Cloud NGFW for Azure Virtual WAN
Learn about Cloud NGFW deployments in Azure Virtual WAN.
Where Can I Use This?
  • Cloud NGFW for Azure

What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Portal account
  • Azure Marketplace subscription
Cloud NGFW for Azure supports a centralized vWAN deployment model. With this model:
  • a centralized vWAN Cloud NGFW is deployed for securing traffic in multiple spoke VNets connected to the Azure Virtual WAN.
  • the vWAN hub is pre-created to allow for integration with the Cloud NGFW.
  • the Cloud NGFW seamlessly integrates into the vWAN hub.
  • routing intent is used to redirect traffic to the Cloud NGFW for inspection.

Centralized vWAN Deployment Model: Internet Egress Traffic Inspection

In this deployment model:
  1. Traffic from the spoke-1 VNet workload VM is destined for the internet.
  2. Traffic destined to the internet from the spoke-1 web server VM is forwarded to the vWAN hub using the VNet connection.
  3. Routing intent on the vWAN hub is used to redirect traffic from the vWAN hub to the Cloud NGFW.
  4. Routing intent is enabled for internet traffic with the Cloud NGFW as a next hop to redirect internet egress traffic to the Cloud NGFW for inspection.
  5. Post inspection, source NAT is performed on the Cloud NGFW using the public IP address associated with the Cloud NGFW.
  6. Traffic is now sent out onto the internet.

Centralized vWAN Deployment Model: Internet Ingress Traffic Inspection

In this deployment model:
  1. Traffic from the internet lands on the front-end or public IP address of the Cloud NGFW.
  2. Using routing intent, the traffic is redirected to the Cloud NGFW by the vWAN hub.
  3. The Cloud NGFW performs destination NAT, where the destination of the packet is changed from the public IP address to the actual spoke VM IP address.
  4. After inspecting the traffic, the Cloud NGFW performs source NAT using the private IP address subnet (which is automatically extracted from the vWAN Hub VNet).
  5. Traffic is now sent to the actual destination (spoke VM) with the source IP address as one of the IP addresses from within the vWAN Hub VNet and the destination IP address as the spoke VM IP.

Centralized vWAN Deployment Model: Internet Ingress via Application Gateway

In this deployment model:
  1. To access backend applications, internet users access the frontend IP address of the Application Gateway. The packet will first land on the frontend IP.
  2. The backend pool of the Application Gateway is a web server IP address that's part of application/spoke VNet.
  3. The application VNet and Application Gateway VNet are connected to Azure Virtual WAN and hence they can talk to each other through the vWAN hub.
  4. The Application Gateway sends the packet to the vWAN hub after performing source and destination NAT; the destination will be the actual backend application IP address (192.168.1.10).
  5. Because of routing intent, the vWAN hub forwards the traffic to the Cloud NGFW for inspection.
  6. Post inspection, the vWAN hub sends the packet to the actual backend application that's part of the spoke VNet connected to the Azure Virtual WAN.

Centralized vWAN Deployment Model: Internet Ingress via Application Gateway

In this deployment model:
  1. To access backend applications, internet users access the frontend IP address of the Application Gateway.
  2. The backend pool of the Application Gateway is a web server IP address that's part of the same VNet.
  3. Using the UDRs associated with the Application Gateway subnet, the gateway sends the packet to the vWAN hub after performing source and destination NAT. The source of the packet will be one of the IP addresses of the Application Gateway subnet and the destination will be the actual backend application IP address.
  4. Because of routing intent, the vWAN hub forwards the traffic to the Cloud NGFW for inspection.
  5. Post inspection, the packet is sent back to vWAN hub by the Cloud NGFW.
  6. The vWAN hub sends the packet to the actual backend application that is part of the spoke VNet connected to the Azure Virtual WAN.

Centralized vWAN Deployment Model: East-West Traffic Inspection

In this deployment model:
  1. Traffic from the spoke-1 VNet workload VM is destined to the spoke-2 VNet workload VM.
  2. Traffic from the spoke-1 VM is forwarded to the Azure Virtual WAN hub based on the VNet connection.
  3. Routing intent enabled for private traffic is used to redirect traffic from the vWAN hub to the Cloud NGFW.
  4. The Cloud NGFW inspects the traffic based on the defined security policies.
  5. Post inspection, the Cloud NGFW forwards the traffic to the vWAN hub, which in turn sends the traffic to the spoke-2 VM.
    There is no source NAT performed on east-west traffic.

Centralized vWAN Deployment Model: East-West Traffic Inspection - On Prem to Cloud

In this deployment model:
  1. Traffic from the on-prem data center is destined to the spoke-2 VNet workload VM.
  2. This traffic is considered as east-west traffic.
  3. Traffic from the on-prem data center is forwarded to the Azure Virtual WAN hub using the VPN tunnel from the on-prem to Azure vWAN.
  4. Routing intent enabled for private traffic is used to redirect traffic from the vWAN hub to the Cloud NGFW.
  5. The Cloud NGFW inspects the traffic based on the defined security policies.
  6. Post inspection, the Cloud NGFW forwards the traffic to the vWAN hub, which in turn sends the traffic to the spoke-2 VM.
    There is no source NAT performed on east-west traffic.

Centralized vWAN Deployment Model: East-West vWAN Multi-Hub Traffic Inspection

In this deployment model:
  1. Traffic from a spoke-1 Webserver connected to the vWAN hub-1 is destined to the spoke-2 DB server connected to the vWAN hub-2.
  2. Traffic from Webserver-1 arrives at the vWAN hub-1 because of the VNet connection.
  3. Routing intent configured for private traffic in hub-1 redirects traffic to the Cloud NGFW for inspection.
  4. Post inspection, traffic is sent back to vWAN hub-1.
  5. Since the destination of the traffic is connected to vWAN hub-2, using the hub-to-hub connectivity the traffic is forwarded to vWAN hub-2.
  6. Traffic is received at vWAN hub-2.
  7. Routing intent sends the traffic to the Cloud NGFW connected to hub-2 for inspection.
  8. Post inspection, the traffic is sent back to hub-2.
  9. Using the VNet connection, the vWAN hub forwards the traffic to the VM in spoke-2, which is the actual destination.
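The following is an added Python model of the routing-intent and NAT behaviour described in the flows above (internet egress, internet ingress, and east-west); it is not Palo Alto Networks or Azure code. All addresses, the DNAT table, and the choice of hub VNet address used for ingress source NAT are constructed assumptions; the model also shows what happens when only the Internet policy (and not the PrivateTraffic policy) names the Cloud NGFW as next hop.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing: these values are assumptions, not taken from the page.
NGFW_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")          # public/front-end IP of the Cloud NGFW
HUB_VNET_SUBNET = ipaddress.ip_network("10.0.0.0/24")           # vWAN hub VNet, source pool for ingress SNAT
DNAT_TABLE = {NGFW_PUBLIC_IP: ipaddress.ip_address("192.168.1.10")}  # public IP -> backend spoke VM
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    inspected: bool = False


def packet(src: str, dst: str) -> Packet:
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))


def is_private(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


def classify(pkt: Packet) -> str:
    """Name the routing-intent policy that carries this packet: Internet or PrivateTraffic."""
    if is_private(pkt.src) and is_private(pkt.dst):
        return "PrivateTraffic"   # east-west: spoke-to-spoke, on-prem-to-spoke
    return "Internet"             # egress to, or ingress from, the internet


def ngfw_process(pkt: Packet, policy: str) -> Packet:
    """Cloud NGFW: inspect, then apply the NAT behaviour the flow descriptions give."""
    if policy == "PrivateTraffic":                 # east-west: no source NAT
        return Packet(pkt.src, pkt.dst, inspected=True)
    if pkt.dst == NGFW_PUBLIC_IP:                  # ingress: DNAT to the spoke VM, SNAT from hub VNet
        snat_src = next(HUB_VNET_SUBNET.hosts())   # which hub VNet address is used is an assumption
        return Packet(snat_src, DNAT_TABLE[pkt.dst], inspected=True)
    return Packet(NGFW_PUBLIC_IP, pkt.dst, inspected=True)   # egress: SNAT to the NGFW public IP


def hub_forward(pkt: Packet, routing_intent: dict) -> Packet:
    """vWAN hub: hand the packet to the Cloud NGFW only if routing intent names it as next hop."""
    policy = classify(pkt)
    if routing_intent.get(policy) != "cloud-ngfw":
        return pkt                                 # no intent for this class: bypasses inspection
    return ngfw_process(pkt, policy)


INTENT_FULL = {"Internet": "cloud-ngfw", "PrivateTraffic": "cloud-ngfw"}
INTENT_INTERNET_ONLY = {"Internet": "cloud-ngfw"}  # PrivateTraffic policy missing: east-west is not inspected
```

Run `hub_forward(packet("192.168.1.10", "192.168.2.10"), INTENT_INTERNET_ONLY)` to see east-west traffic returned uninspected, which is why both routing-intent policies should point at the Cloud NGFW.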