Palo Alto and Azure Application Gateway


L3 Networker

Hello

I'm deploying infrastructure on Azure with a Palo Alto firewall. We will host web applications (appli1.company.com & appli2.company.com) on a DMZ vNet. My design is based on a Hub/Spoke configuration, and I configured vNet Peering between my DMZ vNet and my Hub, where the firewall is hosted.

I would like to be able to access appli1.company.com or appli2.company.com from the Internet. For that, I added an Azure Application Gateway. I configured the Application Gateway with a public IP and backend pools pointing to the VM-Series. I configured a listener based on TCP_80 to test access to my application via this port. Currently, this is not working; I get this error:

[Image: jeromecarrier_0-1666942498038.png]

When I try to access appli1.company.com from a computer on the Internet, there is no traffic on my Palo Alto. Is my approach correct, and do you have an idea where the issue comes from?

My design:

[Image: jeromecarrier_1-1666942586263.png]


BR

Jerome

2 Replies

L4 Transporter

@jeromecarrier I am assuming you are using the private external IP of the firewall in the backend pool, because in our case there is no UDR on the Application Gateway subnet.

You will need to set up routes on the PA and on the vNet/subnets correctly.

When I set it up, I also had to NAT the source addresses of the Application Gateway to the internal IP of the firewall.

Hello

I have a problem configuring a NAT rule to access our different internal web servers from outside based on URL (https://apptestdsiweb1.company.com to the apptestdsiweb1.localnet server, https://apptestdsiweb2.company.com to the apptestdsiweb2.localnet server). Our DNS entries for our applications have the public IP of the Application Gateway.

So I tried another approach: for each application, I configure a dedicated listener with a dedicated port on the backend (10.110.129.4 port 8000 or 8001). When I use a listener with a standard port (80), access works for https://apptestdsiweb1.company.com. But when I create a dedicated listener with, for each listener, a dedicated port on the backend (the Palo Alto firewall), I'm not able to reach https://apptestdsiweb1.company.com or https://apptestdsiweb2.company.com.

Can you help me?

BR

Here is my design:

[Image: jeromecarrier_1-1667577060527.png]

Here are the NAT rules:

[Image: jeromecarrier_2-1667577236059.png]
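The reply above (routes plus source NAT of the Application Gateway addresses towards the firewall) and the follow-up post (one listener per application, each forwarding to a dedicated port on the firewall's untrust IP, with a destination NAT rule per port) describe one chain per application. The following is an added example, not code from the thread or from Palo Alto Networks or Microsoft: it models that chain for the two applications, checks that the pieces agree (unique backend port per application, a 443 listener for an https:// name, ports in range), and only then renders the PAN-OS `set` commands and `az` CLI calls. The firewall untrust IP 10.110.129.4 and backend ports 8000/8001 come from the thread; the internal server addresses, Application Gateway subnet, zone and interface names, Azure resource names and listener/pool names are placeholders, and the exact `set` and `az` syntax is as I would write it and should be checked against the versions in use.

```python
"""Consistency check and config rendering for the App Gateway -> VM-Series -> web server chain.
Added example; addresses and names marked PLACEHOLDER/ASSUMPTION are not from the thread."""
from dataclasses import dataclass
from typing import Dict, List

FW_UNTRUST_IP = "10.110.129.4"   # firewall untrust private IP (App Gateway backend target), from the thread
AGW_SUBNET = "10.110.128.0/24"   # PLACEHOLDER: subnet the Application Gateway lives in
FW_TRUST_IF = "ethernet1/2"      # ASSUMPTION: trust-side interface used for the source NAT
UNTRUST_ZONE, TRUST_ZONE = "untrust", "trust"   # ASSUMPTION: zone names on the VM-Series
AGW_RG, AGW_NAME = "rg-hub", "agw-dmz"          # PLACEHOLDER: Azure resource group / gateway name


@dataclass(frozen=True)
class AppMapping:
    name: str
    public_fqdn: str
    listener_port: int     # port the App Gateway listener accepts from the Internet
    fw_backend_port: int   # dedicated port the App Gateway forwards to on the firewall
    server_ip: str         # PLACEHOLDER: internal web server address
    server_port: int       # port the real web server listens on


# Constructed sample matching the thread's two applications and their backend ports.
SAMPLE = [
    AppMapping("web1", "apptestdsiweb1.company.com", 443, 8000, "10.0.0.11", 443),
    AppMapping("web2", "apptestdsiweb2.company.com", 443, 8001, "10.0.0.12", 443),
]


def validate(mappings: List[AppMapping]) -> List[str]:
    """Return the problems found; an empty list means the mapping is consistent."""
    problems: List[str] = []
    ports: Dict[int, str] = {}
    fqdns: Dict[str, str] = {}
    for m in mappings:
        # All applications share 10.110.129.4, so the backend port is the only thing
        # the firewall's DNAT rule can key on: it must be unique per application.
        if m.fw_backend_port in ports:
            problems.append(f"{m.name}: backend port {m.fw_backend_port} already used by {ports[m.fw_backend_port]}")
        ports[m.fw_backend_port] = m.name
        if m.public_fqdn in fqdns:
            problems.append(f"{m.name}: FQDN {m.public_fqdn} already used by {fqdns[m.public_fqdn]}")
        fqdns[m.public_fqdn] = m.name
        # A browser request for https://name never reaches a listener on another port.
        if m.listener_port != 443:
            problems.append(f"{m.name}: https://{m.public_fqdn} needs a 443 listener, got {m.listener_port}")
        for p in (m.fw_backend_port, m.server_port):
            if not 1 <= p <= 65535:
                problems.append(f"{m.name}: port {p} out of range")
    return problems


def panos_commands(m: AppMapping) -> List[str]:
    """PAN-OS 'set' commands for one application: a service object for the dedicated port,
    a NAT rule with destination translation to the server plus source translation to the
    trust interface (so the reply comes back through the firewall), and a security rule
    restricted to the Application Gateway subnet. ASSUMPTION: syntax as I would type it."""
    svc, nat, sec = f"tcp-{m.fw_backend_port}", f"dnat-{m.name}", f"allow-{m.name}"
    return [
        f"set service {svc} protocol tcp port {m.fw_backend_port}",
        f"set rulebase nat rules {nat} from {UNTRUST_ZONE} to {UNTRUST_ZONE} "
        f"source {AGW_SUBNET} destination {FW_UNTRUST_IP} service {svc}",
        f"set rulebase nat rules {nat} destination-translation "
        f"translated-address {m.server_ip} translated-port {m.server_port}",
        f"set rulebase nat rules {nat} source-translation dynamic-ip-and-port "
        f"interface-address interface {FW_TRUST_IF}",
        # Security policy matches the pre-NAT address/port but the post-NAT zone.
        f"set rulebase security rules {sec} from {UNTRUST_ZONE} to {TRUST_ZONE} "
        f"source {AGW_SUBNET} destination {FW_UNTRUST_IP} "
        f"application [ web-browsing ssl ] service {svc} action allow",
    ]


def azure_commands(m: AppMapping, priority: int) -> List[str]:
    """az CLI for the per-application backend settings and routing rule. The HTTP setting
    carries the dedicated port; the rule ties it to that application's listener.
    ASSUMPTION: listener '<name>-listener' and pool 'fw-pool' already exist."""
    proto = "Https" if m.server_port == 443 else "Http"   # end-to-end TLS needs a trusted backend cert
    return [
        f"az network application-gateway http-settings create -g {AGW_RG} --gateway-name {AGW_NAME} "
        f"-n {m.name}-settings --port {m.fw_backend_port} --protocol {proto} --host-name {m.public_fqdn}",
        f"az network application-gateway rule create -g {AGW_RG} --gateway-name {AGW_NAME} "
        f"-n {m.name}-rule --http-listener {m.name}-listener --http-settings {m.name}-settings "
        f"--address-pool fw-pool --priority {priority}",
    ]


def render(mappings: List[AppMapping]) -> Dict[str, List[str]]:
    """Validate, then return all commands keyed by application name."""
    problems = validate(mappings)
    if problems:
        raise ValueError("; ".join(problems))
    return {m.name: panos_commands(m) + azure_commands(m, 100 + i * 10)
            for i, m in enumerate(mappings)}


if __name__ == "__main__":
    for app, cmds in render(SAMPLE).items():
        print(f"# {app}")
        print("\n".join(cmds))
```

Running the block prints the two command sets; the point of `validate` is that the failure modes in the thread (two applications behind one backend address, an https:// name tested against a port-80 listener) are caught before anything is pushed to the firewall or the gateway.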
