Is it possible to route all vnet traffic back down a VPN tunnel when peered in hub and spoke

Simon Windeler 20

I have one Virtual Network Gateway in an hub network and two spoke vnets connected to it. Is it possible to route all vnet traffic down the VPN tunnel (override the gateway routes) to on-premises firewall or would it require an additional VPN to separate the routes?

Miguel Gonçalves 961 Reputation points

2024-06-12T11:24:43.9+00:00

Hi Simon,

You can create custom routes to forward traffic to firewall and fw forward on-premises traffic for VPN thar is connected to on-premises. Use Route tables.

You don't need another VPN.
KapilAnanth-MSFT 46,876 Reputation points Microsoft Employee

2024-06-12T12:01:01.76+00:00
@Simon Windeler ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Can you please be more specific on your requirement?

Do you want to route all Internet traffic to OnPrem from the Virtual Network
or

Do you want VNet to VNet traffic to go via a Firewall in the OnPrem. (spoke to hub and hub to spoke)

Please note that the above 2 scenarios are completely different and require different configurations.

I take it that it is the former,

In that case, you should consider Forced tunneling for site-to-site configurations

Either using BGP :
You need to advertise a default route of 0.0.0.0/0 via BGP from your on-premises location to Azure so that all your Azure traffic is sent via the VPN Gateway S2S tunnel

Or using Default Site Parameter :
Use the Set-AzVirtualNetworkGatewayDefaultSite Powershell command to send all Internet traffic to the specific OnPrem site.

Hope this helps.

Cheers,

Kapil
Simon Windeler 20 Reputation points

2024-06-12T12:09:09.9133333+00:00

Hi Kapil

It's VNet to VNet traffic to go via a Firewall (CheckPoint) OnPrem. (spoke to hub and hub to spoke), Already enabled forced tunnelling, internet traffic is hitting the firewall fine but as the vnet gateway is aware of the spoke routes it keeps the traffic in Azure. I've tried creating udrs to override the routes for each spoke. So I guess the question is can I override the routes on the gateway to send the traffic back on-prem?

Thanks

Simon
Simon Windeler 20 Reputation points

2024-06-12T12:15:12.8933333+00:00

Hi Kapil

It's VNet to VNet traffic to go via a Firewall in the OnPrem (CheckPoint). (spoke to hub and hub to spoke)

I already have forced tunnelling enabled and internet traffic is hitting the on-prem firewall fine. Vnet-Vnet traffic stays in Azure due to the gateway knowing about the routes due to the peering. I've tried to override the routes to force the traffic back to the on-prem firewall. Is it possible to override the default routes from the VPN gateway? Or would you have to use BGP?

Thanks

Simon

Accepted answer

KapilAnanth-MSFT 46,876 Reputation points Microsoft Employee

2024-06-14T10:33:29.64+00:00
@Simon Windeler ,

Thanks for the info.

I am afraid this routing scenario will not be possible.

And I am not able to find any documents that describes such configurations.

If your requirement is to VNET to VNET traffic to go OnPREM firewall,

You should not use Hub-Spoke Architecture

Instead, have two VPN Gateways in each VNETs and connect the VNETs to the OnPrem

Let's call the VNETs VNET1 and VNET2

Enable BGP across VNET1 <----> OnPrem and VNET2 <----> OnPrem

Once this is done, all the traffic from VNET1 destined to VNET2 will go via OnPrem

Where you can filter the traffic via your OnPrem Firewall

Similarly, all the traffic from VNET2 destined to VNET1 will go via OnPrem

Practically, the network flow becomes,

VNET1 <----> OnPrem <----> VNET2

Where "<---->" indicates a S2S Connection.

Alternatively, my suggestion would be to deploy Azure Firewall or NVA in the Hub VNET in a Hub Spoke scenario

This way, all traffic between HubVNET and SpokeVNET would go via the Azure Firewall or NVA

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Thanks,

Kapil
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Is it possible to route all vnet traffic back down a VPN tunnel when peered in hub and spoke

0 additional answers

Your answer