02-24-2022 04:59 PM
Hi,
I have successfully deployed the VM-200 series in our Azure subscription. I am trying to figure out how to do the segregation of environments (QA/Dev/Prod/Stg).
It is currently set up as hub-and-spoke: the trust interface is connected to the Core Subscription, which will be used to set up AD, Proxy, GW subnet and so on. The un-trust interface is associated with the GW subnet where we have already established the s2s VPN tunnel.
What I cannot figure out is what the best practice is for setting up the different environments using Palo Alto.
If we create an additional subscription (or VNET), when doing VNET peering, it will be considered as the trust interface, and inter-zone is allowed by default.
Do we create multiple interfaces, one for each PROD/QA/DEV/STG environment? Not to mention we might have a Special Project subscription (or VNET).
If anyone has any suggestions on how we can create different environments using Palo Alto, I would really appreciate it.
03-01-2022 12:48 PM
I would take a look at the Palo Alto Azure Reference Architecture Guide.
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resour.... In short, you have to configure UDRs to get traffic over to the Palo Alto for inspection.
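An added example, not part of the reply above or of Palo Alto's guide: a small audit that applies longest-prefix route selection to each spoke's routes and reports spoke-to-spoke paths that do not hand traffic to the firewall. The spoke names, prefixes, firewall address and route entries are constructed sample data, and tie-breaking between user-defined and system routes of equal prefix length is not modeled.

```python
import ipaddress

FIREWALL_IP = "10.0.1.4"  # assumed firewall trust-interface address (constructed)

def route(prefix, hop_type, hop_ip=None):
    return {"addressPrefix": prefix, "nextHopType": hop_type, "nextHopIpAddress": hop_ip}

# Constructed effective routes per spoke VNet (one per environment).
SPOKES = {
    "prod": {"prefix": "10.1.0.0/16", "routes": [
        route("10.1.0.0/16", "VnetLocal"),
        route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP)]},
    "dev": {"prefix": "10.2.0.0/16", "routes": [   # no UDR attached
        route("10.2.0.0/16", "VnetLocal"),
        route("0.0.0.0/0", "Internet")]},
    "qa": {"prefix": "10.3.0.0/16", "routes": [    # peered directly with prod
        route("10.3.0.0/16", "VnetLocal"),
        route("10.1.0.0/16", "VNetPeering"),
        route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP)]},
}

def best_route(routes, dest_prefix):
    """Longest-prefix match: the most specific route covering dest_prefix."""
    dest = ipaddress.ip_network(dest_prefix)
    covering = [r for r in routes
                if dest.subnet_of(ipaddress.ip_network(r["addressPrefix"]))]
    return max(covering,
               key=lambda r: ipaddress.ip_network(r["addressPrefix"]).prefixlen,
               default=None)

def audit(spokes, firewall_ip):
    """Return (source, destination, next hop type) for every spoke-to-spoke
    path whose selected route does not hand traffic to the firewall."""
    findings = []
    for src, s in spokes.items():
        for dst, d in spokes.items():
            if src == dst:
                continue
            r = best_route(s["routes"], d["prefix"])
            inspected = (r is not None
                         and r["nextHopType"] == "VirtualAppliance"
                         and r["nextHopIpAddress"] == firewall_ip)
            if not inspected:
                findings.append((src, dst, r["nextHopType"] if r else "no route"))
    return findings

if __name__ == "__main__":
    for src, dst, hop in audit(SPOKES, FIREWALL_IP):
        print(f"{src} -> {dst}: not inspected (next hop {hop})")
```

The qa-to-prod finding shows why a default route alone is not enough: a more specific peering route wins over the 0.0.0.0/0 UDR.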