hi My environment is an on-premises expressroute BGP is advertising 0.0.0.0/0. I want to use Azure Firewall to control all traffic (including internet). See and discuss the architecture picture attached below. My guess is that we need to send the route “172.16.0.0/16” to the Expressroute gateway from the UDR connected to the Azure Firewall subnet to the on-premises. But according to the documentation below, you can't set up a UDR to point to the Expressroute gateway. https://learn.microsoft.com/ko-kr/azure/virtual-network/virtual-networks-udr-overview#custom-routes I question if this is possible. I would like your knowledge or ideas. Thank you. Status On-premises and Azure are connected by an expressroute. Advertise 0.0.0.0/0 in on-premises BGP. Azure Firewall forced tunneling disable. Conditions All traffic from on-premises passes through Azure Firewall. Traffic from all virtual networks to on-premises passes through Azure Firewall. Traffic between all virtual networks passes through Azure Firewall. Traffic from your virtual network to the internet passes through Azure Firewall. Problem Communication between virtual networks is controlled by the Azure firewall. Communication from the virtual network to the Internet is controlled by Azure firewall. No communication with on-premises.

Hi romero , Thank you for reaching out to us on the Microsoft Q&A forum. As an original poster cannot accept their own answer, I am reposting it so that you can accept it an answer. Accepted answer will help other community members navigate to the appropriate solutions. Issue: On-premises express route BGP is advertising 0.0.0.0/0 and using Azure Firewall to control traffic (including internet). Solution: I'm trying to understand that there is no better way to do this other than to fix it with the correct BGP on-premises and move on. Yes , there is a solution to the above concern, so I recommend you correct it from the On-premises end. Remember to " Accept Answer " so that others in the community who are experiencing similar challenges can easily find a solution. Your contribution is greatly appreciated. Regards, Ganesh

On-premises expressroute BGP is advertising 0.0.0.0/0 and using Azure Firewall to control traffic (including internet)

romero 125

My environment is an on-premises expressroute BGP is advertising 0.0.0.0/0.

I want to use Azure Firewall to control all traffic (including internet).

See and discuss the architecture picture attached below.

My guess is that we need to send the route “172.16.0.0/16” to the Expressroute gateway from the UDR connected to the Azure Firewall subnet to the on-premises.

But according to the documentation below, you can't set up a UDR to point to the Expressroute gateway.

https://learn.microsoft.com/ko-kr/azure/virtual-network/virtual-networks-udr-overview#custom-routes

User's image

I question if this is possible.

I would like your knowledge or ideas.

Thank you.

Status

On-premises and Azure are connected by an expressroute.
Advertise 0.0.0.0/0 in on-premises BGP.
Azure Firewall forced tunneling disable.

Conditions

All traffic from on-premises passes through Azure Firewall.
Traffic from all virtual networks to on-premises passes through Azure Firewall.
Traffic between all virtual networks passes through Azure Firewall.
Traffic from your virtual network to the internet passes through Azure Firewall.

Problem

Communication between virtual networks is controlled by the Azure firewall.
Communication from the virtual network to the Internet is controlled by Azure firewall.
No communication with on-premises.

Ganesh Patapati 810 Reputation points Microsoft Vendor

2024-09-18T16:39:42.69+00:00
Hi romero,

Welcome to Microsoft's Q&A platform! Thank you for asking this inquiry.

If it is a new configuration, take downtime to make any routing modifications.

And you mentioned Advertise 0.0.0.0/0 in on-premises BGP, why are you routing these via on-premises BGP?

I propose you only advertise On-premises address space into Azure, not 0.0.0.0/0.

NOTE: My suggestion is not to do these. If you want all internet traffic to run through the Azure firewall, I don't see any point on advertising 0.0.0.0/0 into Azure. Avoid doing this and allow route propagation in all UDR.

You can refer to the following thread link, where it is clearly stated how the routing works, and it will help you with your question.

Refer: https://learn.microsoft.com/en-us/answers/questions/568983/azure-express-route-forced-tunneling-with-nva

Kindly let us know if the above helps or you need further assistance on this issue.

Regards,

Ganesh
romero 125 Reputation points

2024-09-18T21:08:50.36+00:00

Hi. @Ganesh Patapati

Thanks for answering my question.

I understand that this configuration seems unusual.

I was trying to send all traffic on-premise.

But as an exception, I was considering using Azure firewall to provide internet access to VMs in the virtual network.

I wonder if it is impossible by design since I can't add a route to Expressroute gateway in UDR.
Ganesh Patapati 810 Reputation points Microsoft Vendor

2024-09-19T19:19:58.6266667+00:00
Hello romero,

Good day!

What exactly are you questioning about this statement?

