NVA firewalls in availability set, how to prefer one over the other for outbound traffic

Steven Johnston 40

I have a standard load balancer sandwich design, with two NVA firewalls in an availability set, with spoke vNets peered to the NVA vNet. UDR's have static routing towards the internal load balancer. it all works well enough

I have a requirement to prefer one firewall over the other for outbound traffic to specific destinations from the spoke vNets without using static routing on the UDR. It looks like the internal load balancer doesn't have the functionality to add "weight" to a particular member of the backend pool.

I tried deploying a route server in vnet-hub but it's incompatible with the virtual wan hub peering in this design

Are there any other Azure mechanisms i can use to achieve what i am looking for?

User's image

Silvio Lorenzo Torre 0 Reputation points

2023-08-26T16:57:43.0233333+00:00

Maybe you can consider forced tunneling and Source Network Address Translation (SNAT).
By implementing SNAT on the NVA, you might be able to manipulate the routing and decide which of your NVA firewalls will be the "preferred" one for handling traffic from specific sources.

Hope can be helpful
KapilAnanth-MSFT 46,681 Reputation points Microsoft Employee

2023-08-28T12:43:09.6533333+00:00
@Steven Johnston

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Looking at your requirement, I believe this will not be feasible.

You must use UDRs if you'd like to prioritize one NVA over the other for routing.

What you can do is,

Consider using Configure BGP peering between NVA and vHUB

And connect VNETs vnet1 and vnet2 to the vHUB

This way, you can control routing via BGP

Cheers,

Kapil
Steven Johnston 40 Reputation points

2023-08-28T15:08:23.8933333+00:00

If i peered the NVA to the vWan with BGP, the peered the spoke vNet with the vWan wouldn't that then populate the routing tables of the devices in the spoke vNet with the vWan learned routes?
KapilAnanth-MSFT 46,681 Reputation points Microsoft Employee

2023-08-29T05:07:04.9233333+00:00

@Steven Johnston

Yes it will.

The Spoke VNETs will learn the routes from vWAN if you are to connect them to the vHUB.

However, you can use Route Tables and Custom Routing to control the addresses learned from and advertised to the Spoke VNETs.

Please note that multi-hub scenario is not a recommended approach and not all features may work seamlessly when you do so.

Of course, this would require you to revamp your architecture and this in turn, requires you to configure/revamp routing considerations as well.

Cheers,

Kapil
Steven Johnston 40 Reputation points

2023-08-29T17:23:04.8566667+00:00

thank you, i didn't realise you already suggested what i said.
KapilAnanth-MSFT 46,681 Reputation points Microsoft Employee

2023-08-29T17:50:47.7233333+00:00

@Steven Johnston

You are welcome.

I shall summarize my comments and post it as an answer.

While we wait for other community members to add their insights, I would highly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil
KapilAnanth-MSFT 46,681 Reputation points Microsoft Employee

2023-08-31T09:16:58.57+00:00

@Steven Johnston

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Accepted answer

KapilAnanth-MSFT 46,681 Reputation points Microsoft Employee

2023-08-29T17:53:24.5066667+00:00
@Steven Johnston

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Looking at your requirement, I believe this will not be feasible without requiring to revamp your architecture.

With current architecture,

You must use UDRs if you'd like to prioritize one NVA over the other for routing.

What you can do is,

Consider using Configure BGP peering between NVA and vHUB

And connect VNETs vnet1 and vnet2 to the vHUB

This way, you can control routing via BGP

To control the addresses learned from and advertised to the Spoke VNETs,

You should consider using Route Tables and Custom Routing with vHUB

Kindly let us know if you need further assistance on this issue.

Cheers,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

NVA firewalls in availability set, how to prefer one over the other for outbound traffic

0 additional answers

Your answer