Log in to the Azure Portal, go to the Resource
group that was created via the deployment template, and select the VNET
object.
Enter the Peerings configuration section to set up VNET
peering between the Prisma SD-WAN VNET and each of your
application VNETs.
Add a VNET peering relationship from the Prisma SD-WAN
VNET to the application VNETs.
Specify the VNET you wish to peer with from the drop-down and select the
check box to allow traffic to and from the remote VNET. Once complete,
verify the peering status is connected.
In order for return traffic from the application back
to the on-premise networks to be sent through the Prisma SD-WAN
VPN, add a static virtual appliance route in the application VNET
subnet route table pointing back to the ION as the next hop for
corporate subnets.
In the example below, 10.19.2.4 is the IP address of the
Peering port of the ION 7K and 10.100.0.0/16 is the summary prefix
of all remote sites that have Prisma SD-WAN IONs deployed.
It is assumed that a route table is already deployed within the
application VNET, that the application VMs are associated with it, and
that the relevant subnet associations are in place.
Advertise the Azure application VNET prefixes into the
Prisma SD-WAN fabric by defining them on the Azure data center site.
From the Prisma SD-WAN portal, go to Map > Azure Site > Site to
bring up the menu to Add IP Prefixes.
Once complete, traffic destined to the prefix (10.20.0.0/24) will be
sent directly to Azure over one or more Prisma SD-WAN Internet VPN paths.
This assumes that the traffic destined to these applications and prefixes
matches a path policy rule that allows VPN over a public path.
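
The static route step above only has the intended effect if no more specific user-defined route pulls part of the remote-site range away from the ION. The following check is an added example, not part of the original procedure or of any Palo Alto Networks tooling. It assumes the route table has been exported as a list of objects with the addressPrefix, nextHopType and nextHopIpAddress fields that `az network route-table route list` returns, and it only evaluates user-defined routes; the sample routes and the audit_return_path name are constructed for illustration.

```python
import ipaddress

ION_NEXT_HOP = "10.19.2.4"        # ION 7K peering port, from the example above
REMOTE_SUMMARY = "10.100.0.0/16"  # summary prefix of remote ION sites, from the example above

# Constructed sample, shaped like `az network route-table route list` output.
SAMPLE_ROUTES = [
    {"name": "to-remote-sites", "addressPrefix": "10.100.0.0/16",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.19.2.4"},
    {"name": "legacy-branch", "addressPrefix": "10.100.7.0/24",
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": None},
]

def _via_ion(route, ion_ip):
    """True when the route forwards to the ION as a virtual appliance."""
    return (route["nextHopType"] == "VirtualAppliance"
            and route.get("nextHopIpAddress") == ion_ip)

def audit_return_path(routes, summary=REMOTE_SUMMARY, ion_ip=ION_NEXT_HOP):
    """Return a list of findings; an empty list means the user-defined
    routes send every address in `summary` to the ION."""
    target = ipaddress.ip_network(summary)
    parsed = [(ipaddress.ip_network(r["addressPrefix"]), r) for r in routes]
    parsed = [(n, r) for n, r in parsed if n.version == target.version]
    findings = []

    # Routes equal to or wider than the summary: the longest of them decides
    # the next hop for addresses not claimed by a more specific route.
    covering = [(n, r) for n, r in parsed if target.subnet_of(n)]
    if not covering:
        findings.append(f"no route covers {summary}; return traffic follows system routes")
    else:
        net, best = max(covering, key=lambda p: p[0].prefixlen)
        if not _via_ion(best, ion_ip):
            findings.append(f"{best['name']} ({net}) covers {summary} "
                            f"but does not point to {ion_ip}")

    # Longest-prefix match: a narrower route inside the summary overrides it.
    for net, r in parsed:
        if net != target and net.subnet_of(target) and not _via_ion(r, ion_ip):
            findings.append(f"{r['name']} ({net}) overrides the ION route "
                            f"via {r['nextHopType']}")
    return findings

if __name__ == "__main__":
    for finding in audit_return_path(SAMPLE_ROUTES):
        print("FINDING:", finding)
```
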