"I was trying to send all traffic on-premises. But, as an exception, I was thinking about using an Azure firewall to enable internet access to VMs in the virtual network,"

where we only suggested for one.

If you want to send all traffic on-premises, then advertise 0.0.0.0/0.

Or else If you want to route all internet traffic to the Azure firewall, configure UDR on subnets and the next hop as "firewall".

NOTE: And don't worry about the UDR point in the express route gateway; it won't happen and isn't required.

The fact is that both are conceivable, and we will respond based on your requirements.

It is feasible to route all traffic to on-premises.

also, all traffic to be sent via azure firewall.

Please let us know if we can be of any further assistance here.

Thanks,

Ganesh
Ganesh Patapati 810 Reputation points Microsoft Vendor

2024-09-20T12:41:14.9566667+00:00

Hello romero,

Good day!

Just checking in to see whether you got a chance to read my response to your question regarding fixing the problem.

We are happy to assist you.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Ganesh
romero 125 Reputation points

2024-09-20T13:28:46.0533333+00:00

Error. See the comment below
romero 125 Reputation points

2024-09-20T13:40:29.2066667+00:00

Hi. @Ganesh Patapati

Thanks for your continued attention.

I would like to give some additional clarification on my current situation.

I am actually having this issue.

The only BGP route that is being provided to Expressroute and the virtual network is the following.

0.0.0.0/0 to On-premise Router IP

10.0.0.0/24 to ExpressrouteGateway IP

10.0.10.0/24 to ExpressrouteGateway IP

10.0.20.0/24 to ExpressrouteGateway IP

The subnet of the virtual network where the VM is deployed has a UDR attached to it that provides 0.0.0.0/0 to Azure Firewall.

And the 0.0.0.0/0 that is being advertised in BGP on-premises is overwriting the default 0.0.0.0/0 to internet route in AzureFirewallSubnet.

In this situation, the VM can communicate with on-premises, but not the internet.

To provide the VM with internet connectivity through Azure Firewall, you attach a UDR to AzureFirewallSubnet to provide the 0.0.0.0/0 to internet path.

In this situation, the VM is able to connect to the Internet.

But, the on-premises is not connected.

This is because all traffic from the VM to on-premises is going through the UDR to the Azure firewall, but BGP only has 0.0.0.0/0 as an advertised route for on-premises.

AzureFirewallSubnet already has the route 0.0.0.0/0 to internet by UDR.

I think the only way out of this situation now is to change the 0.0.0.0/0 that we are advertising on-premises to the detailed 172.16.0.0/16 that you guided me to in your first reply.

I'm wondering if there is another way to do this that I'm missing.

If not, I must find a way to talk to an on-premises manager.

Thank you.

Regards.
Ganesh Patapati 810 Reputation points Microsoft Vendor

2024-09-20T13:54:50.8633333+00:00
Hey romero,

I think the only way out of this situation now is to change the 0.0.0.0/0 that we are advertising on-premises to the detailed 172.16.0.0/16 that you guided me to in your first reply.

Yes, there is a solution to the above concern, so I recommend you speak with the on-premises guy.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Ganesh
romero 125 Reputation points

2024-09-21T04:08:41.6133333+00:00

@Ganesh Patapati Thank you for your support.

I'm trying to understand that there is no better way to do this other than to fix it with the correct BGP on-premises and move on.

If anyone reading this in the future can suggest a better way, please post a comment.

Have a great weekend.

Thank you.
Ganesh Patapati 810 Reputation points Microsoft Vendor

2024-09-23T10:01:40.4433333+00:00

Hello romero,

Good day!

I would like to follow up with the thread.

As an original poster cannot accept their own answer, I am reposting it so that you can "Accept it" an answer and "Upvote It". Accepted answer will help other community members navigate to the appropriate solution.

Thank you for your time, and I look forward to hearing from you.

Regards,

Ganesh

Accepted answer

Ganesh Patapati 810 Reputation points Microsoft Vendor

2024-09-23T09:42:53.09+00:00

Hi romero,

Thank you for reaching out to us on the Microsoft Q&A forum.

As an original poster cannot accept their own answer, I am reposting it so that you can accept it an answer. Accepted answer will help other community members navigate to the appropriate solutions.

Issue: On-premises express route BGP is advertising 0.0.0.0/0 and using Azure Firewall to control traffic (including internet).

Solution: I'm trying to understand that there is no better way to do this other than to fix it with the correct BGP on-premises and move on.

Yes, there is a solution to the above concern, so I recommend you correct it from the On-premises end.

Remember to "Accept Answer" so that others in the community who are experiencing similar challenges can easily find a solution.

Your contribution is greatly appreciated.

Regards,

Ganesh
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

On-premises expressroute BGP is advertising 0.0.0.0/0 and using Azure Firewall to control traffic (including internet)

0 additional answers

Your answer