This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 44%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETY%3C/text%3E%3C/svg%3E)
Greetings,
Something I thought should be relatively simple, seems to be a bit more of a struggle than first expected.
Summary;
Hub & Spoke subscriptions setup. Azure Firewall in Hub Subscription.
S2S VPN connected against Hub-VNET.
Want to be able to access Private Endpoints from our on-premise network.
Private Endpoints live in a spoke VNET/Subnet.
In the GatewaySubnet I have added routes with next hop Virtual Appliance with Azure Firewall IP, for the /16 IP range that is assigned to the spoke VNET. I have also created /32 routes for the Private Endpoint IPs. (Shouldn´t this route the traffic from on-prem through the FW?)
In the subnet where the private endpoints are located, I have enabled the "Private endpoint network policy".
I have tried to create Application Rules in the firewall, from a on-prem IP to the ..azurewebsites.net & database.windows.net FQDNs.
I can´t see any of the traffic in the Azure Firewall logs. Nothing blocked, nothing allowed. Even if I have the explicit /32 routes in the GatewaySubnet.
Starting to get out of ideas on what to try. Any thoughts?
Many thanks!
Hello @Tarjei Ylvisåker ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like access Azure Private Endpoints from on-premise via Azure Firewall & S2S VPN.
Could you please confirm the below details?
2) Is there a private DNS zone link created between hub and spoke Vnet?
3) Could you also confirm if you are able to access the Private endpoints from your on-premises bypassing the Azure Firewall?
Regards,
Gita
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 73%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGT%3C/text%3E%3C/svg%3E)
Thanks Gita, in our case App GW and Azure Firewall both resides in Hub ,Routing will be same as you mentioned ?
Hello @Ganesh Thorave ,
I believe you posted this comment by mistake in the different thread. I've answered your question in the below correct thread:
https://learn.microsoft.com/en-us/answers/questions/774683/using-azure-firewall-with-web-application-behind-w.html?childToView=1018726#answer-1018726
Regards,
Gita
Hello @Tarjei Ylvisåker ,
Could you please provide an update on this post and share the requested details for further discussion?
Regards,
Gita
There was missing a route from our on-premises firewall, which was the reason for this not working. Sorted out now, many thanks for the inputs.
Hello @Tarjei Ylvisåker ,
Thank you for the update. Glad to hear that the issue is now resolved.
Regards,
Gita