TL;DR Summary
Azure Local SDN (formerly Azure Stack HCI SDN) provides powerful native microsegmentation and routing capabilities. But for organizations with existing investments in Palo Alto Networks or Fortinet firewalls—or specific compliance mandates—integrating these third-party Network Virtual Appliances (NVAs) remains a strategic choice.
In this article, we explore the how, why, and when of embedding third-party firewalls into Azure Local SDN topologies. From integration models and routing patterns to Bicep deployment examples and real-world scenarios, we break it all down.
What is Azure Local SDN?
Azure Local SDN is Microsoft’s on-prem Software Defined Networking solution tightly coupled with Azure Stack HCI, now rebranded under the Azure Local umbrella. It brings Azure-style networking capabilities—virtual networks, distributed firewalling, load balancing, and multi-tenant isolation—to edge and hybrid data centers.
Core Features:
- Virtual Network Manager (VNM)-style policy control
- Network Controllers managing SDN host agents
- Layer 3 routing, NAT, and ACL enforcement
- Integrated with Windows Admin Center and PowerShell
Native firewalling is possible using Access Control Lists (ACLs) on SDN virtual subnets, but there are use cases where third-party NGFWs are necessary.
Why Use Third-Party Firewalls in Azure Local SDN?
While Azure Local provides built-in filtering and routing, NVAs like Palo Alto VM-Series and FortiGate-VM offer:
| Benefit | Detail |
|---|---|
| L7 Inspection | Application-aware rules, SSL decryption, malware filtering |
| Unified Policy | Consistent policy with existing cloud and on-prem appliances |
| Compliance | Required for PCI-DSS, HIPAA, or DoD STIGs in certain industries |
| Logging & SIEM Integration | Advanced telemetry and SOC integration |
| Advanced VPN/Segmentation | Multi-context routing, IPsec tunnels, ZTNA edge control |
If your security team already uses centralized Panorama or FortiManager, extending these policies to your Azure Local environment is straightforward with NVAs.
Integration Models for NVAs in Azure Local
There are three common patterns to integrate Palo Alto or Fortinet firewalls into your SDN topology:
1. Bump-in-the-Wire (Inline Transparent)
- Acts as a layer 2 hop between SDN subnets
- No routing changes required
- Useful for East-West inspection
2. Routed Hop (L3 Gateway)
- NVA sits between internal VNet and SDN gateway
- Handles routing and firewalling together
- Best for North-South perimeter control
3. Policy-Based Forwarding (Selective Routing)
- Use static routes or SDN gateway policies
- Only route sensitive traffic through the NVA
- Optimizes performance and cost
Pro Tip: You can also combine models, such as using inline NVA for East-West and routed hop for North-South traffic.
Deployment Steps: Palo Alto / Fortinet in Azure Local SDN
Step 1: Download the NVA Image
- Use Palo Alto VM-Series QCOW or FortiGate-VM for Hyper-V
- Convert and upload the image to your Azure Local environment
Step 2: Create SDN-Connected VM Networks
PowerShell:
New-VMSwitch -Name "SDNSwitch" -NetAdapterName "vNIC" -EnableSoftwareRsc $false -AllowManagementOS $true
Add-VMSwitchExtensionPortFeature -FeatureName "Microsoft Azure VFP Switch Extension" -SwitchName "SDNSwitch"Step 3: Provision the NVA VM on SDN
Example Bicep for FortiGate-VM:
resource fortiVM 'Microsoft.HCI/virtualMachines@2022-12-15-preview' = {
name: 'FortinetNVA'
location: resourceGroup().location
properties: {
hardwareProfile: {
vmSize: 'Standard_D4s_v3'
}
storageProfile: {
osDisk: {
createOption: 'FromImage'
imageReference: {
publisher: 'fortinet'
offer: 'fortinet_fg-vm'
sku: 'fortinet_fg-vm'
version: 'latest'
}
}
}
networkProfile: {
networkInterfaces: [
{
name: 'nic1'
properties: {
subnet: {
id: '/subscriptions/.../virtualNetworks/sdn-vnet/subnets/internal'
}
}
}
]
}
}
}Step 4: Route Traffic via NVA
- Use static routes in Azure Local SDN
- Or configure the SDN Gateway as the next hop to the NVA
Best Practices for Azure Local + NVA Integration
| Best Practice | Details |
| Redundancy | Deploy HA pairs with floating IPs or SDN load balancing |
| Central Management | Use Panorama/FortiManager for consistent policy |
| Segmentation | Combine Azure SDN ACLs with NVA policies for layered defense |
| Logging | Export logs to Azure Monitor or SIEM via Syslog/CEF |
| Performance Monitoring | Monitor CPU, NIC throughput, and drop rates in WAC/PerfMon |
Tip: Enable VFP logging on Azure Local SDN interfaces to debug traffic drops during NVA policy enforcement.
Comparison Table: Native Firewall vs. NVA Approach
| Feature | Azure Local ACL | Palo Alto / Fortinet NVA |
| L3/L4 Filtering | Yes | Yes |
| Application Awareness | No | Yes |
| Threat Protection | No | Yes |
| Performance | High (kernel-native) | Depends on VM size |
| Cost | Included | Licensing + compute |
| Central Policy Mgmt | Manual | Panorama / FortiManager |
| Compliance Support | Limited | Strong (PCI, HIPAA, DoD) |
Real-World Use Cases
Fortinet with Azure Stack HCI for Defense and Contractor Sites
Source: Fortinet DoD Contractor Case Study
- FortiGate VM deployed alongside Azure Stack HCI workloads
- Met NIST and DoD STIG compliance
- Used FortiManager for policy control
- Segmented tenants and encrypted data paths
Palo Alto Networks for Healthcare SDN with Azure Stack Edge
Source: Palo Alto Healthcare Brief
- VM-Series deployed with Azure Stack HCI and Azure Arc
- HIPAA-compliant with SSL inspection
- Integrated with Azure Monitor for full observability
Fortinet with Azure Hybrid and Kubernetes Edge Gateways
Source: Fortinet IoT Edge Security
- Secured IoT workloads in SDN-enabled VNets
- Used FortiGate VM as East-West inspection node
- Combined FortiManager with Azure VNet microsegmentation
Palo Alto VM-Series on Azure Stack HCI for Financial Sector
Source: Palo Alto Financial Brief
- Deployed in secure on-prem datacenters
- Integrated with Cortex Data Lake and Azure Monitor
- Applied FIPS-validated encryption and banking policies
Final Thoughts
Integrating Palo Alto and Fortinet firewalls into Azure Local SDN gives architects the best of both worlds: Microsoft’s high-performance, cloud-style SDN plus the advanced security controls and compliance of best-in-class third-party appliances.
Whether you’re securing a perimeter, isolating tenants, or meeting audit mandates, NVAs can fill in critical gaps. That said, proper topology planning, redundancy, and routing control are essential for a clean integration.
*The thoughts and opinions in this article are mine and hold no reflect on my employer*