We have 2 Palo alto firewalls in Azure using the so called 'load balancer sandwich.' In addition we have a Microsoft ExpressRoute for connectivity to our on prem network. Currently our Expressroute traffic goes around the Palos but the intent is to have the expressroute traffic also go through the Palos.
So if I create a UDR for one of the Subnets to the internal loadbalancer which then routes to either one of the 2 firewalls, I see the traffic going to our expressRoute on prem network fine. But if I initiate the traffic from our datacenter to Azure, the traffic doesn't go through the firewall. I've read that I need to have a udr on the gateway subnet in Azure pointing to the trust interfaces (or in our case the internal load balancer).
From the Palos point of view the expressroute is on the Untrust. and so when I put a udr on the gateway subnet I'm having the return traffic go to the trust interfaces. I've tried to see if i can force the Palos to route the expressroute traffic through the trust interface by creating static routes to either our internal load balancer or the azure gateway. But each configuration breaks connectivity.
My question is do I need the expressroute traffic to be going out the trust and not the untrust interfaces? I'm a little confused. hope someone can shed some light. thanks so much!
I got it working. I created a static route on my Trust-vr for my On prem network - 10.0.0.0/8 that routes to my load balancer on my trust side. Then on the gateway subnet i created a route for my Azure subnet going to my loadbalancer as well and now traffic from my express route is going through my firewall!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!