Share via

Can i deploy SaaS - Palo alto firewall and silver peak SD wan NVA in Same vWAN hub? Any issues with routing?

AzurePro 60 Reputation points
2025-11-08T18:10:00.5433333+00:00

Can i deploy SaaS - Palo alto firewall and silver peak SD wan NVA in Same vWAN hub? Any issues with routing?

Azure Virtual WAN
Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2025-11-08T18:10:12.6566667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    You cannot deploy both a Palo Alto Networks SaaS firewall and a Silver Peak SD-WAN NVA in the same Virtual WAN hub. Currently, the routing intent configuration does not support routing between an SD-WAN NVA and a Firewall NVA (or SaaS solution) deployed in the same Virtual hub. Instead, you would need to deploy them in different Virtual Hubs or deploy the SD-WAN NVA in a spoke Virtual Network connected to the hub and leverage BGP peering capabilities.

    References:

    0 comments
  2. Ravi Varma Mudduluru 3,625 Reputation points Microsoft External Staff Moderator
    2025-11-10T14:50:44.57+00:00

    Hello @AzurePro,

    Thanks for reaching out to Microsoft Q&A.

    I understand that you're looking to deploy both a Palo Alto firewall and Silver Peak SD-WAN NVA in the same Virtual WAN hub and are wondering about any potential routing issues.

    No, this is not supported. Azure Virtual WAN currently does not allow multiple NVAs with different roles (e.g., SD-WAN and Firewall) in the same Virtual WAN hub when using routing intent.

    Routing intent configuration does not support routing between an SD-WAN NVA and a Firewall NVA (or SaaS firewall) deployed in the same hub.

    Virtual WAN hubs are designed for single routing intent per hub (e.g., Internet, Private, or Default).

    When you deploy Palo Alto Cloud NGFW (SaaS) in a hub, routing intent redirects traffic to that firewall for inspection. Adding an SD-WAN NVA in the same hub would conflict with this routing logic.

    Below are the recommended options you can try:

    Deploy one hub for Palo Alto Cloud NGFW SaaS and another hub for Silver Peak SD-WAN NVA. Use inter-hub connectivity or hub-and-spoke architecture for traffic flow between hubs.

    Deploy the SD-WAN NVA in a spoke VNet connected to the vWAN hub hosting Palo Alto NGFW. Use BGP peering or static routes for connectivity.

    Reference Document:
    https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#known-limitations

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.