>
    Strata Copilot
    Azure Virtual WAN with vION CloudBlade Integration
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Azure Virtual WAN with vION CloudBlade Integration
    Download PDF
    Prisma SD-WAN

    Azure Virtual WAN with vION CloudBlade Integration

    Table of Contents

    Azure Virtual WAN with vION CloudBlade Integration

    Learn about the Prisma SD-WAN and Azure virtual WAN with vION CloudBlade integration.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN (Managed by Strata Cloud Manager)
    • Prisma SD-WAN
    • Azure Virtual WAN with vION CloudBlade
    With the growth of Hybrid Cloud deployments, most enterprises have moved workloads to the cloud and need to enable secured connectivity from branch sites to these application workloads. In addition, enterprises are moving towards hybrid and multi-cloud architecture with their on-premise infrastructure. This transition must work seamlessly while ensuring SLAs (Service Level Agreements) are met for applications hosted on-IaaS, PaaS, SaaS environments, and on-premise with the right level of visibility and security controls.
    The central entity in Azure that provides the branch integrations through vION devices is the Virtual WAN (virtual WAN). Azure Virtual WAN is a networking service with a single operational interface that provides networking, security, and routing functionalities together. These functionalities include branch connectivity through SD-WAN devices (vION), intra-cloud connectivity (transitive connectivity for virtual networks), Azure Firewall, and encryption for private connectivity, amongst others that may be applicable in a typical hybrid cloud integration environment.
    According to Microsoft Azure, the virtual WAN architecture is a hub and spoke architecture with built-in scale and performance for branches (VPN/SD-WAN devices), virtual networks, users (Azure VPN/OpenVPN/IKEv2 clients), and ExpressRoute circuits. In addition, it enables a global transit network architecture, where the cloud-hosted network hub enables transitive connectivity between endpoints that may be distributed across different types of spokes.
    IMAGE SOURCE: Azure Product Documentation

    Prisma SD-WAN and Azure Integration Prerequisites

    The following items are required for configuring Prisma SD-WAN and Azure Virtual WAN with vION CloudBlade:
    Prisma SD-WAN
    • An active Prisma SD-WAN subscription with sufficient licenses to install at least 2 x v7108 IONs per region.
    Azure
    • An Azure account with permissions to create and update Azure Resource Groups, VNET (Virtual Network), and Virtual Machines.
      The Azure vWAN uses the following list of APIs with vION CloudBlade.
      • subscriptions.get()
      • subscriptions.list_locations()
      • resource_groups.create_or_update()
      • resource_groups.check_existence()
      • resource_groups.get()
      • resource_groups.begin_delete()
      • resources.list_by_resource_group()
      • resources.get()
      • resources.get_by_id()
      • resources.begin_delete_by_id()
      • deployments.get()
      • deployments.begin_validate()
      • deployments.begin_create_or_update()
      • deployments.list_by_resource_group()
      • deployments.delete()
      • subnets.begin_create_or_update()
      • network_interfaces.begin_create_or_update()
      • security_rules.begin_create_or_update()
      • virtual_hub_bgp_connection.begin_create_or_update()
      • virtual_hub_bgp_connections.list()
      • virtual_hub_bgp_connection.begin_delete()
      • hub_virtual_network_connections.get()
      • hub_virtual_network_connections.list()
      • hub_virtual_network_connections.begin_delete()
      • virtual_wans.get()
      • virtual_hubs.begin_delete()
      • network_security_groups.get()
      • resources()
      • AuthenticationContext()
      • acquire_token_with_client_credentials()
    • As the Azure vWAN with vION CloudBlade automates the deployments of Virtual Machines through API calls, you must enable the programmatic access through the Azure portal.
    • An active Azure marketplace subscription to the Prisma SD-WAN Virtual ION Appliance.
    • The Azure vWAN with vION CloudBlade utilizes the ION images for deployments in the Azure marketplace. To begin using these resources (through the CloudBlade), you must accept the Azure Marketplace terms and conditions and follow the guidelines of usage of the marketplace listings.
    • The CloudBlade will require Read Access to Virtual Network resources in Brownfield deployment scenarios to determine the attached Virtual Networks and their associated address prefixes. You can access the Virtual Networks via the Virtual Network Connections to the identified Virtual WAN entity in Brownfield deployment scenarios.
      In addition, the CloudBlade will also need read/write access in Brownfield scenarios to Virtual WAN and Virtual Hub resources to configure BGP peers necessary for the exchange of routes with the Virtual Hub(s) to remote Virtual Networks. The read/write access needs to be explicitly provided in the case where the Virtual Networks or the Virtual WAN/Virtual Hub resources were created with a different subscription and, therefore, associated credentials than what is used by the CloudBlade. Refer to Azure resource management and subscriptions for more information.
    • A resource group with Azure vWAN with a single or multiple Virtual Hub, defined for the regions of deployment (Brownfield Deployments only).
    • To enable the Azure BGP peering with the Virtual WAN hub feature in this release, you must contact the Azure team with the Resource ID of your Virtual WAN resource.
    • All regions must support the Azure Virtual Machine model Standard D8s v3 (8 vCPUs, 32 GiB).

    © 2026 Palo Alto Networks, Inc. All rights reserved.