Name: Day 5 Palo alto VM-Serise on Azure cloud. Understanding of Subnet, System route, UDR and NSGs
Uploaded: 2026-01-11 19:30:00
Duration: 12 min 44 s

Question 1

What is a Virtual Network and subnet in Azure for Palo Alto VM-Series deployment?

Accepted Answer

In Azure, I create a Virtual Network (VNet) and then I segregate it into multiple subnets based on my design. Each subnet will host virtual devices like VMs, similar to how physical PCs and servers sit inside a physical subnet. This separation is important because later, when I build the firewall topology, traffic flow depends on which subnet a VM belongs to.

Question 2

How many usable IP addresses do I get in an Azure /24 subnet?

Accepted Answer

In traditional networking, a /24 gives you 254 usable IPs after removing network and broadcast. But in Azure, some IPs are reserved internally—like .1 for gateway and .2/.3 for DNS in my example. That’s why I showed you that the usable IP count becomes less (example: 251 usable).

Question 3

What are Azure system routes and why do they matter for traffic flow?

Accepted Answer

System routes are automatically created by Azure networking when you deploy resources like a VM inside a subnet. Because of these routes, a VM can communicate to other subnets without you manually defining a gateway. The limitation is you can’t force a specific path using system routes because they are auto-generated.

Question 4

What is UDR (User Defined Route) in Azure and when should I use it?

Accepted Answer

UDR is how I manually control the path of traffic in Azure when system routes are not enough. For example, if a web VM wants to reach a SQL VM, I can force that traffic to go via my firewall first. This is critical in firewall deployments because I want the firewall to inspect and decide whether to allow the traffic.

Question 5

How do I force Azure subnet-to-subnet traffic to go through a firewall?

Accepted Answer

I use UDR to point the destination subnet route to the firewall as the next hop. That way, even though system routes would normally allow direct routing, I’m influencing the traffic direction manually. This is exactly what we need when we deploy Palo Alto in Azure and want proper inspection.

Question 6

What is an NSG (Network Security Group) and where can I apply it?

Accepted Answer

NSG is basically a set of rules to control traffic—what is allowed and what is blocked. I can apply NSG rules at the subnet level or directly to a VM. For example, if a VM is exposed to internet, I can allow only HTTP/HTTPS and block all other ports.

Question 7

Why is understanding subnet, routes, UDR, and NSG important before doing Palo Alto Azure labs?

Accepted Answer

Because these are the base terms that decide how traffic moves inside Azure cloud. If you don’t understand them, then when I start building the topology and doing the firewall labs, it will be a gray area and you won’t be able to follow the flow. Once this foundation is clear, the upcoming traffic-flow diagrams and configurations will make sense.

Day 5 Palo alto VM-Serise on Azure cloud. Understanding of Subnet, System route, UDR and NSGs

🛍️ Products Mentioned (2)

Paloaltonetworks Product

For Palo Alto Documentation

About This Video

Frequently Asked Questions

🎬 More from Bikash's Tech