The Palo Alto architecture for using App Gateway in front of your firewall seems to be different from Microsoft's. Palo wants you to set the backend pools of the App Gateway to the front end of the Palo (public IP side) and then use NAT to translate. This has downsides, because you have to use a bunch of different ports as you only have one front-end IP on the Palo.
But with Microsoft's model they actually set the App Gateway backend pools to the actual workload and then just route through the firewall. My question is: why wouldn't or couldn't you do the same with the Palo?
MS Ref (app gateway in front of firewall): Firewall, App Gateway for virtual networks - Azure Example Scenarios | Microsoft Learn
Hi @JWhites ,
The link you have provided describes a setup in which you use the native Azure Firewall. That is completely different from using a Palo Alto FW in Azure.
If you want to use a Palo FW, in simple terms Azure will consider it a simple VM. So you will need to find a way to put this VM in the path of the traffic. Azure doesn't allow you to just put a VM in the path between the AppGW and the backend pool. Azure Firewall is not a simple VM but a native component; that is why you can do it this way.
I would strongly recommend you consider Deploy the VM-Series with the Azure Gateway Load Balancer (paloaltonetworks.com).
Gateway Load Balancer is a complete game changer, especially for inbound traffic, and I am surprised they still haven't included it in the Deployment and Reference Architecture Guide.
Using the Palo as a backend pool member of our AppGW was the only way before, but the more modern way will be to use GWLB.
Here are some more materials about Palo FW and Azure GWLB.
Thank you for the materials. I will look at them.
Yes, I understand that Azure Firewall is different from Palo Alto, but you can definitely send traffic right through the Palo using a UDR, which is what they are doing in the MS architecture. I'm asking why you would not try to achieve the same with the Palo (just as you do for outbound traffic)?
I'm guessing this architecture isn't really compatible if you're using one set of Palos to manage both north/south and east/west traffic? Is Gateway Load Balancer only useful for a public IP, or a load balancer with a public IP, but not for directing VNets or allowing outbound access from endpoints?
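The UDR-based pattern the question refers to (App Gateway backend pool pointing at the real workload, with the firewall inserted by routing) looks like the following when the firewall is an NVA rather than Azure Firewall. This is an added example, not from the thread, Palo Alto or Microsoft; all names, address ranges and the NVA IP are assumptions, and it shows the two route tables that keep both directions of the flow on the same hop.

```bicep
// Added example: route tables that insert an NVA between App Gateway and the backend.
// Every name and address range here is a constructed assumption.
param location string = resourceGroup().location
param appGwSubnetPrefix string = '10.0.1.0/24'    // assumed App Gateway subnet
param backendSubnetPrefix string = '10.0.2.0/24'  // assumed workload subnet
param nvaNextHopIp string = '10.0.3.4'            // assumed firewall trust NIC (or ILB front end for an HA pair)

// Route table for the App Gateway subnet: only the backend prefix is sent to the NVA.
// Keep it prefix-specific; a 0.0.0.0/0 route to a virtual appliance is not supported on the v2 SKU.
resource appGwRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-appgw'
  location: location
  properties: {
    routes: [
      {
        name: 'backend-via-nva'
        properties: {
          addressPrefix: backendSubnetPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaNextHopIp
        }
      }
    ]
  }
}

// Route table for the workload subnet: the reply toward the App Gateway subnet must take
// the same hop, otherwise the firewall sees only one direction of the session and drops it.
resource backendRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-backend'
  location: location
  properties: {
    routes: [
      {
        name: 'appgw-via-nva'
        properties: {
          addressPrefix: appGwSubnetPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaNextHopIp
        }
      }
    ]
  }
}
```

Each table is then associated with its subnet; with a pair of firewalls behind an internal load balancer, the next hop is the ILB front-end IP so that the return path lands on the same instance.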