How to redirect VNET traffic that is secured by NSG into the Azure Firewall in Hub VNET?

Question

People,

I've just deployed a new Azure Firewall in a Production Subscription in Hub VNET called HUB-FW-VNET.
I've got multiple Azure Subscriptions with various different VNETs and NSGs applied.

May I know what steps do I need to take to redirect all traffic into this Hub VNET called **HUB-FW-VNET* in Azure-Production-Subscription?
The goal is for all inbound and outbound traffic from Spoke1 & 2 VNET will be filtered and going through this Azure Firewall instead of managing it individual

Like in this diagram:

Thank you in advance.

Answer 1

@EnterpriseArchitect Thank you for reaching out to Microsoft Q&A.

I understand that you want to setup a Hub and Spoke architecture with an Azure FW in the Hub and force all traffic through it.

In order to do that, you need to:

1. Peer the Hub and Spoke vnets
2. Create a UDR on the spokes to force all traffic to be sent to the Azure firewall.
3. And then for the spokes to use the hub gateway to communicate with remote networks, you must:

Configure the peering connection in the hub to allow gateway transit.
Configure the peering connection in each spoke to use remote gateways.
Configure all peering connections to allow forwarded traffic.

Here are a couple of Hub and Spoke architectures for your reference-

https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/hub-spoke-network-topology

Hope this helps. Please let us know if you have further questions/concerns and we will be glad to assist further. Thank you!

Answer 2

@SaiKishor-MSFT , would you be able to clarify the above, please?