Azure Palo Alto VM Setup - QA/Dev/Prod/Stg

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Azure Palo Alto VM Setup - QA/Dev/Prod/Stg

L1 Bithead



I has successfully deployed the VM-200 series in our Azure subscription. Trying to figure out how to do the segregation of environments (QA/Dev/Prod/Stg).


Currently setup as Hub-and-spoke, the trust interface is connected to Core Subscription which will be use to setup, AD, Proxy, GW subnet and so on. The un-trust interface is associate with GW subnet that we already establish the s2s VPN tunnel.


What I cannot figure out is what is the best practice to setup the different environment using Palo Alto?


If we create additional subscription (or VNET), when doing VNET peering, it will consider as trust interface and inter-zone are allow by defaults.


Do we create multiple interface for each PROD/QA/DEV/STG environment? not too say we might have Special Project subscription(or VNET). 


If anyone have any suggestion how we can create different environment using Palo Alto, will really appreciate.


L2 Linker

I would take a look at the Palo Alto Azure Reference Architecture Guide. In short, you have to configure UDRs to get traffic over to the Palo Alto for inspection.

Get out there and do great things!
  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!