So I ended up raising a ticket with Palo Alto support and they helped with this (seriously impressed with their support!). It turns out that other post was a big hint - https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-no-arp/td-p/259088

In the reference architecture guide (https://www.paloaltonetworks.com/resources/guides/azure-architecture-guide), on page 29 it says:

"By default, when a firewall interface obtains a default gateway from DHCP, it installs a default route. To ensure proper traffic flow, you should modify the firewall configuration so that default routes are static and not obtained through DHCP. To allow the firewall to reach virtual machines and services within the VNet, set up static routes to the VNet internal networks on the firewall's private interface. Even though Azure networking does not use traditional forwarding, you still configure the route's next hop as if the network has a default gateway. Azure reserves the first address in the subnet (example: .1 in a /24) as the subnet's default router address."

So all I needed to do was update my virtual routes to point to .1 of the interface subnet. In a subnet, Azure reserves the first 5 IP addresses for itself. It seems that .1 is the gateway address for the subnet.

Regarding the outbound internet access, I was pretty close... In the reference architecture guide, on page 32 it states:

"For virtual machines behind the firewall to communicate to devices on the internet, the firewall must translate the source IP address of the outbound traffic to an IP address on the public subnet. Azure then translates the source IP address again as the outbound traffic leaves the VNet. When you associate a public IP address with an internal IP address used in the NAT policy, Azure translates the outbound traffic to the public IP address."

So what I did was create a Public IP and associate it to my public NIC. Then on the PA, I switched to static IP allocation for the public interface. I manually added 10.110.2.4 and the public IP address. Then in my NAT rules, I added Dynamic Host and Port, changed to interface, selected ethernet1/1 and put in the 10.110.2.4 address (not the public address), and I then got the outbound working.

I'm seriously impressed with the Palo Alto support. 2/3 hours after I raised the ticket, I was on a Zoom call and my problems were resolved. So the answer was in the documentation all along - who'd have guessed!
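As an added example (not part of the original post, and not Palo Alto's own code), the script below derives the Azure subnet router address from the interface prefix and emits PAN-OS `set` commands for the two fixes described above: static routes whose next hop is .1 of the interface's own subnet, and a dynamic-ip-and-port source NAT rule that translates to the firewall's private address on the public subnet rather than the Azure public IP. It also refuses the common mistake of putting the public IP (or the subnet's router address) into the NAT rule. Only 10.110.2.4 and ethernet1/1 come from the post; the VNet range, subnets, ethernet1/2, zone names, rule name and the public IP 20.0.0.5 are constructed, and the exact PAN-OS CLI keyword layout is from memory and should be checked against the PAN-OS CLI reference before use.

```python
import ipaddress

# Constructed, hypothetical topology: the post only gives 10.110.2.4 as the
# public interface's private address and ethernet1/1 as the public interface.
VNET_CIDR = "10.110.0.0/16"
PUBLIC_IFACE = "ethernet1/1"
PUBLIC_IFACE_CIDR = "10.110.2.0/24"
PRIVATE_IFACE = "ethernet1/2"
PRIVATE_IFACE_CIDR = "10.110.3.0/24"
AZURE_PUBLIC_IP = "20.0.0.5"  # hypothetical public IP associated with the NIC


def azure_subnet_gateway(cidr: str) -> str:
    """Azure uses the first address of a subnet (.1 in a /24) as the subnet's
    default router. Derive it from the prefix instead of trusting a
    DHCP-learned default gateway."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses < 8:
        raise ValueError(f"{cidr}: Azure subnets must be /29 or larger")
    return str(net.network_address + 1)


def static_route_cmds(vr: str, iface: str, iface_cidr: str, destinations) -> list:
    """PAN-OS 'set' commands for static routes via the Azure default router
    of the interface's own subnet (CLI layout is an assumption to verify)."""
    gw = azure_subnet_gateway(iface_cidr)
    name = iface.replace("/", "-")
    return [
        f"set network virtual-router {vr} routing-table ip static-route "
        f"azure-{name}-{i} destination {dest} interface {iface} nexthop ip-address {gw}"
        for i, dest in enumerate(destinations, start=1)
    ]


def check_nat_source(public_iface_cidr: str, translated_ip: str, public_ip: str) -> list:
    """Return the problems with a proposed source-NAT address (empty = OK).
    The translated address must be the firewall's own private address on the
    public subnet; Azure performs the second translation to the public IP."""
    problems = []
    net = ipaddress.ip_network(public_iface_cidr, strict=False)
    addr = ipaddress.ip_address(translated_ip)
    if addr == ipaddress.ip_address(public_ip):
        problems.append("translated address is the Azure public IP; use the private interface address")
    if addr not in net:
        problems.append(f"{translated_ip} is not in the public interface subnet {public_iface_cidr}")
    elif addr == net.network_address + 1:
        problems.append(f"{translated_ip} is the subnet's Azure default router address")
    return problems


def outbound_nat_cmds(rule: str, from_zone: str, to_zone: str, public_iface: str,
                      public_iface_cidr: str, translated_ip: str, public_ip: str) -> list:
    """PAN-OS 'set' commands for a dynamic-ip-and-port source NAT rule bound to
    the public interface address (CLI layout is an assumption to verify)."""
    problems = check_nat_source(public_iface_cidr, translated_ip, public_ip)
    if problems:
        raise ValueError("; ".join(problems))
    base = f"set rulebase nat rules {rule}"
    return [
        f"{base} from {from_zone} to {to_zone} source any destination any "
        f"service any to-interface {public_iface}",
        f"{base} source-translation dynamic-ip-and-port interface-address "
        f"interface {public_iface} ip {translated_ip}",
    ]


def build_config() -> list:
    """Assemble the commands for the constructed topology: VNet route via the
    private interface, static default route via the public interface, and the
    outbound NAT rule translating to 10.110.2.4 (not the public IP)."""
    cmds = static_route_cmds("default", PRIVATE_IFACE, PRIVATE_IFACE_CIDR, [VNET_CIDR])
    cmds += static_route_cmds("default", PUBLIC_IFACE, PUBLIC_IFACE_CIDR, ["0.0.0.0/0"])
    cmds += outbound_nat_cmds("outbound-internet", "trust", "untrust", PUBLIC_IFACE,
                              PUBLIC_IFACE_CIDR, "10.110.2.4", AZURE_PUBLIC_IP)
    return cmds


if __name__ == "__main__":
    for cmd in build_config():
        print(cmd)
```

Running it prints four commands; swapping `"10.110.2.4"` for `AZURE_PUBLIC_IP` in `build_config` makes `outbound_nat_cmds` raise, which is the misconfiguration the guide's page 32 warns against.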