Palo Alto with Azure Application Gateway Architecture Differs from Microsoft's?


The Palo Alto architecture for using App Gateway in front of your firewall seems to differ from Microsoft's. Palo wants you to set the backend pools of App Gateway to the frontend of the Palo (public IP side) and then use NAT to translate. This has downsides because you have to use a bunch of different ports, as you only have one frontend IP on the Palo....


But with Microsoft's model they actually set the App Gateway backend pools to the actual workload and then just route through. The question is: why wouldn't or couldn't you do the same with the Palo?


MS Ref (app gateway in front of firewall): Firewall, App Gateway for virtual networks - Azure Example Scenarios | Microsoft Learn

Palo Ref: Securing Applications in Azure Reference Architecture Guide (

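The "Microsoft model" the question refers to (backend pool pointed at the workload, firewall inserted with a UDR) is easy to get half-right. Below is an added example, not code from this thread or from Palo Alto or Microsoft, that checks two route tables in the JSON shape returned by `az network route-table show` for the conditions such a design needs: the App Gateway subnet must send workload-bound traffic to the firewall's trust-side IP, the workload subnet must send the return traffic back through the same IP (otherwise the firewall sees only one direction of each TCP session and drops it), and the 0.0.0.0/0 route on an Application Gateway v2 subnet must stay next hop Internet, because Azure does not support forcing it to a virtual appliance. All subnet addresses, the firewall IP and the route table names are assumptions constructed for the example.

```python
"""Check an App Gateway -> firewall VM -> workload UDR design for the two
mistakes that silently break it: asymmetric return routing and a default
route on the App Gateway v2 subnet that points at the NVA.

Added example; not from the original thread. Route tables mirror the
`az network route-table show` JSON shape
(properties.routes[].properties.{addressPrefix,nextHopType,nextHopIpAddress}).
"""
import ipaddress

# Constructed addressing (assumed): App Gateway subnet, workload subnet, and
# the firewall VM's trust-side interface that both subnets route through.
APPGW_SUBNET = "10.0.1.0/24"
WORKLOAD_SUBNET = "10.0.10.0/24"
FW_TRUST_IP = "10.0.2.4"

# Route table on the App Gateway subnet: workload traffic via the firewall,
# default route left at Internet (required on an App Gateway v2 subnet).
GOOD_APPGW_RT = {"name": "rt-appgw", "properties": {"routes": [
    {"name": "to-workload-via-fw", "properties": {
        "addressPrefix": WORKLOAD_SUBNET,
        "nextHopType": "VirtualAppliance",
        "nextHopIpAddress": FW_TRUST_IP}},
    {"name": "default-internet", "properties": {
        "addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"}},
]}}

# Same table but with 0.0.0.0/0 forced to the firewall: not supported by
# Azure on an App Gateway v2 subnet.
BAD_APPGW_RT = {"name": "rt-appgw-bad", "properties": {"routes": [
    GOOD_APPGW_RT["properties"]["routes"][0],
    {"name": "default-via-fw", "properties": {
        "addressPrefix": "0.0.0.0/0",
        "nextHopType": "VirtualAppliance",
        "nextHopIpAddress": FW_TRUST_IP}},
]}}

# Workload subnet: return traffic to the App Gateway subnet goes back through
# the same firewall interface, keeping the session symmetric.
WORKLOAD_RT = {"name": "rt-workload", "properties": {"routes": [
    {"name": "to-appgw-via-fw", "properties": {
        "addressPrefix": APPGW_SUBNET,
        "nextHopType": "VirtualAppliance",
        "nextHopIpAddress": FW_TRUST_IP}},
]}}

# Workload subnet with no UDR at all: Azure's system route delivers the reply
# directly to the App Gateway, bypassing the firewall.
WORKLOAD_RT_NO_RETURN = {"name": "rt-workload-empty", "properties": {"routes": []}}


def _routes(rt):
    """Yield (network, nextHopType, nextHopIpAddress) from az-style JSON."""
    for r in rt["properties"]["routes"]:
        p = r["properties"]
        yield (ipaddress.ip_network(p["addressPrefix"]),
               p["nextHopType"], p.get("nextHopIpAddress"))


def lookup(rt, destination):
    """Longest-prefix match of a destination prefix against the UDRs in rt.

    Returns (network, nextHopType, nextHopIpAddress), or None when no UDR
    covers the destination (Azure then uses its system routes, i.e. VNet
    traffic is delivered directly and never reaches the firewall).
    """
    dest = ipaddress.ip_network(destination)
    best = None
    for net, kind, ip in _routes(rt):
        if dest.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, ip)
    return best


def check_fw_insertion(appgw_rt, workload_rt, fw_ip, appgw_subnet, workload_subnet):
    """Return a list of findings; an empty list means the design is sound."""
    findings = []

    fwd = lookup(appgw_rt, workload_subnet)
    if fwd is None or fwd[1] != "VirtualAppliance" or fwd[2] != fw_ip:
        findings.append(f"appgw: traffic to {workload_subnet} bypasses firewall {fw_ip} (route: {fwd})")

    default = lookup(appgw_rt, "0.0.0.0/0")
    if default is not None and default[1] != "Internet":
        findings.append("appgw: 0.0.0.0/0 must keep next hop Internet on an App Gateway v2 subnet; "
                        f"got {default[1]} {default[2]}")

    rev = lookup(workload_rt, appgw_subnet)
    if rev is None or rev[1] != "VirtualAppliance" or rev[2] != fw_ip:
        findings.append(f"workload: return traffic to {appgw_subnet} does not go via {fw_ip}; "
                        f"asymmetric routing, firewall will drop the sessions (route: {rev})")
    return findings


if __name__ == "__main__":
    for label, a, w in [("good", GOOD_APPGW_RT, WORKLOAD_RT),
                        ("bad default route", BAD_APPGW_RT, WORKLOAD_RT),
                        ("no return route", GOOD_APPGW_RT, WORKLOAD_RT_NO_RETURN)]:
        print(label, check_fw_insertion(a, w, FW_TRUST_IP, APPGW_SUBNET, WORKLOAD_SUBNET) or "OK")
```

Feed it the output of `az network route-table show` for the two subnets instead of the constructed tables to check a real deployment. Note that the App Gateway keeps its own private IP as the source toward the backend, so the return route on the workload subnet has to cover the App Gateway subnet, not the client's public address.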

Hi @JWhites ,

The link you have provided describes a setup in which you use the native Azure Firewall. That is completely different from using a Palo Alto FW in Azure.


If you want to use a Palo FW, in simple terms Azure will consider it a simple VM. So you will need to find a way to put this VM in the path of the traffic. Azure doesn't allow you to just put a VM in the path between the AppGW and the backend pool. Azure Firewall is not a simple VM but a native component; that is why you can do it this way.


I would strongly recommend that you consider "Deploy the VM-Series with the Azure Gateway Load Balancer" (

Gateway Load Balancer is a complete game changer, especially for inbound traffic, and I am surprised they still haven't included it in the Deployment and Reference Architecture Guide.


Using the Palo as a backend pool member of your AppGW was the only way before, but the more modern way will be to use GWLB.


Here are some more materials about Palo FW and Azure GWLB:




Thank you for the materials. I will look at them.


Yes, I understand that Azure Firewall is different from Palo Alto, but you can definitely send traffic right through the Palo using a UDR, which is what they are doing in the MS architecture. I'm asking why you would not try to achieve the same with the Palo (just as you do for outbound traffic)?

Also, can you share an example of where the Application Gateway would fit into this Gateway Load Balancer architecture? What does it offer that floating IP on the Standard Load Balancer does not?

I'm guessing this architecture isn't really compatible if you're using one set of Palos to manage both north/south and east/west traffic? Is Gateway Load Balancer only useful for a public IP, or a load balancer with a public IP, but not for directing VNets or allowing outbound access from endpoints?

Hello, we are running into this same design constraint. Are you able to share which route you ended up going with for this design?

Honestly, the three options we are seeing are: route traffic through App GW only, use Azure FD, or use Palo WAAS.
