11-18-2022 02:01 PM
The Palo Alto architecture for using App Gateway in front of your firewall seems to be different from Microsoft's. Palo wants you to set your backend pools of App Gateway to the frontend of the Palo (public IP side) and then use NAT to translate. This has downsides because you have to use a bunch of different ports, as you only have one frontend IP on the Palo....
But with Microsoft's model they actually set the App Gateway backend pools to the actual workload and then just route through the firewall.... My question is why wouldn't or couldn't you do the same with the Palo?
MS Ref (app gateway in front of firewall): Firewall, App Gateway for virtual networks - Azure Example Scenarios | Microsoft Learn
Palo Ref: Securing Application in Azure Reference Architecture Guide (paloaltonetworks.com)
11-27-2022 09:28 AM
Hi @JWhites,
The link you have provided is describing a setup in which you use the native Azure Firewall. That is completely different from using a Palo Alto FW in Azure.
If you want to use a Palo FW, in simple terms Azure will consider it a simple VM. So you will need to find a way to put this VM in the path of the traffic. Azure doesn't allow you to just put a VM in the path between the AppGW and the backend pool. Azure Firewall is not a simple VM but a native component; that is why you can do it this way.
I would strongly recommend that you consider Deploy the VM-Series with the Azure Gateway Load Balancer (paloaltonetworks.com)
Gateway Load Balancer is a complete game changer, especially for inbound traffic, and I am surprised they still haven't included it in the Deployment and Reference Architecture Guide.
Using the Palo as a backend pool member of our AppGW was the only way before, but the more modern way will be to use GWLB.
Here are some more materials about the Palo FW and Azure GWLB:
https://www.paloaltonetworks.com/blog/network-security/vm-series-azure-gateway-load-balancer/
12-01-2022 06:00 AM
Thank you for the materials. I will look at them.
Yes, I understand that Azure Firewall is different from Palo Alto, but you can definitely send traffic right through the Palo using a UDR, which is what they are doing in the MS architecture. I'm asking why you would not try to achieve the same with the Palo (just as you do for outbound traffic)?
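As an added example of the UDR approach mentioned above (not from this thread, Microsoft, or Palo Alto documentation): two Azure route tables that steer App Gateway to workload traffic, and its return path, through a VM-Series trust interface. All address prefixes and the firewall IP are assumed lab placeholders.

```bicep
// Added example: hairpin App Gateway <-> workload traffic through a VM-Series trust NIC.
// Every address below is an assumed placeholder for a lab layout, not a value from the thread.
param location string = resourceGroup().location
param appGwSubnetPrefix string = '10.0.1.0/24'     // assumed: subnet hosting Application Gateway v2
param workloadSubnetPrefix string = '10.0.20.0/24' // assumed: subnet hosting the backend pool VMs
param paloTrustIp string = '10.0.10.4'             // assumed: VM-Series trust NIC or internal LB frontend

// Route table for the App Gateway subnet: only the workload prefix is sent to the firewall.
// Leave the subnet's default route toward the Internet in place; App Gateway v2 needs it
// for its own management traffic, so do not point 0.0.0.0/0 at the appliance here.
resource rtAppGw 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-appgw'
  location: location
  properties: {
    routes: [
      {
        name: 'workload-via-palo'
        properties: {
          addressPrefix: workloadSubnetPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: paloTrustIp
        }
      }
    ]
  }
}

// Route table for the workload subnet: replies toward the App Gateway subnet must take
// the same path, otherwise the firewall sees only one direction of each session and drops it.
resource rtWorkload 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-workload'
  location: location
  properties: {
    routes: [
      {
        name: 'appgw-via-palo'
        properties: {
          addressPrefix: appGwSubnetPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: paloTrustIp
        }
      }
    ]
  }
}
```

Each route table still has to be attached to its subnet via the subnet's routeTable property, IP forwarding must be enabled on the trust NIC, and the firewall needs a policy permitting the App Gateway subnet to reach the workload prefix. Health probes from App Gateway follow the same route, so a deny on the firewall shows up as an unhealthy backend rather than as a routing error.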
12-01-2022 06:03 AM
Also, can you share an example of where the application gateway would fit into this gateway load balancer architecture? What does it offer that floating IP from the standard load balancer does not?
12-01-2022 11:13 AM
I'm guessing this architecture isn't really compatible if you're using one set of Palos to manage both north/south and east/west traffic? Is Gateway Load Balancer only useful for a public IP, or a load balancer with a public IP, but not for directing VNets, or allowing outbound access from endpoints?
01-24-2023 02:14 PM
Hello, we are running into this same design constraint. Are you able to share what route you ended up going with for this design?
Honestly, the three options we are seeing are: route traffic through App GW only, use Azure FD, or use Palo WAAS.
05-17-2024 12:12 AM - edited 05-17-2024 03:38 AM
Actually, I cannot imagine why this design wouldn't work with a Palo Alto as well.
While it is true that the Azure Firewall is "not just a VM", I do believe that in the background it actually is >90% the same setup as with any third-party NVA. They will use some pool of VMs, and they are using some sort of LB(s) in front of it. That is why they also have the same limitations, for example for session timeout (which is the LB session timeout in fact). On Internet inbound they also do SNAT to the FW interface IP, so they probably also put a public Standard LB in front of the pool of VMs, then put the FWs as backend and do SNAT and DNAT on the firewalls.
So for me, Azure Firewall is just a managed service, but there is no additional magic happening. The same is true for AWS Network Firewall, by the way.