Palo Alto with Azure Application Gateway Architecture Differs from Microsoft's?


L1 Bithead

The Palo Alto architecture for using App Gateway in front of your firewall seems to be different from Microsoft's. Palo wants you to set the backend pools of App Gateway to the frontend of the Palo (public IP side) and then use NAT to translate. This has downsides because you have to use a bunch of different ports, as you only have one frontend IP on the Palo.

 

But with Microsoft's model they actually set the App Gateway backend pools to the actual workload and then just route through the firewall. My question is: why wouldn't or couldn't you do the same with the Palo?

 

MS Ref (App Gateway in front of firewall): Firewall, App Gateway for virtual networks - Azure Example Scenarios | Microsoft Learn

Palo Ref: Securing Application in Azure Reference Architecture Guide (paloaltonetworks.com)

6 REPLIES

Hi @JWhites ,

The link you have provided is describing a setup in which you use the native Azure Firewall. That is completely different from using a Palo Alto FW in Azure.

 

If you want to use a Palo FW, in simple terms Azure will consider it a simple VM. So you will need to find a way to put this VM in the path of the traffic. Azure doesn't allow you to just put a VM in the path between the AppGW and the backend pool. Azure Firewall is not a simple VM but a native component; that is why you can do it this way.

 

I would strongly recommend you consider Deploy the VM-Series with the Azure Gateway Load Balancer (paloaltonetworks.com).

Gateway Load Balancer is a complete game changer, especially for inbound traffic, and I am surprised they still haven't included it in the Deployment and Reference Architecture Guide.

 

Using the Palo as a backend pool member of your AppGW was the only way before, but the more modern way will be to use GWLB.

 

Here are some more materials about Palo FW and Azure GWLB:

https://www.paloaltonetworks.com/blog/network-security/vm-series-azure-gateway-load-balancer/

 

https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/videos-for-aws-gwlb-and-azure-gwl...


Thank you for the materials. I will look at them.

 

Yes, I understand that Azure Firewall is different from Palo Alto, but you can definitely send traffic right through the Palo using a UDR, which is what they are doing in the MS architecture. I'm asking why you would not try to achieve the same with the Palo (just as you do for outbound traffic)?

Also, can you share an example of where the Application Gateway would fit into this Gateway Load Balancer architecture? What does it offer that floating IP from the Standard Load Balancer does not?

I'm guessing this architecture isn't really compatible if you're using one set of Palos to manage both north/south and east/west traffic? Is Gateway Load Balancer only useful for a public IP, or a load balancer with a public IP, but not for directing VNets or allowing outbound access from endpoints?

Hello, we are running into this same design constraint. Are you able to share what route you ended up going with for this design?

Honestly, the three options we are seeing are: route traffic through App GW only, use Azure FD, or use Palo WAAS.

L0 Member

Actually, I cannot imagine why this design wouldn't work with a Palo Alto as well.

  • You always have the dedicated AppGW subnet.
  • This subnet would get a UDR to send the internal traffic to the Standard LB that is in front of the Palo Alto.
  • The LB with HA ports config would send it to the firewall.
  • The firewall would send it to the backend.
  • The backend would reply to the LB (because of the UDR).
  • LB to firewall (the LB somehow takes care of the traffic symmetry, just like it does for normal "spoke to spoke" traffic).
  • Firewall to AppGW.

 

While it is true that the Azure Firewall is "not just a VM", I do believe that in the background it actually is >90% the same setup as with any 3rd-party NVA. They will use some pool of VMs, and they are using some sort of LB(s) in front of it. That is why they also have the same limitations, for example for session timeout (which is the LB session timeout in fact). On Internet inbound they also do SNAT to the FW interface IP, so they probably also put a public Standard LB in front of the pool of VMs, then put the FWs as backend and do SNAT and DNAT on the firewalls.

 

So for me, Azure Firewall is just a managed service but there is no additional magic happening. The same is true for AWS Network Firewall by the way.
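The flow sketched in the previous post depends on both the AppGW subnet and the backend subnet carrying UDRs that point at the same internal LB frontend, otherwise the reply takes a different path and the firewall sees only one direction of the session. The following is an added example (not code from the thread or from Palo Alto Networks) that models Azure's longest-prefix route selection over constructed route tables and checks that symmetry; all addresses and the 10.0.0.4 ILB frontend are assumed sample values.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: str
    next_hop_type: str            # "VirtualAppliance", "VnetLocal" or "Internet"
    next_hop_ip: Optional[str] = None


# Constructed sample addressing (assumption, not taken from the thread).
APPGW_SUBNET = "10.0.1.0/24"
BACKEND_SUBNET = "10.0.2.0/24"
ILB_FRONTEND_IP = "10.0.0.4"      # internal Standard LB (HA ports) in front of the Palo

# Simplified Azure system routes for a single VNet: VNet-local, then default to Internet.
SYSTEM_ROUTES = [Route("10.0.0.0/16", "VnetLocal"), Route("0.0.0.0/0", "Internet")]

# UDRs as described in the post: both subnets steer each other's prefix to the ILB.
ROUTE_TABLES = {
    APPGW_SUBNET: [Route(BACKEND_SUBNET, "VirtualAppliance", ILB_FRONTEND_IP)],
    BACKEND_SUBNET: [Route(APPGW_SUBNET, "VirtualAppliance", ILB_FRONTEND_IP)],
}


def resolve(tables: dict, src_subnet: str, dst_ip: str) -> Route:
    """Pick the effective route: longest prefix wins, and on an equal prefix a UDR beats a system route."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [(r, 1) for r in tables.get(src_subnet, [])] + [(r, 0) for r in SYSTEM_ROUTES]
    best = None
    for route, is_udr in candidates:
        net = ipaddress.ip_network(route.prefix)
        if dst in net:
            key = (net.prefixlen, is_udr)
            if best is None or key > best[0]:
                best = (key, route)
    return best[1]


def path_is_symmetric(tables: dict, subnet_a: str, ip_a: str, subnet_b: str, ip_b: str) -> bool:
    """True only if both directions are forwarded to the same NVA next hop (the ILB frontend)."""
    fwd = resolve(tables, subnet_a, ip_b)
    rev = resolve(tables, subnet_b, ip_a)
    return (fwd.next_hop_type == rev.next_hop_type == "VirtualAppliance"
            and fwd.next_hop_ip == rev.next_hop_ip)


def appgw_default_route_is_internet(tables: dict, subnet: str) -> bool:
    """The AppGW v2 subnet must keep 0.0.0.0/0 to Internet; only specific prefixes may go to the NVA."""
    return resolve(tables, subnet, "203.0.113.10").next_hop_type == "Internet"
```

Dropping the backend subnet's UDR makes the reverse path VNet-local and `path_is_symmetric` reports the asymmetry the post warns about.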

 

 
