How to route all incoming traffic from on premise via Azure Firewall

Abdullah Alattar 92 Reputation points
2023-04-20T00:31:52.7466667+00:00

I have site to site VPN i created Azure firewall on same virtual network as Gateway. I have Hub and Spoke network topology. I want all the traffic coming from on-premise to be routed through Azure Firewall.

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,556 questions
Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
674 questions
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee
    2023-04-20T10:42:25.92+00:00

    Hello @Abdullah Alattar ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to route all your S2S VPN incoming traffic from on premise via Azure Firewall.

    In order to setup a Hub and Spoke architecture with an Azure Firewall and route the S2S VPN traffic via the Firewall, you will have to:

    1# Deploy the Azure Firewall in the Hub Vnet (Hub Vnet is the Vnet where your VPN gateway is deployed).

    2# Peer the Hub and Spoke Vnets with below options for your spokes to use the hub VPN gateway to communicate with remote (on-premises) networks:

    • Configure the peering connection in the hub to allow gateway transit.
    • Configure the peering connection in each spoke to use remote gateways.
    • Configure all peering connections to allow forwarded traffic.

    3# For on-premises to Azure traffic:

    Create User Defined Routes (UDRs) on the hub VPN gateway subnet with the address spaces of your hub and spoke Vnets pointing to the Azure Firewall IP address as the next hop.

    4# For Azure to On-premises traffic:

    Create User Defined Routes (UDRs) on the spoke subnets with the destination address space of your on-premises network pointing to the Azure Firewall IP address as the next hop.

    Below are a couple of Hub and Spoke architectures for your reference:

    https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli

    https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps

    https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/hub-spoke-network-topology

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" below if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.