Forum Discussion
SB V
Jun 04, 2021, Brass Contributor
Azure Firewall query
Hi Community,
Our customer has a security-layer subscription through which they want to route and control all other subscriptions' traffic.
Basically, they want to remove direct VPeers between subscriptions and to configure Azure Firewalls to allow them to control and route all other subscriptions' traffic. All internet traffic would then be routed down our S2S VPN to our Palo Altos in Greenwich for internet access (both ways).
However, there may be some machines they would assign Azure Public IPs to for inbound web server connectivity, but all other access from external clients would be routed via the Palos inbound.
Questions:
- Which one (Azure Firewall or Azure WAN) would be the best option?
- What are the pros and cons?
Any reference would be of great help.
1 Reply
For your case, I would suggest:
- Use Azure Virtual WAN as the routing backbone to connect all VNets and subscriptions.
- Deploy Azure Firewall inside the Virtual Hub to inspect and control traffic centrally.
- Route internet-bound traffic through the firewall and down to your S2S VPN to the Palo Alto firewalls.
- For inbound public access, assign Azure Public IPs to specific VMs and configure DNAT rules in Azure Firewall.
This setup gives you:
- Centralized control and inspection
- Simplified routing via Virtual WAN
- Flexibility for hybrid connectivity and public access
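To make the layout in the reply above concrete, here is an added Bicep example (not code from the post, nor from Microsoft's own samples) that declares the pieces the reply lists: a Virtual WAN, a hub with Azure Firewall deployed inside it, routing intent that sends both internet-bound and private traffic to that firewall, a DNAT rule for one published web server, a VPN site plus hub VPN gateway for the Palo Altos, and a spoke VNet connection. Resource names, address ranges, the web server's private IP, the Palo Alto endpoint and the link speeds are assumptions. Two caveats a practitioner will want: in a secured hub the public IP that a DNAT rule matches on belongs to the firewall, not to the VM behind it; and advertising the on-premises default route so that internet traffic leaves via the S2S tunnel (shown here as 0.0.0.0/0 in the site's address space) is an assumption to confirm against current Virtual WAN forced-tunnelling guidance before relying on it.

```bicep
// Added example, not code from the original post. Names, CIDRs and IPs are assumptions.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param spokeVnetId string                      // assumed: resource ID of an existing spoke VNet
param hubPrefix string = '10.255.0.0/23'      // assumed hub address space
param onPremPrefix string = '192.168.0.0/16'  // assumed Greenwich LAN range behind the Palo Altos
param paloAltoPeerIp string = '203.0.113.10'  // assumed (documentation range) Palo Alto VPN endpoint
param webServerPrivateIp string = '10.10.1.4' // assumed private IP of the published web server
@secure()
param vpnSharedKey string                     // IKEv2 pre-shared key agreed with the Palo Alto side

resource vwan 'Microsoft.Network/virtualWans@2023-05-01' = {
  name: 'vwan-security'
  location: location
  properties: { type: 'Standard', allowBranchToBranchTraffic: true }
}

resource hub 'Microsoft.Network/virtualHubs@2023-05-01' = {
  name: 'vhub-security'
  location: location
  properties: { virtualWan: { id: vwan.id }, addressPrefix: hubPrefix, sku: 'Standard' }
}

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'afwp-security'
  location: location
  properties: { sku: { tier: 'Standard' }, threatIntelMode: 'Alert' }
}

// Azure Firewall inside the hub (secured hub). The firewall, not any VM, owns the public IP.
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'afw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_Hub', tier: 'Standard' }
    virtualHub: { id: hub.id }
    hubIPAddresses: { publicIPs: { count: 1 } }
    firewallPolicy: { id: fwPolicy.id }
  }
}

// Send internet-bound and VNet/branch traffic via the firewall; this replaces direct spoke peerings.
resource intent 'Microsoft.Network/virtualHubs/routingIntent@2023-05-01' = {
  parent: hub
  name: 'hubRoutingIntent'
  properties: {
    routingPolicies: [
      { name: 'InternetTraffic', destinations: [ 'Internet' ], nextHop: firewall.id }
      { name: 'PrivateTraffic', destinations: [ 'PrivateTraffic' ], nextHop: firewall.id }
    ]
  }
}

// DNAT for the one published web server; anything not matched by a rule is denied by default.
resource rules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'rcg-core'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'dnat-web'
        priority: 100
        action: { type: 'Dnat' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'https-to-web01'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '*' ]
            destinationAddresses: [ firewall.properties.hubIPAddresses.publicIPs.addresses[0].address ]
            destinationPorts: [ '443' ]
            translatedAddress: webServerPrivateIp
            translatedPort: '443'
          }
        ]
      }
    ]
  }
}

// Branch site for the Palo Altos. 0.0.0.0/0 here is the ASSUMED way to advertise the
// on-premises default route; confirm against current Virtual WAN forced-tunnelling guidance.
resource paloSite 'Microsoft.Network/vpnSites@2023-05-01' = {
  name: 'site-greenwich'
  location: location
  properties: {
    virtualWan: { id: vwan.id }
    addressSpace: { addressPrefixes: [ onPremPrefix, '0.0.0.0/0' ] }
    deviceProperties: { deviceVendor: 'Palo Alto Networks' }
    vpnSiteLinks: [
      { name: 'link-greenwich', properties: { ipAddress: paloAltoPeerIp, linkProperties: { linkProviderName: 'ISP', linkSpeedInMbps: 200 } } }
    ]
  }
}

resource vpnGw 'Microsoft.Network/vpnGateways@2023-05-01' = {
  name: 'vpngw-hub'
  location: location
  properties: { virtualHub: { id: hub.id }, vpnGatewayScaleUnit: 1 }
  dependsOn: [ intent ]
}

resource paloConn 'Microsoft.Network/vpnGateways/vpnConnections@2023-05-01' = {
  parent: vpnGw
  name: 'conn-greenwich'
  properties: {
    remoteVpnSite: { id: paloSite.id }
    vpnLinkConnections: [
      {
        name: 'link-greenwich'
        properties: {
          vpnSiteLink: { id: resourceId('Microsoft.Network/vpnSites/vpnSiteLinks', paloSite.name, 'link-greenwich') }
          sharedKey: vpnSharedKey
          vpnConnectionProtocolType: 'IKEv2'
          connectionBandwidth: 200
        }
      }
    ]
  }
}

// Attach a spoke VNet; enableInternetSecurity gives it the 0.0.0.0/0 route through the firewall.
resource spokeConn 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2023-05-01' = {
  parent: hub
  name: 'conn-spoke'
  properties: { remoteVirtualNetwork: { id: spokeVnetId }, enableInternetSecurity: true }
  dependsOn: [ intent ]
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters spokeVnetId=<id> vpnSharedKey=<psk>`. Once the routing intent is in place, every spoke connection and the branch connection are associated with the hub's default route table and the firewall is the next hop for both policies, so the spoke-to-spoke paths the customer wants to remove no longer need peerings; the firewall policy is then the single place where allow rules between subscriptions are expressed.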