<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Azure VM-300 Firewall subinterfaces and multiple VNETs in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/azure-vm-300-firewall-subinterfaces-and-multiple-vnets/m-p/1234164#M6098</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42888"&gt;@ocejiasa&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;You can't use sub-interfaces for something like this in Azure. What a lot of deployments will do is simply have a single interface that acts as the "core" zone for all subnets in Azure. Then you'll create UDRs and apply them to all VNETs that are peered with the VNET the PAN is in. The UDRs will direct all traffic through the PAN across that zone and you can simply override the intrazone-default policy to deny and build out policies however you need it.&lt;/P&gt;</description>
    <pubDate>Wed, 16 Jul 2025 21:50:24 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2025-07-16T21:50:24Z</dc:date>
    <item>
      <title>Azure VM-300 Firewall subinterfaces and multiple VNETs</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/azure-vm-300-firewall-subinterfaces-and-multiple-vnets/m-p/1233731#M6087</link>
      <description>&lt;P&gt;I am running a VM-300 series firewall in Azure. I currently have 4 interfaces on the device (management, HA, untrust and trust). In Azure I have 8 VNETs. I would like to send all VNET-to-VNET traffic to the firewall for inspection and policy application. Can I create sub-interfaces (one zone per sub-interface) on the VM-300 to accomplish this? If not, what other options do I have?&lt;/P&gt;</description>
      <pubDate>Thu, 10 Jul 2025 13:50:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/azure-vm-300-firewall-subinterfaces-and-multiple-vnets/m-p/1233731#M6087</guid>
      <dc:creator>ocejiasa</dc:creator>
      <dc:date>2025-07-10T13:50:24Z</dc:date>
    </item>
    <item>
      <title>Re: Azure VM-300 Firewall subinterfaces and multiple VNETs</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/azure-vm-300-firewall-subinterfaces-and-multiple-vnets/m-p/1234164#M6098</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42888"&gt;@ocejiasa&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;You can't use sub-interfaces for something like this in Azure. What a lot of deployments will do is simply have a single interface that acts as the "core" zone for all subnets in Azure. Then you'll create UDRs and apply them to all VNETs that are peered with the VNET the PAN is in. The UDRs will direct all traffic through the PAN across that zone and you can simply override the intrazone-default policy to deny and build out policies however you need it.&lt;/P&gt;</description>
      <pubDate>Wed, 16 Jul 2025 21:50:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/azure-vm-300-firewall-subinterfaces-and-multiple-vnets/m-p/1234164#M6098</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2025-07-16T21:50:24Z</dc:date>
    </item>
  </channel>
</rss>

