04-02-2025 11:25 PM
I've been checking the official Azure deployment guide, section Deploying Outbound and East-West Security.
https://www.paloaltonetworks.com/resources/guides/azure-transit-vnet-deployment-guide
What I don't understand is why SNAT is not required for E/W traffic while it is required for inbound traffic.
What makes LB use the same FW for return traffic in E/W scenario but not for inbound connections?
04-03-2025 01:37 AM
OK, maybe I found the answer to this; for E/W you use internal load balancing, where you have the "HA ports" option in the LB rule, which enables LB for all traffic and causes the internal LB to do load balancing per flow (instead of per packet, I guess).
High availability ports overview definition by MS:
"Azure Standard Load Balancer helps you load-balance all protocol flows on all ports simultaneously when you're using an internal load balancer via HA Ports.
High availability (HA) ports are a type of load balancing rule that provides an easy way to load-balance all flows that arrive on all ports of an internal standard load balancer. The load-balancing decision is made per flow. This action is based on the following five-tuple connection: source IP address, source port, destination IP address, destination port, and protocol"
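As an added illustration (not part of the thread, and not code from Palo Alto Networks or Microsoft), the following Python model shows what the quoted definition means by a per-flow decision on the five-tuple, and contrasts it with a per-packet round robin. The backend names (fw-a, fw-b), the sample spoke-to-spoke flows and the hash function are all constructed for this example; the optional "symmetric" variant, which sorts the two endpoints before hashing so that a packet and its reply share one flow key, is a design choice of this model used to show why flow symmetry matters for return traffic through an NVA, not a description of how the Azure load balancer hashes internally.

```python
import hashlib
import ipaddress
from itertools import cycle
from typing import List, Sequence, Tuple

# (src_ip, src_port, dst_ip, dst_port, protocol)
FiveTuple = Tuple[str, int, str, int, str]

# Hypothetical backend pool: two firewall NVAs behind the internal LB.
BACKENDS: List[str] = ["fw-a", "fw-b"]


def flow_key(pkt: FiveTuple, symmetric: bool) -> bytes:
    """Serialize the 5-tuple into the bytes that get hashed.

    With symmetric=True the (ip, port) endpoints are sorted before hashing,
    so a packet and its reply produce the same key. This canonicalization is
    a design choice of this model, not a statement about Azure's internal hash.
    """
    src_ip, src_port, dst_ip, dst_port, proto = pkt
    a = (ipaddress.ip_address(src_ip).packed, src_port)
    b = (ipaddress.ip_address(dst_ip).packed, dst_port)
    if symmetric and b < a:
        a, b = b, a
    return (a[0] + a[1].to_bytes(2, "big")
            + b[0] + b[1].to_bytes(2, "big")
            + proto.encode("ascii"))


def pick_backend(pkt: FiveTuple, backends: Sequence[str] = BACKENDS,
                 symmetric: bool = False) -> str:
    """Per-flow decision: hash the 5-tuple and map it onto the pool."""
    digest = hashlib.sha256(flow_key(pkt, symmetric)).digest()
    return backends[int.from_bytes(digest[:8], "big") % len(backends)]


def distribute_per_flow(packets: Sequence[FiveTuple],
                        backends: Sequence[str] = BACKENDS,
                        symmetric: bool = False) -> List[str]:
    """Every packet of one flow hashes identically, so it hits one backend."""
    return [pick_backend(p, backends, symmetric) for p in packets]


def distribute_per_packet(packets: Sequence[FiveTuple],
                          backends: Sequence[str] = BACKENDS) -> List[str]:
    """Contrast case: a per-packet round robin ignores the flow entirely."""
    rr = cycle(backends)
    return [next(rr) for _ in packets]


def reverse(pkt: FiveTuple) -> FiveTuple:
    """The 5-tuple of the reply packet for a given forward packet."""
    s_ip, s_p, d_ip, d_p, proto = pkt
    return (d_ip, d_p, s_ip, s_p, proto)


def return_path_symmetry(flows: Sequence[FiveTuple],
                         backends: Sequence[str] = BACKENDS,
                         symmetric: bool = False) -> float:
    """Fraction of flows whose reply packets land on the same backend
    (firewall) that handled the forward packets."""
    same = sum(
        pick_backend(f, backends, symmetric)
        == pick_backend(reverse(f), backends, symmetric)
        for f in flows
    )
    return same / len(flows)


# Constructed sample traffic: 64 spoke-to-spoke TCP flows, one per source port.
SAMPLE_FLOWS: List[FiveTuple] = [
    ("10.1.0.4", 40000 + i, "10.2.0.4", 443, "tcp") for i in range(64)
]

if __name__ == "__main__":
    flow = SAMPLE_FLOWS[0]
    burst = [flow] * 4  # four packets of the same flow
    print("per-flow  :", distribute_per_flow(burst))
    print("per-packet:", distribute_per_packet(burst))
    print("reply on same NVA, plain 5-tuple hash:",
          return_path_symmetry(SAMPLE_FLOWS))
    print("reply on same NVA, symmetric hash    :",
          return_path_symmetry(SAMPLE_FLOWS, symmetric=True))
```

Running the block shows the four packets of one flow all mapped to the same firewall under the per-flow rule, while the round-robin case alternates between fw-a and fw-b. The symmetry check is the part worth thinking about for the E/W design: with a plain hash of the five-tuple as written, roughly half of the replies hash to the other firewall; only when both directions are treated as one flow does every reply return through the NVA that holds the session state.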