How to route specific traffic through Azure Firewall via Site 2 Site BGP enabled VPN

Question

I have two virtual networks on Azure: Vnet1 (10.1.0.0/16) and Vnet2 (10.2.0.0/16). These Vnets are connected by an Azure VPN gateway using Site-to-Site BGP enabled VPN. Currently, VM1 can ping VM2, and VM1 can also ping the firewall in Vnet2.

I have created a default route UDR(0.0.0.0/0 -> 10.2.1.4) and attached it to Vnet2-VmSubnet. This allows VM2 to access the internet via the firewall.

If I want to route specific IP traffic from VM1 to the internet via the firewall in Vnet2, How should I create a more specific UDR?

For example, I only want to route 8.8.8.8/32 (a specific internet access) via the firewall, while other traffic still uses the VM's default outbound access.

I have tired to create a UDR(8.8.8.8/32 -> 10.2.1.4) and attached it to Vnet1-VMSubnet, but it seems it does not work.

-- Network detail --

Vnet1(10.1.0.0/16)

　Vnet1-GatewaySubnet(10.1.0.0/24)

　Vnet1-VMSubnet(10.1.10.0/24)---VM1(10.1.10.4)

Vnet2(10.2.0.0/16)

　Vnet2-GatewaySubnet(10.2.0.0/24)

　Vnet2-AzureFirewallSubnet(10.2.1.0/24)---Firewall(10.2.1.4)

Vnet2-VmSubnet(10.2.10.0/24)---VM2(10.2.10.4)

I would be glad to help if you have any questions or need any assistance with something specific.

Thank you!

Answer 1

Hi @Anonymous , I understand that you want to use a Firewall in another vnet where the two vnets are connected using site-to-site VPN.

See the note of UDR (user-defined route) : A next hop private IP address must have direct connectivity without having to route through Vnet Gateway or Virtual WAN. Setting the next hop to an IP address without direct connectivity results in an invalid user-defined routing configuration.

I'd recommend you replace site-to-site VPN connection between the two vnets with vnet peering. Vnet peering connects 2 vnets directly and there will be system routes created automatically. Then you can create UDR (8.8.8.8/32 -> 10.2.1.4) and attach it to Vnet1-VMSubnet.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Answer 2

Hi @ShengChen-2218,

Thanks for contacting Microsoft Q&A platform.

To route specific IP traffic from VM1 to the internet via the firewall in Vnet2, you'll need to create a more specific User-Defined Route (UDR) in Vnet1-VMSubnet. Here's how you can do it:

1. Create a UDR: In the Azure portal, navigate to the route table associated with Vnet1-VMSubnet and create a new route with the following details:
   • Destination: 8.8.8.8/32 (or any other specific IP or IP range you want to route)
   • Next hop type: Virtual appliance
   • Next hop address: The private IP address of the firewall in Vnet2 (10.2.1.4)
2. Associate the UDR: Associate the newly created UDR with the subnet Vnet1-VMSubnet.
3. Associate the UDR: Associate the newly created UDR with the subnet Vnet1-VMSubnet.

With this configuration, any traffic from VM1 with a destination IP of 8.8.8.8 will be routed to the firewall in Vnet2 via the VPN connection between Vnet1 and Vnet2. The firewall will then handle the internet-bound traffic for that specific IP address.

Hope this helps you.