action</STRONG></P> </TD> <TD> <P><STRONG>Details</STRONG></P> </TD> </TR> <TR> <TD> <P><STRONG>Routing Intent and Routing Policies</STRONG></P> </TD> <TD> <P><SPAN>Private Traffic &gt; SaaS Solution</SPAN></P> </TD> <TD> <P><SPAN>Next Hop: </SPAN><STRONG>Cloud NGFW</STRONG></P> </TD> </TR> <TR> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD> <P><SPAN>Additional Prefixes : </SPAN><STRONG>0.0.0.0/0</STRONG><SPAN> (Internet) - This is to Force Tunnel Internet traffic</SPAN></P> </TD> </TR> <TR> <TD>&nbsp;</TD> <TD> <P><SPAN>Internet Traffic &gt; None</SPAN></P> </TD> <TD>&nbsp;</TD> </TR> <TR> <TD> <P><STRONG>Virtual Network Connections</STRONG></P> </TD> <TD> <P><SPAN>Configure</SPAN></P> </TD> <TD> <P><SPAN>Add </SPAN><STRONG>Static route</STRONG><SPAN> to internet(0.0.0.0/0) with next hop as Spoke NVA Firewall.</SPAN></P> <P><SPAN>Disable </SPAN><STRONG>Propagate Default Route</STRONG></P> </TD> </TR> <TR> <TD> <P><STRONG>Cloud NGFW Networking &amp; NAT Settings</STRONG></P> </TD> <TD> <P><SPAN>Configure</SPAN></P> </TD> <TD> <P><SPAN>Set </SPAN><STRONG>Additional Prefixes to Private Traffic Range</STRONG><SPAN> to </SPAN><STRONG>0.0.0.0/1,128.0.0.0/1</STRONG></P> </TD> </TR> </TBODY> </TABLE> <BR /> <H4><STRONG><span class="lia-unicode-emoji" title=":globe_with_meridians:">🌐</span> Traffic Flow Sequence</STRONG></H4> <OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Traffic is initiated by the host machine part of the App VNet.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The traffic is routed to Virtual WAN and Routing Intent within VWAN Hub will forward the traffic to Cloud NGFW for inspection.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The Cloud NGFW after inspection will route the traffic towards Spoke Virtual Network Connection.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Because of the Static Default route within Virtual Network Connection, this traffic will be routed towards NVA Firewall with in the Spoke VNET</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The Spoke NVA Firewall after additional inspection will send the traffic onto the internet using its Public IP address and NAT.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Response traffic will follow the reverse path.</SPAN></LI> </OL> <BR /> <P><SPAN>Architecture below demonstrates Force Tunneling through On-Prem Firewall connected to Virtual WAN over Site to Site VPN</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="site to site vpn.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71803iBAE799FCAABE5826/image-size/large?v=v2&amp;px=999" role="button" title="site to site vpn.png" alt="site to site vpn.png" /></span></SPAN></P> <P>&nbsp;</P> <P><LI-WRAPPER></LI-WRAPPER></P> <BR /> <H4><STRONG><span class="lia-unicode-emoji" title=":gear:">βš™οΈ</span> Configuration Summary</STRONG></H4> <TABLE> <TBODY> <TR> <TD> <P><STRONG>Component</STRONG></P> </TD> <TD> <P><STRONG>Action</STRONG></P> </TD> <TD> <P><STRONG>Details</STRONG></P> </TD> </TR> <TR> <TD> <P><STRONG>Routing Intent and Routing Policies</STRONG></P> </TD> <TD> <P><SPAN>Private Traffic &gt; SaaS Solution</SPAN></P> </TD> <TD> <P><SPAN>Next Hop: </SPAN><STRONG>Cloud NGFW</STRONG></P> </TD> </TR> <TR> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD> <P><SPAN>Additional Prefixes : </SPAN><STRONG>0.0.0.0/0</STRONG><SPAN> (Internet) - This is to Force Tunnel Internet traffic</SPAN></P> </TD> </TR> <TR> <TD>&nbsp;</TD> <TD> <P><SPAN>Internet Traffic &gt; None</SPAN></P> </TD> <TD>&nbsp;</TD> </TR> <TR> <TD> <P><STRONG>Site-to-Site VPN</STRONG></P> </TD> <TD> <P><SPAN>Configure</SPAN></P> </TD> <TD> <P><SPAN>Add Site-to-Site VPN with VWAN Hub VPN Gateway from On-Prem Firewall.</SPAN></P> <P><SPAN>On-Prem Advertises Default route Over VPN</SPAN></P> </TD> </TR> <TR> <TD> <P><STRONG>Cloud NGFW Networking &amp; NAT Settings</STRONG></P> </TD> <TD> <P><SPAN>Configure</SPAN></P> </TD> <TD> <P><SPAN>Set </SPAN><STRONG>Additional Prefixes to Private Traffic Range</STRONG><SPAN> to </SPAN><STRONG>0.0.0.0/1,128.0.0.0/1</STRONG></P> </TD> </TR> </TBODY> </TABLE> <BR /> <H4><STRONG><span class="lia-unicode-emoji" title=":globe_with_meridians:">🌐</span> Traffic Flow Sequence</STRONG></H4> <OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Traffic is initiated by the host machine part of the App VNet.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The traffic is routed to Virtual WAN and Routing Intent within VWAN Hub will forward the traffic to Cloud NGFW for inspection.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The Cloud NGFW after inspection will route the traffic towards VPN Gateway as there is a default route learnt over the VPN Tunnel from On-Prem Firewall.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Internet traffic from the VPN Gateway will sent over the VPN tunnel towards on-prem Firewall</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>On-Prem Firewall after additional inspection will send the traffic onto the internet using its Public IP address and NAT.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Response traffic will follow the reverse path.</SPAN></LI> </OL> <BR /> <P>&nbsp;</P> </DIV> Tue, 16 Jun 2026 12:45:22 GMT rpegada 2026-06-16T12:45:22Z Cloud NGFW for Azure - Forced Tunneling https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cloud-ngfw-for-azure-forced-tunneling/ta-p/1256484 <P>This technical guide explores how to successfully implement forced tunneling architectures across your Azure environment. Whether you need to maintain complete visibility of the original source IP through a private subnet or route inspected traffic seamlessly across Azure Virtual WAN, you will find the precise route table configurations, configuration summaries, and traffic flow sequences needed to establish secure, multi-layered inspection paths.</P> Tue, 16 Jun 2026 12:45:22 GMT https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cloud-ngfw-for-azure-forced-tunneling/ta-p/1256484 rpegada 2026-06-16T12:45:22Z