I want to set-up forced tunneling in Azure. All traffic destined to internet should be routed to on-prem and exit to internet from there. As far as i understand i need to advertise default route via BGP in Azure so that it replaces internet default route and send everything to on-prem via Express route. Then i make UDRs 0.0.0.0/0 next hop to NVA Cisco firewall on all subnets in Azure. All traffic from Azure subnets will go to NVA and from there it will be routed to on-prem or to another vNET. Question is what about the traffic coming from on-prem to Azure ? I want that traffic to also go through NVA cisco firewall. How could it be done as gateway subnet do not support 0.0.0.0/0 UDRs with Express route setup.

Hello @Mateen Baig , Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well. Your initial understanding of the setup is correct. You will have to advertise a default route of 0.0.0.0/0 via BGP from your on-premises to Azure, so that all your Azure traffic is sent to your on-premises via the ExpressRoute. And in order to filter all that traffic by an NVA, you can add a UDR with 0.0.0.0/0 on all the subnets (except the NVA subnet) with next hop as your Cisco Firewall NVA. This setup will take care of the routing from Azure to on-prem which will go as below: All subnets --> Cisco NVA --> ExpressRoute gateway --> On-premises. Now coming back to your question on what about the return traffic, yes GatewaySubnet do not support 0.0.0.0/0 UDRs but it supports UDRs with other address prefixes. Hence, you can add a UDR to the ExpressRoute GatewaySubnet with the address prefix of your Vnet range with next hop type Virtual Appliance and IP address of your Cisco NVA. This will make sure that any traffic that comes from your on-premises for your Azure Vnet range, when reaches your ExpressRoute gateway will be forwarded to the Cisco NVA. For example : If your Vnet address range is 10.0.0.0/16 then you can add a UDR to your ExpressRoute GatewaySubnet as below: Address prefix : 10.0.0.0/16 --> Next hop = Virtual Appliance --> Next hop = IP address of Cisco NVA So the routing from On-prem to Azure will go as below: On-premises --> ExpressRoute gateway --> Cisco NVA --> All subnets. Kindly let us know if the above helps or you need further assistance on this issue. ---------------------------------------------------------------------------------------------------------------- Please " Accept the answer " if the information helped you. This will help us and others in the community as well.

Azure Express route forced-tunneling with NVA

Accepted answer

GitaraniSharma-MSFT 49,356 Reputation points Microsoft Employee

2021-09-28T14:26:24.983+00:00

Hello @Mateen Baig ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Your initial understanding of the setup is correct.
You will have to advertise a default route of 0.0.0.0/0 via BGP from your on-premises to Azure, so that all your Azure traffic is sent to your on-premises via the ExpressRoute. And in order to filter all that traffic by an NVA, you can add a UDR with 0.0.0.0/0 on all the subnets (except the NVA subnet) with next hop as your Cisco Firewall NVA.

This setup will take care of the routing from Azure to on-prem which will go as below:
All subnets --> Cisco NVA --> ExpressRoute gateway --> On-premises.

Now coming back to your question on what about the return traffic, yes GatewaySubnet do not support 0.0.0.0/0 UDRs but it supports UDRs with other address prefixes.
Hence, you can add a UDR to the ExpressRoute GatewaySubnet with the address prefix of your Vnet range with next hop type Virtual Appliance and IP address of your Cisco NVA. This will make sure that any traffic that comes from your on-premises for your Azure Vnet range, when reaches your ExpressRoute gateway will be forwarded to the Cisco NVA.

For example : If your Vnet address range is 10.0.0.0/16 then you can add a UDR to your ExpressRoute GatewaySubnet as below:
Address prefix : 10.0.0.0/16 --> Next hop = Virtual Appliance --> Next hop = IP address of Cisco NVA
So the routing from On-prem to Azure will go as below:
On-premises --> ExpressRoute gateway --> Cisco NVA --> All subnets.

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

2 people found this answer helpful.
Mateen Baig 71 Reputation points

2021-09-29T07:51:56.357+00:00

very well explained. will try....Thankyou .. I have NVA behing ILB. hope this will work fine in that setup too ?

Mateen Baig 71 Reputation points

2021-09-29T08:34:28.317+00:00

what if i want traffic to my NVA management subnet go directly ? How will UDR look like ? will it be like destination mgmt subnet next-hop virtual network or the gateway ip address of the management subnet ?

GitaraniSharma-MSFT 49,356 Reputation points Microsoft Employee

2021-09-29T15:05:09.897+00:00

Hello @Mateen Baig ,

Could you please explain this query a bit further? Which traffic are you referring to here & from where?

Regards,
Gita

Mateen Baig 71 Reputation points

2021-09-30T08:10:56.037+00:00

I have NVA in another management subnet behind internal loadbalancer. On-prem FMC needs to talk to NVA which is a Cisco FTD. With a route to NVA on gateway-subnet all traffic including to NVA management subnet was going towards NVA interface. I applied a more specific route for managment NVA subnet with next hop virtual network. This seems to be working fine.

