You can deploy the Cloud NGFW in the vWAN hub as a scalable firewall solution to
secure traffic between critical workloads hosted in a global hybrid network between
Azure and on-premises. For more information on Azure vWAN and available features and
capabilities, see the Azure Virtual WAN documentation.
Consider the following when deploying the Cloud NGFW in a vWAN:

- One private IP address is used for an NGFW resource. For vWAN environments, configure the vWAN hub routing policy to hairpin traffic for the service. That is, the traffic exits an interface and returns before going out to the internet.
- It may take approximately 30 minutes to provision a new vWAN hub. You can verify the status of a newly created vWAN hub in the Routing Status field in the Essentials section of the Overview page.
- The Cloud NGFW for Azure vWAN deployment:
  - Fully integrates into the Azure Virtual WAN using the SaaS framework.
  - Deploys into the vWAN virtual hub.
  - Utilizes routing intent and policy rules to control which traffic gets inspected by the Cloud NGFW service.
  - Enables enforcement of a consistent security policy for inter-hub and inter-region traffic.
- When configuring DNAT rules in a vWAN hub, the ingress flow works regardless of the routing intent because of the SNAT performed on the trust interface.
Prerequisites
To deploy Cloud NGFW in a vWAN, you need an Azure subscription in which you hold the Owner or Contributor role.

Cloud NGFW requires a minimum of 40 IP addresses for the network virtual appliance (NVA). The private subnet for the hub should be at least /21 so that enough IP addresses can be allocated for NVA utilization. For more information on the limitations of the vWAN hub, refer to the Microsoft Virtual WAN FAQ.
1. Log in to the Azure portal and search for Virtual WAN. Click Create to create a Virtual WAN service.
2. After successfully creating the Virtual WAN service, click Go to resource.
3. Add a hub to the Virtual WAN you created. Select Connectivity > Hubs, then click New Hub.
4. Configure the Virtual Hub details. Specify the hub private address space and the virtual hub capacity, then click Next: Site to Site.
5. After validating the configuration, click Create to create the virtual WAN hub.
6. Verify that the Routing status is Provisioned. It may take approximately 30 minutes to provision a new vWAN hub; use the Overview page to view the routing status.
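As an added check that is not part of the Palo Alto Networks documentation, the following Python script applies the prerequisites above (a hub address space of /21 or larger with at least 40 addresses for the NVA, no overlap with your spoke or on-premises ranges) and confirms from `az network vhub show` output that the Routing status is Provisioned before you move on to creating the Cloud NGFW resource. It assumes the `addressPrefix`, `provisioningState` and `routingState` fields of that output; the sample JSON and the spoke ranges are constructed.

```python
import ipaddress
import json

# Requirements from the prerequisites: the NVA needs at least 40 IP addresses
# and the hub private address space should be /21 or larger.
MIN_NVA_IPS = 40
MAX_HUB_PREFIXLEN = 21


def check_hub_prefix(hub_prefix, existing_prefixes=()):
    """Return the problems with a proposed hub address space (empty list = OK).

    existing_prefixes are the spoke VNet and on-premises ranges the hub must
    not overlap; the caller supplies them (constructed values in the demo).
    """
    hub = ipaddress.ip_network(hub_prefix, strict=False)
    if hub.version != 4:
        return [f"{hub} is not an IPv4 range"]
    problems = []
    if hub.prefixlen > MAX_HUB_PREFIXLEN:
        problems.append(f"{hub} is a /{hub.prefixlen}; the hub needs /{MAX_HUB_PREFIXLEN} or larger")
    if hub.num_addresses < MIN_NVA_IPS:
        problems.append(f"{hub} has {hub.num_addresses} addresses; the NVA needs {MIN_NVA_IPS}")
    for prefix in existing_prefixes:
        other = ipaddress.ip_network(prefix, strict=False)
        if hub.overlaps(other):
            problems.append(f"{hub} overlaps the existing range {other}")
    return problems


def hub_ready(vhub_json, existing_prefixes=()):
    """Parse `az network vhub show` JSON and list what still blocks the Cloud NGFW
    step: the prefix check above, provisioningState Succeeded and routingState
    Provisioned (the Routing status the page tells you to verify)."""
    hub = json.loads(vhub_json)
    problems = check_hub_prefix(hub["addressPrefix"], existing_prefixes)
    if hub.get("provisioningState") != "Succeeded":
        problems.append(f"provisioningState is {hub.get('provisioningState')}")
    if hub.get("routingState") != "Provisioned":
        problems.append(f"routingState is {hub.get('routingState')}, not Provisioned")
    return problems


# Constructed sample shaped like `az network vhub show --output json`; not real output.
SAMPLE_VHUB = json.dumps({"name": "hub-eastus", "addressPrefix": "10.100.0.0/21",
                          "provisioningState": "Succeeded", "routingState": "Provisioning"})
SPOKES = ["10.100.0.0/24", "192.168.0.0/16"]  # constructed spoke and on-prem ranges

if __name__ == "__main__":
    for problem in hub_ready(SAMPLE_VHUB, SPOKES):
        print("NOT READY:", problem)
```

Run it against `az network vhub show -g <rg> -n <hub> --output json` and your own spoke list; an empty result means the hub meets the stated prerequisites and is ready for the next procedure.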
1. Log in to the Azure portal and search for Cloud NGFWs by Palo Alto Networks.
2. Click Cloud NGFWs by Palo Alto Networks to start creating the Palo Alto Networks Cloud NGFW service for Azure.
3. In the Cloud NGFWs screen, click Create. This landing page is prepopulated with Cloud NGFW instances if you have previously created the resource.
4. In the Create Palo Alto Networks Cloud NGFW screen, enter basic configuration information in the Project details section. Use the information in the following table to provide the Project details.

   Field            Description
   Subscription     Automatically selected based on the subscription used while logged in.
   Resource Group   Use one of the existing resource groups or create a new one (using the Create New option) in which the Cloud NGFW resource is created.
   Firewall Name    Name of the Cloud NGFW firewall resource.
   Region           Region in which Cloud NGFW is provisioned.

5. Click Next: Networking. Provide information for your networking environment. Choose Virtual WAN Hub as the Network Type. In the Virtual WAN Hub Details section, select the virtual hub you created previously from the drop-down menu. Specify the public IP addresses, and the Source NAT option if address translation is used on traffic going out to the internet.
6. Click Next: Rulestack to create a local rulestack where rules are defined. This is a placeholder for local rulestack creation; click Create new or Use existing (if a local rulestack already exists, select it from the drop-down menu). After you create the Cloud NGFW resource, you can modify this rulestack to add or edit rules, FQDNs, and the prefix list.
7. Click Next: DNS Proxy. By default, the DNS proxy is disabled. You can configure the Cloud NGFW to inspect all DNS traffic by acting as a proxy for vWAN resources. When configured, the DNS Proxy forwards the DNS request to the default Azure DNS server, or to a DNS server you specify.
8. Click Next: Tags to specify tags for your Azure requirements. Tags are predefined labels that can help you manage the vulnerabilities in your environment and view consolidated billing related to your Azure account. They are centrally defined and are applied to vulnerabilities and as policy exceptions. Use tags for:
   - Vulnerability labels. They provide a convenient way to categorize the vulnerabilities in your environment.
   - Policy exceptions. They can be a part of your rules to have a specific effect on tagged vulnerabilities.
   - Viewing consolidated billing for your Azure account.

   Tags are useful when you have large container deployments with multiple teams working in the same environment. For example, you might have different teams handling different types of vulnerabilities; you can then set tags to define responsibilities over vulnerabilities. Other uses are to set the status of fixing a vulnerability, or to mark vulnerabilities to ignore when they are a known problem that can't be fixed in the near future.
9. Click Next: Terms and accept the terms and conditions for the deployment.
10. Click Review + create to validate your Azure subscription for the Cloud NGFW resource. The resource is validated first, then created. When the screen shows Validation Passed, click Create to deploy the Cloud NGFW service.
11. After the Cloud NGFW service is created, the deployment progress is displayed. Deploying a Cloud NGFW resource takes approximately 30 minutes to complete. On a successful deployment, the following screen appears. Four resources are created: the Cloud NGFW, a local rulestack, a public IP address, and the Cloud-nva.
12. After creating the Cloud NGFW resource, select it to verify that the provisioning state is Succeeded. This page also displays the public and private IP addresses that are associated with the Cloud NGFW service. Make sure that the Network type is vWAN.
Verify the Deployment of the Cloud NGFW in a vWAN
After successfully creating the Cloud NGFW service for the vWAN network type, verify that the Cloud NGFW was added as a SaaS solution for the vWAN.

1. Go to the Virtual Hub that was used while creating the Cloud NGFW service.
2. In the Third-party providers section, click SaaS Solutions.
3. Verify that the Cloud NGFW was created; it is added as a SaaS solution to this hub. In the SaaS Solutions section, select Click here.
4. Information related to the vWAN deployment appears.