Hub & Spoke - P2S VPN Traffic via Azure Firewall

devopsfj 201

Is the following scenario supported?

We have 3 Virtual Networks:

VNET-01-UKSOUTH-PROD

VNET-01-UKWEST-PROD

VNET-02-UKWEST-PROD

VNET-01-UKSOUTH-PROD & VNET-01-UKWEST-PROD are peered.

VNET-01-UKWEST-PROD & VNET-02-UKWEST-PROD are peered.

VNET-01-UKSOUTH-PROD & VNET-02-UKWEST-PROD are NOT peered.

I need to be able to control the AKS private cluster in VNET-02-UKWEST-PROD from the P2S VPN in VNET-01-UKSOUTH-PROD. Is there anyway I can route traffic through both Firewalls to achieve this, is this a supported scenario.

Please find below diagram, the arrows in red is what I am trying to achieve.

User's image

Priya Kumar 0 Reputation points

2024-05-08T11:28:41.88+00:00

Hello @devopsfj,

Thanks for reaching out to Microsoft Q and A platform.

Your scenario doesn't seem like the supported one below of the below explanation:

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multipeered

Multiple peered VNets:

In this example, the Point-to-Site VPN gateway connection is for VNet1. VNet1 is peered with VNet2. VNet 2 is peered with VNet3. VNet1 is peered with VNet4. There is no direct peering between VNet1 and VNet3. VNet1 has “Allow gateway transit” and VNet2 and VNet4 have “Use remote gateways” enabled.

Clients using Windows can access directly peered VNets, but the VPN client must be downloaded again if any changes are made to VNet peering or the network topology. Non-Windows clients can access directly peered VNets. Access isn't transitive and is limited to only directly peered VNets.

Multiple peered VNets

Address space: VNet1: 10.1.0.0/16

VNet2: 10.2.0.0/16

VNet3: 10.3.0.0/16

VNet4: 10.4.0.0/16

Routes added: Routes added to Windows clients: 10.1.0.0/16, 10.2.0.0/16, 10.4.0.0/16, 192.168.0.0/24

Routes added to non-Windows clients: 10.1.0.0/16, 10.2.0.0/16, 10.4.0.0/16, 192.168.0.0/24

Access: Windows clients can access VNet1, VNet2, and VNet4, but the VPN client must be downloaded again for any topology changes to take effect.

Non-Windows clients can access VNet1, VNet2, and VNet4
devopsfj 201 Reputation points

2024-05-08T11:37:16.27+00:00

Hi,

This scenario seems different, they are talking about using peers.

I was wondering if it is possible when using Azure Firewall?

Kind Regards,

James
Priya Kumar 0 Reputation points

2024-05-09T06:48:27.1733333+00:00

Hello @devopsfj ,

The challenge from the above setup is that, how the on-premises client knows how to forward the traffic destination to the AKS subnet via the Firewall.

Because when you try to download the VPN client, it has routes of the immediate Vnet Peering.

In this case it's not aware of the AKS subnet.

Could you try to add the routes on the Client package if the P2S?

Or share us the output of the route print from the point to Site client?

Regards,

Priya Kumar
devopsfj 201 Reputation points

2024-05-10T09:05:13.8966667+00:00

Hi @KapilAnanth-MSFT

I managed to get it working with the Firewall routing you mentioned above!

Thanks for the help.
KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-05-10T09:10:16.1233333+00:00

@devopsfj ,

You are most welcome and glad we could be of assistance.

I have summarized our discussion and converted it to an answer.

I would highly appreciate if you could Accept the answer and upvote the same.

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil

Accepted answer

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-05-08T11:42:15.03+00:00
@devopsfj ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

This should be doable provided that the UDR configurations and the VPN Gateway configurations are correct.

Your exact/similar archietcture is documented here : Use Azure Firewall to route a multi hub and spoke topology.

Firewall Configuration,

In VNET-01-UKSOUTH-PROD Firewall's Subnet, make sure you add the address prefix of the VNET-02-UKWEST-PROD and nextHop as the IP of VNET-01-UKWEST-PROD Firewall

In VNET-01-UKWEST-PROD Firewall's Subnet, make sure you add the address prefix of the P2S VPN Client Pool and nextHop as the IP of VNET-01-UKSOUTH-PROD Firewall

AKS Subnet Configuration,

Make sure there is a route table attached and add the address prefix of the P2S VPN Client Pool and nextHop as the IP of VNET-01-UKWEST-PROD Firewall

VPN Gateway Configuration,

In the GatewaySubnet, attach a route table with VNET-02-UKWEST-PROD and nextHop as the IP of VNET-01-UKSOUTH-PROD Firewall

Also, you must advertise the VNET-02-UKWEST-PROD to the P2S Clients.

This can be done by : Advertise custom routes for P2S VPN clients.

I'd suggest you deploy a VM in the VNET-01-UKSOUTH-PROD VNET first and make sure this has connectivity to the AKS first, then proceed to test this with P2S Clients.

As the document I shared primarily covers this scenario and you can validate the configuration.

And it will help you troubleshoot further with P2S Setup.

Hope this helps.

Cheers,

Kapil
Please sign in to rate this answer.

1 person found this answer helpful.
devopsfj 201 Reputation points

2024-05-08T12:25:19.3566667+00:00

Hi @KapilAnanth-MSFT

I followed the exact steps, I was only missing one route anyway, but the same issue occurs, I cannot connect.

I have added a rule on the Firewall in UKSouth to allow the traffic as-well from the P2S VPN (172.16.0.0/24) to VNET-02-UKWEST-PROD.

Do I need one on the UKWest Firewall to allow the traffic back? I do not think I need this as this is just for the route back.

I have other resources in VNET-01-UKSOUTH-PROD (Virtual Machine Scale Set) connecting to resources in VNET-02-UKWEST-PROD (KV, Storage) using the same routes which makes me think this isn't supported.

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-05-09T08:01:22.15+00:00

@devopsfj ,

We can check Priya Kumar's points as well.

From the VPN Client, you can see the advertised routes to the P2S Client.

Once connected, you should be able to see the routes in the app.

Also, you can check route print once connecting to the VPN

Wrt, "Do I need one on the UKWest Firewall to allow the traffic back? I do not think I need this as this is just for the route back."

Correct, allow rule for a return traffic is not required.

Wrt, "I have other resources in VNET-01-UKSOUTH-PROD (Virtual Machine Scale Set) connecting to resources in VNET-02-UKWEST-PROD (KV, Storage) using the same routes which makes me think this isn't supported."

Thanks for sharing this, this proves that routing between resources in VNET-01-UKSOUTH-PROD to VNET-02-UKWEST-PROD is working fine.

However, the same cannot be said for VPNGateway of VNET-01-UKSOUTH-PROD

Ideally, additional routes propagation in P2S should work.

Please run the tests as I mentioned, and make sure both the VNET-01-UKWEST-PROD and VNET-02-UKWEST-PROD routes are added and is learnt (in the P2S Client)

Cheers,

Kapil.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Hub & Spoke - P2S VPN Traffic via Azure Firewall

0 additional answers

Your answer