I am trying to find a solution to an issue we have where we don't want to add routes from Azure (via ExpressRoute) to on-premises for public IPs that Azure devices need to connect to via a Palo Alto firewall and across a VPN to a third party.
At the moment we have configured an FQDN NAT on our Palo Alto firewalls (where the connection routes through), and currently our internal DNS is learning the name resolution externally, so the connection kind of works for now. However, we need to add DNS zones and entries for where we are trying to connect to, which will map the FQDN to the NAT address, and that will break the connection.
I have had a look at DNS proxy and I don't think that will work, as we don't want to configure the Azure hosts with the firewall IP address for DNS, since that will break other things.
I suspect we are going to have to bite the bullet and allow the routing across from Azure, unless there is a means of making external DNS work for this specific traffic.
If you only add the entries you need to your internal DNS, why, and which, connections will be broken by this?
If you only need a few entries, then NAT seems to me like a good solution; if everything is passing through your firewall, then I think you don't even need to mess with static DNS entries for this.
... or I don't understand your issue correctly 😛
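An added configuration sketch (not from the thread, and not Palo Alto's own documentation) of the NAT-plus-static-DNS approach suggested in the reply above. Zone names, object names, hostnames and addresses are placeholders; the set-format CLI lines are written from memory and should be checked against your PAN-OS version. The one detail worth getting right: the firewall resolves FQDN address objects with the DNS servers (or DNS proxy object) configured under Device > Setup > Services, not with whatever DNS the Azure hosts use, so the internal override that sends Azure clients to the NAT address does not have to be seen by the firewall at all.

```text
# --- Constructed example; all names and addresses are placeholders ---

# 1) Internal DNS (the zone the Azure hosts query). The partner name is
#    overridden to an on-prem private "NAT address" that is already
#    advertised over ExpressRoute and lands on the Palo Alto, so no public
#    prefix has to be routed from Azure.
#      api.partner.example.   IN  A   10.250.1.10

# 2) PAN-OS. Point the firewall's own resolver at a server that answers with
#    the real (external) address. If this pointed at the internal DNS above,
#    the FQDN object would resolve to 10.250.1.10 and the NAT rule would
#    translate the destination to itself, which is the breakage feared in
#    the original post. A DNS proxy object can be selected here instead of
#    fixed servers (dns-setting dns-proxy-object <name>).
set deviceconfig system dns-setting servers primary 203.0.113.53

# Address objects: the FQDN the third party publishes, and the NAT address
# the Azure hosts are given by internal DNS.
set address partner-api-fqdn fqdn api.partner.example
set address partner-api-nat ip-netmask 10.250.1.10/32

# Destination NAT: Azure -> NAT address becomes Azure -> current resolution
# of the FQDN. Using an FQDN object as the translated address needs
# PAN-OS 9.0 or later; on those versions the "dynamic-destination-translation"
# form may be required instead of "destination-translation" (verify on your
# release).
set rulebase nat rules azure-to-partner-api from azure to vpn-partner source any destination partner-api-nat service any to-interface any destination-translation translated-address partner-api-fqdn

# Security policy is evaluated on the pre-NAT destination address and the
# post-NAT destination zone.
set rulebase security rules allow-azure-to-partner-api from azure to vpn-partner source any destination partner-api-nat application any service application-default action allow

# 3) Checks after commit (operational commands, from memory):
#    request system fqdn refresh      -> force an FQDN re-resolve
#    show dns-proxy fqdn all           -> confirm partner-api-fqdn resolved to
#                                         the external address, not 10.250.1.10
```

Two things to confirm before relying on this: that 10.250.1.10 (or whatever NAT address you choose) is reachable from Azure through the firewall and is routed on the firewall toward the zone you named in the NAT rule's "to" field, and that the FQDN object's refresh interval is short enough for the third party's DNS TTL; if the partner moves addresses between refreshes, sessions will be translated to a stale IP until the next resolution.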