External Public IPs for Azure vWAN SaaS Solution

Raviraj Velankar 111 Reputation points
2024-10-11T17:33:04.2566667+00:00

Hello Experts,

I have following query,

I have third party (PA FW) deployed in Azure behind Azure external LB. There are couple of Public front-end IPs configured on external LB which is used for incoming internet traffic for web applications. There is destination NAT configured in PA FWs for traffic destined for internal VMs which has web application. However, if there is requirement to migrate it to Azure virtual wan with integrated SaaS solution (PA FW as SaaS) then is it feasible to use same Public IPs (which is currently configured as Front-end IPs on Azure external LB) and whether we can configure more than one Public IP addresses in SaaS based PA FW untrust or external interface. If it is not feasible then what would approach to be taken to migrate those public front-end IPs from Azure external LB to Azure vWAN based SaaS firewall. Thank you.

Azure Virtual WAN
Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
229 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Sai Prasanna Sinde 1,265 Reputation points Microsoft Vendor
    2024-10-16T09:56:19.9833333+00:00

    Hi @Raviraj Velankar,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    We understand that you want to know whether it is feasible to dis-associate Public IPs from Azure External Load balancer and move it to Subscription where Azure virtual WAN & SaaS firewall is present and can use same Public IPs in new DNAT rules in SaaS firewall.

    1. It is possible to disassociate the public ip from the azure external load balancer and you can move them to a subscription where azure vWAN and Firewall present.
    2. When you disassociate a public ip from an azure external load balancer, it will become available for use the other resources. You can associate this public ip to your firewall in vWAN.

    Disassociate the public IP from external load balancer:

    • Go to azure portal and search for load balancer > Frontend IP configuration > Public IP > Disassociate.
    • If that doesn't work: Go to load balancer > Frontend IP configuration > Select the public ip > Choose the IP type as IP prefix and create a new IP prefix and save it.
    • Search for Public IP address and select the one you want to disassociate and disassociate the ip from load balancer.

    Associate the Public IP with Firewall in Azure vWAN:

    • Go to > Firewall > Public IP configuration > Click on add a public ip configuration and associate the disassociated public ip of external load balancer.
    • Go to rules and create a DNAT rule by using the new associated public ip.

    Note

    • You can't update the IP address if the firewall's existing IP has any DNAT rule associated with it.
    • Make sure you do not have any DNAT rules or delete them and then recreate them once you updated the IP Addresses.

    Kindly let us know if the above helps or you need further assistance on this issue.

    If this answers your query, please do click **Accept Answer** and **Yes** for was this answer helpful so that other community members can find the right answers.

    Thanks,

    Sai Prasanna.

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.