Integrating Third-Party NVA in Azure vWAN

Using Bicep to add a Palo Alto NVA to Azure vWAN

Introduction

Azure Virtual WAN is a comprehensive networking service that provides optimized and automated branch connectivity to, and through, Azure. It enables you to connect your branches, remote users, and data centers to Azure and each other using a combination of site-to-site VPN, point-to-site VPN, and ExpressRoute connections. One of the key features of Azure Virtual WAN is its ability to integrate third-party Network Virtual Appliances (NVAs), such as Palo Alto Networks VM-Series, to enhance security and connectivity.

Step-by-Step Implementation Guide

Prerequisites

Before you begin, ensure you have the following:

  • An Azure subscription
  • Bicep CLI installed
  • Visual Studio Code with Bicep extension
  • Basic understanding of Azure networking concepts

Using Bicep to Integrate Palo Alto NVA

Step 1: Define the Bicep File

Create a new Bicep file (e.g., virtual-wan-nva.bicep) and define the parameters and resources needed for the Virtual WAN and Palo Alto NVA.

param location string = resourceGroup().location
param virtualWanName string = 'MyVirtualWAN'
param virtualHubName string = 'MyVirtualHub'
param nvaName string = 'MyPaloAltoNVA'
param addressSpace string = '10.0.0.0/16'

resource virtualWan 'Microsoft.Network/virtualWans@2023-02-01' = {
  name: virtualWanName
  location: location
  properties: {
    type: 'Standard'
  }
}

resource virtualHub 'Microsoft.Network/virtualHubs@2023-02-01' = {
  name: virtualHubName
  location: location
  properties: {
    addressPrefix: addressSpace
    virtualWan: {
      id: virtualWan.id
    }
  }
}

// NVA deployed into the virtual hub (the ARM resource type is networkVirtualAppliances)
resource nva 'Microsoft.Network/networkVirtualAppliances@2023-02-01' = {
  name: nvaName
  location: location
  properties: {
    virtualHub: {
      id: virtualHub.id
    }
    nvaSku: {
      name: 'VM-Series'
      vendor: 'PaloAltoNetworks'
    }
    autoScaleConfiguration: {
      bounds: {
        min: 2
        max: 10
      }
    }
  }
}

Step 2: Deploy the Bicep File

Use the Azure CLI to deploy the Bicep file to your Azure subscription.

az deployment group create --resource-group <Your-Resource-Group> --template-file virtual-wan-nva.bicep

Step 3: Verify the Resources

After deployment, verify that the Virtual WAN and Palo Alto NVA resources have been created and are configured as expected. You can do this by navigating to the Azure portal and checking the resources under the Virtual WAN and Virtual Hub sections.
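
The Step 3 checks can also be scripted instead of read off the portal. The Python below is an added example, not part of the original article: it assumes each resource's JSON was fetched with az resource show and that the NVA has the ARM type Microsoft.Network/networkVirtualAppliances; the function names, subscription ID and resource group are constructed for illustration.

```python
import ipaddress

# Constructed sample scope; the subscription ID and resource group are placeholders.
NET = ("/subscriptions/00000000-0000-0000-0000-000000000000"
       "/resourceGroups/rg-demo/providers/Microsoft.Network")

def same_id(a, b):
    # ARM resource IDs compare case-insensitively.
    return bool(a) and bool(b) and a.lower() == b.lower()

def verify_deployment(vwan, hub, nva, expected_prefix="10.0.0.0/16"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for label, res in (("virtualWan", vwan), ("virtualHub", hub), ("nva", nva)):
        state = (res.get("properties") or {}).get("provisioningState")
        if state != "Succeeded":
            findings.append(f"{label}: provisioningState is {state!r}")
    if (vwan.get("properties") or {}).get("type") != "Standard":
        findings.append("virtualWan: type is not 'Standard'")
    hp = hub.get("properties") or {}
    if not same_id((hp.get("virtualWan") or {}).get("id"), vwan.get("id")):
        findings.append("virtualHub: not attached to the expected Virtual WAN")
    try:
        actual = ipaddress.ip_network(hp.get("addressPrefix") or "")
        if actual != ipaddress.ip_network(expected_prefix):
            findings.append(f"virtualHub: addressPrefix is {actual}")
    except ValueError:
        findings.append("virtualHub: addressPrefix missing or not a valid CIDR")
    if hp.get("routingState") != "Provisioned":
        findings.append(f"virtualHub: routingState is {hp.get('routingState')!r}")
    np = nva.get("properties") or {}
    if not same_id((np.get("virtualHub") or {}).get("id"), hub.get("id")):
        findings.append("nva: not attached to the expected virtual hub")
    return findings

def sample_resources():
    """Constructed JSON shaped like `az resource show` output for the three resources."""
    vwan = {"id": f"{NET}/virtualWans/MyVirtualWAN",
            "properties": {"provisioningState": "Succeeded", "type": "Standard"}}
    hub = {"id": f"{NET}/virtualHubs/MyVirtualHub",
           "properties": {"provisioningState": "Succeeded", "routingState": "Provisioned",
                          "addressPrefix": "10.0.0.0/16", "virtualWan": {"id": vwan["id"]}}}
    nva = {"id": f"{NET}/networkVirtualAppliances/MyPaloAltoNVA",
           "properties": {"provisioningState": "Succeeded", "virtualHub": {"id": hub["id"]}}}
    return vwan, hub, nva

if __name__ == "__main__":
    print(verify_deployment(*sample_resources()) or "all checks passed")
```

To run it against a real deployment, save the output of az resource show --ids <resource-id> --output json for each of the three resources and pass the parsed JSON to verify_deployment.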

Conclusion

Integrating third-party NVAs like Palo Alto Networks VM-Series with Azure Virtual WAN using Bicep provides a streamlined and efficient way to enhance your network security and connectivity. By defining resources as code, you can ensure consistency, simplify management, and leverage DevOps practices for continuous integration and deployment. Azure Virtual WAN enhances your ability to connect and manage your network resources seamlessly.

Learn More

For more detailed information and tutorials, visit the following Microsoft Learn resources: