In our reference architecture and companion deployment guide, we do not typically recommend terminating the VPNs on the Virtual Appliance running in Azure. This is because you will need to use SNAT to enforce return path routing through the proper firewall to prevent asymmetric routing, as we cannot extend BGP from the firewalls to the Azure Route Table. Instead, you may consider terminating the VPN on the Azure VPN Gateway and use our backhaul routing design to force all traffic to and from the Gateway subnet through the firewall utilizing UDRs and the Load Balancer. https://www.paloaltonetworks.com/resources/reference-architectures/azure
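The backhaul design described in that reply, as an added Bicep example that is not from the reference architecture or the post: one route table for the GatewaySubnet and one for the workload subnets, both sending traffic to the internal Load Balancer in front of the firewalls. All address ranges, names and the ILB front-end IP are assumptions.

```bicep
// Added illustration, not the reference architecture's own template.
// Assumed addresses: hub workload subnet 10.0.10.0/24, spoke VNet 10.1.0.0/16,
// on-prem 192.168.0.0/16, internal Load Balancer front end 10.0.2.4 (the ILB
// sits in front of the firewalls and needs an HA-ports rule to forward all traffic).
param location string = resourceGroup().location
param ilbFrontendIp string = '10.0.2.4'
param onPremPrefix string = '192.168.0.0/16'
param workloadPrefixes array = [
  '10.0.10.0/24'
  '10.1.0.0/16'
]

// Associate with the GatewaySubnet: traffic arriving over the VPN is steered to
// the firewalls instead of straight to the workloads. Use specific prefixes only:
// a 0.0.0.0/0 route on the GatewaySubnet breaks the gateway, and Azure does not
// allow disabling BGP route propagation on the GatewaySubnet's route table.
resource rtGatewaySubnet 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-gatewaysubnet'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [for (prefix, i) in workloadPrefixes: {
      name: 'workload-${i}-via-fw'
      properties: {
        addressPrefix: prefix
        nextHopType: 'VirtualAppliance'
        nextHopIpAddress: ilbFrontendIp
      }
    }]
  }
}

// Associate with every workload/spoke subnet: return traffic toward on-prem goes
// to the firewalls, and BGP propagation is disabled so the gateway's learned
// on-prem routes cannot create a direct path around them (the asymmetric case).
resource rtWorkload 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-workload'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'onprem-via-fw'
        properties: {
          addressPrefix: onPremPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: ilbFrontendIp
        }
      }
    ]
  }
}
```

Because both directions now traverse the ILB, the firewalls see each flow symmetrically and no SNAT is needed for the VPN path.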