ExpressRoute with Azure routing question

Shane DT 60

Hi guys,

I currently have ExpressRoute setup (Diagram), and it's been working fine. Except for one thing: all traffic from Prod-VMs (VNET-VMs 10.10.0.0/16) to workstations at my company doesn't go through firewalls FW-01 & FW-02 in Azure. However, all traffic from the company's workstations goes through firewalls FW-01 and FW-02 before reaching Prod-VMs. Also, all outbound traffic of the Prod-VMs goes through FW01 & FW-02 before reaching the internet.

Does anyone know why Prod-VMs' traffic doesn't go through the FW01 & FW02 before reaching the Company's workstations?

User's image

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-05-15T14:20:47.24+00:00
@Shane DT ,Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to route every traffic between Spoke and OnPREM to go via the NVA (Firewall).

I see Silvia Wibowo has provided a complete summary of the configuration required.

To reiterate,

1.Under my current UDR, I already have 192.168.0.0/16, next hop is 10.11.10.5 and next hop type is VirtualAppliance. Do I need to set one for the Prod VMs subnet 192.168.14.0/24?

Don't you mean work station's range?

In the UDR attached to the subnet of the "Prod VMs" , you must have a route which is more specific than the one advertised from the OnPREM via ExpressRoute.

i.e., if OnPrem advertises individual subnets, such as "192.168.14.0/24" instead of the entire OnPrem range "192.168.0.0/16" - then you must manually add a route in the UDR to override this.

See : How Azure selects a route

2.I already have 2 rules, one is 'From Company to Azure' and the second is 'From Azure to Company'

Since you are using a 3rd party firewall (NVA), we cannot comment on this.

Just make sure the NVA is stateful,

i.e., by being stateful if "Company to Azure" traffic is allowed by your NVA - your NVA should also allow the reply traffic

And also there are rules that allow the opposite direction - "Azure to Company" so traffic can also originate in opposite direction.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Shane DT 60 Reputation points

2024-05-17T02:18:56.81+00:00

Hi @KapilAnanth-MSFT , I'm waiting for approval to make these changes under UDR, it typically takes over a week for approval to make a change in Azure. As soon as I'm ready, I'll let you and @Silvia Wibowo know. I appreciate your outputs!
KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-05-20T04:32:19.1133333+00:00

@Shane DT ,

Sure. Please keep us posted on how this goes

1 answer

Silvia Wibowo 3,906 Reputation points Microsoft Employee

2024-05-10T00:06:45.64+00:00

Hi @Shane DT , I understand that you want Prod VMs traffic to go through Firewall before reaching Company Workstation.

Because of vNet peering between VNET-FW and Prod VMs vNet, all of your VMs in Prod VMs use a route table that has a system route entry for 192.168.14.0/24 to vNet gateway, so the traffic goes directly, without going to Firewall. For the opposite direction, as you noticed that traffic from Company Workstation goes to Firewall before going to Prod VMs, I suspect there is a route table applied on GatewaySubnet that has an entry for traffic to go to Firewall.

To get Prod VMs traffic to go through Firewall before reaching Company Workstation, you need to set UDR (User Defined Route) on your Prod VMs subnet: 192.168.14.0/24 next hop: NVA 10.11.10.5. There should be an entry in Firewall rules to allow the traffic from Prod VMs to Company Workstation - if you use a Network rule, you need to configure SNAT. Application rule will apply SNAT automatically, so you don't have to configure SNAT.

Reference: https://learn.microsoft.com/en-us/azure/firewall/snat-private-range - "By default, Azure Firewall doesn't SNAT with Network rules when the destination IP address is in a private IP address range per IANA RFC 1918 or shared address space per IANA RFC 6598. Application rules are always SNATed using a transparent proxy whatever the destination IP address."

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Please sign in to rate this answer.
Shane DT 60 Reputation points

2024-05-10T03:24:06.8533333+00:00

.Hi @Silvia Wibowo , I just want to clarify, per your suggestion, there are 2 options below to fix this issue:

1.Set UDR (User Defined Route) on your Prod VMs subnet: 192.168.14.0/24 next hop: NVA 10.11.10.5. what does NVA stand for? Network virtual appliance?

Under my current UDR, I already have 192.168.0.0/16, next hop is 10.11.10.5 and next hop type is VirtualAppliance. Do I need to set one for the Prod VMs subnet 192.168.14.0/24?

2.There should be an entry in Firewall rules to allow traffic from Prod VMs to the Company Workstation. If you use a Network rule, you need to configure SNAT. The application rule will apply SNAT automatically, so you don't have to configure SNAT.

=> I already have 2 rules, one is 'From Company to Azure' and the second is 'From Azure to Company'

Do I need to do both or just pick one option above?

Thanks.

Silvia Wibowo 3,906 Reputation points Microsoft Employee

2024-05-10T04:37:38.69+00:00

Hi @Shane DT ,

NVA = Network Virtual Appliance.

If your vNet Gateway has a route for 192.168.14.0/24, then longest prefix match will apply - this route matches longer prefix compared to 192.168.0.0/16. To override that route, make a route in your UDR with the same prefix match (192.168.14.0/24 to VirtualAppliance 10.11.10.5). If multiple routes contain the same address prefix, Azure selects the route type, UDR is prioritized.

Are your Firewall rules using the type Network or Application? Note that Network rules require SNAT.

You need both: #1 is for routing, #2 is for Firewall rules.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

ExpressRoute with Azure routing question

1 answer

Your answer