Source and Destination NAT for PA-VM on Azure Cloud with VPN tunnel

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Source and Destination NAT for PA-VM on Azure Cloud with VPN tunnel

L0 Member

Hello everyone,


I am working on a project to deploy a Cluster of two Palo Alto VM's on Azure. While designing the solution with an internal and external Loadbalancer (you can see the picture in my post) i don't know if i need to configure Public IP address in both Firewall's external interfaces to handle a source NAT for internal resources and also a destination NAT or just put a public IP address in the external loadbalancer only.


We need VPN IPSEC tunnels in the external interfaces, Public IP adresses have to be configured directly on the Firewall in this case? if no (only in external loadbalancer), in the VPN configuration the Peer IP address should be the loadbalancer Public IP address ?


Thank you in advance,



Cyber Elite
Cyber Elite

You can enable NAT traversal and use internal IPs on the firewall, you can then use FQDN or userFQDN as local identification

the remote peer will need to use the load balancer public IP (or can even have dynamic)



Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L1 Bithead

@reaper any documents which can help me in configuring ipsec vpn tunnels on these palo alto vm-series firewalls configured in HA (Active/Passive) in Azure. @louey11  any luck on this, were you able to configure IPSEC vpn tunnels?

  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!