Forum Discussion

SB V's avatar
SB V
Brass Contributor
Jun 04, 2021

Azure Firewall query

Hi Community,   Our customer has a security layer subscription which they want to route and control all other subscription traffic via.     Basically, they want to remove direct VPeers between su...
azure firewall
virtual network
virtual wan
Surya_Narayana's avatar
Surya_Narayana
MCT
Oct 28, 2025

hi SB V​ this is a common design consideration when centralizing security and routing across multiple Azure subscriptions.

Option 1: Azure Firewall in a Hub-and-Spoke Architecture

If your goal is to centrally inspect, filter, and route traffic between spokes (subscriptions) and the internet, Azure Firewall deployed in a central security hub is often the right choice.

How it works:

  • You create a hub VNet containing the Azure Firewall.
  • All other VNets (from multiple subscriptions) connect via VNet peering or Virtual WAN hubs to this central hub.
  • The Firewall manages east-west (inter-VNet) and north-south (internet) traffic.
  • You can route all outbound internet traffic to your on-prem firewall (Palo Alto) through VPN or ExpressRoute using User Defined Routes (UDRs).

Pros:

  • Full Layer 3–7 inspection (with Threat Intelligence, DNAT, FQDN, and TLS inspection).
  • Centralized policy management using Firewall Policy.
  • Native integration with Azure Monitor and Sentinel for logging and analytics.
  • Works across subscriptions and tenants.

Cons:

  • More manual setup for complex routing scenarios.
  • Cost can increase with large data throughput.
  • If you want dynamic routing and large-scale branch connectivity, Virtual WAN may scale better.

Option 2: Azure Virtual WAN with Secured Virtual Hub

If you’re managing multiple regions, branches, or large-scale environments, consider Azure Virtual WAN with Secured Hub (Azure Firewall Manager).

How it works:

  • Provides centralized, automated routing and connectivity between VNets, branches, and on-prem.
  • Each region can have a “secured hub” with Azure Firewall managed via Azure Firewall Manager.
  • Simplifies global routing — all traffic can be forced through your on-prem Palo Alto firewalls or Azure Firewall as per policy.

Pros:

  • Scalable for global/multi-region design.
  • Simplified management — no need to manually configure peering/UDRs.
  • Integrated with Microsoft’s backbone network for optimized performance.
  • Built-in security and routing orchestration with Firewall Manager.

Cons:

  • Slightly higher cost for small or single-region environments.
  • Less granular control if you need custom routing per subscription.

Recommendation

For a single-region, centralized control model, use a Hub-and-Spoke with Azure Firewall.
For a multi-region, large-scale, or hybrid setup (especially with branch offices), Azure Virtual WAN (Secured Hub) is the better long-term option.

You can also combine both: use Azure Firewall inside a Virtual WAN Secured Hub to route traffic to your Palo Alto firewalls for final outbound inspection.

 

Resources