07-10-2025 06:50 AM
I am running a VM-300 series firewall in Azure. I currently have 4 interfaces on the device (management, HA, untrust and trust). In Azure I have 8 VNETs. I would like to send all VNET-to-VNET traffic to the firewall for inspection and policy application. Can I create sub-interfaces (one zone per sub-interface) on the VM-300 to accomplish this? If not, what other options do I have?
07-16-2025 02:50 PM
You can't use sub-interfaces for something like this in Azure. What a lot of deployments will do is simply have a single interface that acts as the "core" zone for all subnets in Azure. Then you'll create UDRs and apply them to all VNETs that are peered with the VNET the PAN is in. The UDRs will direct all traffic through the PAN across that zone and you can simply override the intrazone-default policy to deny and build out policies however you need it.
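An added example, not part of the reply above: a check that each spoke VNET's routes actually force traffic for every other spoke through the firewall, using Azure's route selection rule (longest prefix match, with a UDR winning over a system route of equal length). The firewall IP, address prefixes, spoke names and route tables are constructed sample data, and the system routes are a simplified sample of what a hub-peered spoke would show.

```python
import ipaddress as ip

# Constructed sample data (assumptions, not from the thread): firewall trust IP and prefixes.
FIREWALL_IP = "10.0.1.4"
HUB = "10.0.0.0/16"
SPOKES = {"spoke1": "10.1.0.0/16", "spoke2": "10.2.0.0/16", "spoke3": "10.3.0.0/16"}
# Extra system routes from direct spoke-to-spoke peerings (spoke2 <-> spoke3 here).
DIRECT_PEERINGS = {"spoke2": ["10.3.0.0/16"], "spoke3": ["10.2.0.0/16"]}
# UDRs per spoke: (prefix, next_hop_type, next_hop_ip).
UDRS = {
    "spoke1": [("10.2.0.0/16", "VirtualAppliance", FIREWALL_IP)],  # route to spoke3 forgotten
    "spoke2": [("10.0.0.0/8", "VirtualAppliance", FIREWALL_IP)],   # summary route only
    "spoke3": [("10.1.0.0/16", "VirtualAppliance", "10.0.1.99"),   # stale appliance IP
               ("10.2.0.0/16", "VirtualAppliance", FIREWALL_IP)],
}

def effective_routes(spoke):
    """Sample system routes for a hub-peered spoke plus its UDRs: (net, source, type, ip)."""
    system = [(SPOKES[spoke], "VnetLocal"), (HUB, "VNetPeering")]
    system += [(p, "VNetPeering") for p in DIRECT_PEERINGS.get(spoke, [])]
    routes = [(ip.ip_network(p), "system", t, None) for p, t in system]
    routes += [(ip.ip_network(p), "udr", t, h) for p, t, h in UDRS.get(spoke, [])]
    return routes

def select_route(routes, dest):
    """Longest prefix match; on equal prefix length a UDR beats a system route."""
    covering = [r for r in routes if dest.subnet_of(r[0])]
    return max(covering, key=lambda r: (r[0].prefixlen, r[1] == "udr"), default=None)

def find_bypasses():
    """Return (src, dst, reason) for every spoke pair not forced through the firewall."""
    gaps = []
    for src in SPOKES:
        routes = effective_routes(src)
        for dst, prefix in SPOKES.items():
            if dst == src:
                continue
            route = select_route(routes, ip.ip_network(prefix))
            if route is None:
                gaps.append((src, dst, "no route"))
            elif (route[2], route[3]) != ("VirtualAppliance", FIREWALL_IP):
                gaps.append((src, dst, f"{route[2]} {route[3] or ''}".strip()))
    return gaps

if __name__ == "__main__":
    for gap in find_bypasses():
        print("not inspected:", *gap)
```

In the sample, the summary UDR on spoke2 loses to the more specific peering route for spoke3, while the equal-length UDR on spoke3 wins over its peering route for spoke2.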