Name: Day 7 Palo alto on Azure cloud. Understand VNETs connectivity| Palo alto Firewall initial Config
Uploaded: 2026-03-22 21:53:25
Duration: 18 min 6 s

Question 1

How does Azure VNET connectivity work between two subnets without a router?

Accepted Answer

In Azure, you can ping from one subnet VM to another subnet VM because Azure provides internal routing inside the VNET. In my lab, Web (192.168.1.4) can reach DB (192.168.2.4) without me adding any L3 device. That routing is built into Azure’s internal network, and we can’t see their backend design.

Question 2

How do I make a private IP address static for an Azure VM?

Accepted Answer

I do it from the Azure Portal by going to the VM’s Network Interface, then IP configurations. There you change the private IP assignment from Dynamic to Static and save it. I did the same for both my Web and DB VMs so the IP doesn’t change after reboot.

Question 3

How do I set static IPs for Palo Alto interfaces in Azure (MGMT, trust, untrust)?

Accepted Answer

Same method: open each Palo Alto NIC in Azure (management, untrust, trust), go to IP configurations, and set the private IP to Static. I made all three interfaces static so next time the firewall boots, I don’t get a different IP. This is very important before you start building routing, NAT, and security rules.

Question 4

Why can my Azure VM reach the internet without configuring the firewall?

Accepted Answer

Because Azure can send VM traffic to the internet using its default internal network path. I showed it by pinging 8.8.8.8 from the DB VM and it worked without any special configuration. But for a proper security design, we don’t want that shortcut—we want traffic to go through the Palo Alto.

Question 5

How do I configure trust and untrust interfaces on Palo Alto after Azure deployment?

Accepted Answer

I log in to the Palo Alto GUI, go to Network > Interfaces, and configure the ethernet interfaces as Layer 3. Then I create zones like untrust and trust, and assign the correct IP address with /24. After that, I commit the configuration.

Question 6

What is a common mistake when configuring Palo Alto interfaces in Azure?

Accepted Answer

One mistake I showed is assigning the same subnet range on both trusted and untrusted interfaces. My commit failed the first time because I copied the wrong range. After correcting it (untrust in one range and trust in another), the commit was successful.

Question 7

How do I associate a public IP to the untrust interface in Azure for Palo Alto?

Accepted Answer

From the untrust NIC in Azure, go to IP configurations and associate a Public IP address. In my case, I first focused on making the private IP static, and then I associated the public IP on untrust. Trust doesn’t need a public IP in this design.

Day 7 Palo alto on Azure cloud. Understand VNETs connectivity| Palo alto Firewall initial Config

About This Video

Frequently Asked Questions

🎬 More from Bikash's Tech