I noticed that routing to bigger subnets is not working like /16. it works fine as i apply routing to more specific subnets /24. If i have many /24 subnets in a vnet then a route towards all of them with /16 should work fine ?

second question is that after advertising default route to Azure if i want to restrict some traffic going to on-prem networks what type of UDR can be applied in Azure? network with next-hop NONE is for this purpose ?

GitaraniSharma-MSFT 49,356 Reputation points Microsoft Employee

2021-09-30T15:59:04.23+00:00

Hello @Mateen Baig ,

As per Azure Vnet traffic routing, if multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:
User-defined route > BGP route > System route

Which means UDRs are always preferred no matter what other routes the subnet has but if 2 UDRs have similar routes, Azure selects a route based on the destination IP address, using the longest prefix match algorithm.
For example, a route table has two routes: One route specifies the 10.0.0.0/24 address prefix, and the other 10.0.0.0/16 address prefix. To reach 10.0.0.5, Azure selects route with 10.0.0.0/24 address prefix, because 10.0.0.0/24 is a longer prefix than 10.0.0.0/16, even though 10.0.0.5 is within both address prefixes.

So, as long as you do not have similar routes, you can use /16 but also make sure that the /16 address space that you define doesn't include the NVA subnet where the NVA (next hop) is deployed or else it will result in routing loops.
Reference : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#user-defined

Yes, if you want to restrict some subnet traffic going to on-premises, then you can add a UDR with the on-premises address prefix with next hop NONE to that subnet. None is specified when you want to drop traffic to an address prefix, rather than forwarding the traffic to a destination.

Regards,
Gita

Mateen Baig 71 Reputation points

2021-10-04T13:45:31.717+00:00

Thankyou for the detailed answer. One thing is still not clear about UDRs:
take this flow
All subnets --> Cisco NVA (ILB/FW)--> ExpressRoute gateway --> On-premises.

ICMP traffic from Azure VM to on-premises resource is working fine going through the firewall as intended but when i change the destination port f.eks TCP 4040. it goes directly to on-premises resource bypassing the firewall. Can not understand why it is so. Have also tried /32 UDR to resource. Route propogation on the subnet is OFF so it does not have a direct route to on-premises routes. Have checked the effective routes.

Next hop shows the correct NVA IP of ILB. Azure connection troubleshoots also reflects the same. Correct path while using ICMP but going directly with any other port.

I am actually trying to use an on-premises proxy server for internet traffic instead of routing a default route in Azure as previously discussed.
note : the on-prem proxy server is using an ip address from public ip range.

GitaraniSharma-MSFT 49,356 Reputation points Microsoft Employee

2021-10-06T06:39:19.143+00:00

Hello @Mateen Baig ,

I won't be able to confirm the cause of this issue without checking your setup.

Could you please send us an email as requested over the private message?

Regards,
Gita Sharma

Mateen Baig 71 Reputation points

2021-10-07T12:35:52.243+00:00

Tested a bit more about this issue. Looks like traffic is actually passing through the Cisco NVA but somehow not visible in event logs. Azure Connection troubleshoot is also not showing the correct path. I added a block rule in Cisco NVA which showed the event logs and blocked the traffic too.

GitaraniSharma-MSFT 49,356 Reputation points Microsoft Employee

2021-10-07T13:19:03.643+00:00

Thank you for the update, @Mateen Baig .

Please let us know if you need any further assistance on this issue.

Regards,
Gita

ka_admin 21 Reputation points

2021-11-30T12:50:37.537+00:00

Hi Sharma,

The case above depicts the scenario we have. But in our case, we use a Palo Alto NVA behind a ILB. All routing looks fine, but the return traffic doesn't go through the Palo NVA with this setup...

Azure to On-prem works fine like this:
Subnets --> ILB -> Palo NVA -> ExpressRoute gateway --> On-Premises

The routing from On-prem to Azure should go as below:
On-premises --> ExpressRoute gateway --> ILB -> Palo NVA --> All subnets.

Instead it goes like this, causing asymmetric traffic flow:
On-premises --> ExpressRoute gateway --> All subnets

What could be the problem??

Mateen Baig 1 Reputation point

2021-11-30T13:10:46.637+00:00

you need a route on gateway subnet pointing to ILB. note: 0.0.0.0 route is not supported on gateway subnet. You have to provide dst vNet addr prefixes.

GitaraniSharma-MSFT 49,356 Reputation points Microsoft Employee

2021-11-30T14:05:37.513+00:00

Hello @ka_admin ,

As @Mateen Baig mentioned, you need a add a route table on gateway subnet with a route pointing to ILB. Note: 0.0.0.0 route is not supported on gateway subnet, so, you have to provide the destination Vnet address prefixes in that route.

Regards,
Gita
Sign in to comment

Share via

Azure Express route forced-tunneling with NVA

0 additional answers