![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 35%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
678 questions
Hello @MDavis ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you have a working ExpressRoute connection between Azure and your on-premises and are in the process of deploying Azure Firewall which should inspect the to and fro traffic between Azure and on-premises. Please correct me if my understanding is incorrect.
For Azure to On-premise traffic:
To filter all the traffic going out of Azure by the firewall, you can add a UDR with 0.0.0.0/0 on all the subnets (except the Firewall subnet) with next hop as your Azure Firewall.
This setup will take care of the routing from Azure to on-prem which will go as below:
All subnets --> Azure firewall --> ExpressRoute gateway --> On-premises.
NOTE : Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity or stop advertising the default route from on-prem. Post this you can filter the outbound traffic within the Azure Firewall according to your needs by configuring network rules.
Refer : https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#is-forced-tunneling-chaining-to-a-network-virtual-appliance-supported
For return On-premise to Azure traffic:
GatewaySubnet do not support 0.0.0.0/0 UDRs but it supports UDRs with other address prefixes.
Hence, you can add a UDR to the ExpressRoute GatewaySubnet with the address prefix of your Vnet range with next hop type Virtual Appliance and IP address of your Azure firewall. This will make sure that any traffic that comes from your on-premises for your Azure Vnet range, when reaches your ExpressRoute gateway will be forwarded to the firewall for scanning.
NOTE : Propagate gateway routes should be set to "Enabled" on the GatewaySubnet to ensure availability of the gateway and to propagate your on-premises routes to the network interfaces in the subnet.
For example : If your Vnet address range is 10.0.0.0/16 then you can add a UDR to your ExpressRoute GatewaySubnet as below:
Address prefix : 10.0.0.0/16 --> Next hop = Virtual Appliance --> Next hop = IP address of Azure Firewall
So the routing from On-prem to Azure will go as below:
On-premises --> ExpressRoute gateway --> Azure firewall --> All subnets.
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 67%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
