Azure Firewall query

hi SB V​ this is a common design consideration when centralizing security and routing across multiple Azure subscriptions.

Option 1: Azure Firewall in a Hub-and-Spoke Architecture

If your goal is to centrally inspect, filter, and route traffic between spokes (subscriptions) and the internet, Azure Firewall deployed in a central security hub is often the right choice.

How it works:

• You create a hub VNet containing the Azure Firewall.
• All other VNets (from multiple subscriptions) connect via VNet peering or Virtual WAN hubs to this central hub.
• The Firewall manages east-west (inter-VNet) and north-south (internet) traffic.
• You can route all outbound internet traffic to your on-prem firewall (Palo Alto) through VPN or ExpressRoute using User Defined Routes (UDRs).

Pros:

• Full Layer 3–7 inspection (with Threat Intelligence, DNAT, FQDN, and TLS inspection).
• Centralized policy management using Firewall Policy.
• Native integration with Azure Monitor and Sentinel for logging and analytics.
• Works across subscriptions and tenants.

Cons:

• More manual setup for complex routing scenarios.
• Cost can increase with large data throughput.
• If you want dynamic routing and large-scale branch connectivity, Virtual WAN may scale better.

Option 2: Azure Virtual WAN with Secured Virtual Hub

If you’re managing multiple regions, branches, or large-scale environments, consider Azure Virtual WAN with Secured Hub (Azure Firewall Manager).

How it works:

• Provides centralized, automated routing and connectivity between VNets, branches, and on-prem.
• Each region can have a “secured hub” with Azure Firewall managed via Azure Firewall Manager.
• Simplifies global routing — all traffic can be forced through your on-prem Palo Alto firewalls or Azure Firewall as per policy.

Pros:

• Scalable for global/multi-region design.
• Simplified management — no need to manually configure peering/UDRs.
• Integrated with Microsoft’s backbone network for optimized performance.
• Built-in security and routing orchestration with Firewall Manager.

Cons:

• Slightly higher cost for small or single-region environments.
• Less granular control if you need custom routing per subscription.

Recommendation

For a single-region, centralized control model, use a Hub-and-Spoke with Azure Firewall.
For a multi-region, large-scale, or hybrid setup (especially with branch offices), Azure Virtual WAN (Secured Hub) is the better long-term option.

You can also combine both: use Azure Firewall inside a Virtual WAN Secured Hub to route traffic to your Palo Alto firewalls for final outbound inspection.

Hi there,

Good question! I’ve worked on similar setups where companies wanted to route all Azure subscription traffic through one main security layer for better control and security.

From experience:

Azure Firewall is great if you want detailed traffic control, centralized rules, and easy monitoring.

Azure Virtual WAN is better when you have multiple regions or branch offices and need simpler network management.

In your case, Azure Firewall in a hub-and-spoke setup might work best, especially since you also use Palo Alto for on-prem access.

I’m part of the team at Nimus Technologies, and we often help businesses design and set up secure Azure environments like this. Happy to share more ideas if you’d like.

Hope this helps!

For your case, would suggest:

• Use Azure Virtual WAN as the routing backbone to connect all VNets and subscriptions.
• Deploy Azure Firewall inside the Virtual Hub to inspect and control traffic centrally.
• Route internet-bound traffic through the firewall and down to your S2S VPN to the Palo Alto firewalls.
• For inbound public access, assign Azure Public IPs to specific VMs and configure DNAT rules in Azure Firewall.

This setup gives you:

• Centralized control and inspection
• Simplified routing via Virtual WAN
• Flexibility for hybrid connectivity and public access