Azure Firewall Routes in a Virtual WAN secured hub

Lior Elayev 61 Reputation points
2022-11-10T15:53:18.077+00:00

Hi,
I deployed the following architecture in Azure:
259124-securehub.png

I want to reach from vNIC1 (10.25.14) to vNIC2 (10.26.1.4).
I see that the routing from vNIC1 goes to Azure FW, the question is where can I see the routing from Azure FW to vNIC2? As you can see all the effective routes of the HUB goes through the Azure FW.
In practice, I manage to reach from vNIC1 to vNIC2 via the Azure FW but I want to know how this routing works from end to end.
Thank you.

Azure Virtual WAN
Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
202 questions
Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
612 questions
0 comments No comments
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee
    2022-11-11T11:28:28.61+00:00

    Hello @Lior Elayev ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have deployed a secured virtual wan hub to route traffic between 2 Vnets via Azure Firewall and the traffic is going through fine but would like to know how this routing works end to end.

    The routing capabilities in a virtual hub are provided by a router that manages all routing between gateways using Border Gateway Protocol (BGP). A virtual hub can contain multiple gateways such as a Site-to-site VPN gateway, ExpressRoute gateway, Point-to-site gateway, Azure Firewall. This router also provides transit connectivity between virtual networks that connect to a virtual hub.
    Refer : https://learn.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing

    A secured virtual hub is an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager. You can use a secured virtual hub to filter traffic between virtual networks (V2V), virtual networks and branch offices (B2V) and traffic to the Internet (B2I/V2I). A secured virtual hub provides automated routing. There's no need to configure your own UDRs (user defined routes) to route traffic through your firewall.

    Using Azure Firewall manager, you can now can set up your network in a much simpler manner with Routing Intent and Routing Policies for public and private traffic.

    Routing Intent and Routing policies allow you to specify how the Virtual WAN hub forwards Internet-bound and Private (Point-to-site, Site-to-site, ExpressRoute, Network Virtual Appliances inside the Virtual WAN Hub and Virtual Network) Traffic. There are two types of Routing Policies: Internet Traffic and Private Traffic Routing Policies.

    When a Private Traffic Routing Policy is configured on a Virtual WAN hub, all branch and Virtual Network traffic in and out of the Virtual WAN Hub including inter-hub traffic will be forwarded to the Next Hop Azure Firewall resource or Network Virtual Appliance resource that was specified in the Private Traffic Routing Policy.

    Refer : https://learn.microsoft.com/en-us/azure/firewall-manager/secured-virtual-hub
    https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies

    If you refer the below tutorial which shows your architecture, you can see that the below steps are done to achieve the spoke to spoke or Vnet to Vnet connectivity:
    https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network

    1. The hub and spoke Vnets are peered using Virtual network connections.
    2. A firewall policy is created with a network rule to allow the connection between both the VMs/NICs in the spoke Vnets.
    3. Routing Intent and Routing policies are configured in the Azure Firewall manager to ensure that network traffic gets routed through the Azure firewall.

    As a stateful service, Azure Firewall completes a TCP three-way handshake for allowed traffic, from a source to the destination. For example, VNet-A to VNet-B.
    Refer : https://learn.microsoft.com/en-us/azure/firewall/rule-processing#three-way-handshake-behavior

    You can monitor Azure Firewall using firewall logs. You can also use Azure Firewall Workbook which provides a flexible canvas for Azure Firewall data analysis.
    To enable diagnostic logging for Azure Firewall : https://learn.microsoft.com/en-us/azure/firewall/firewall-diagnostics

    You can then check the network rule logs, which is saved to a storage account, streamed to Event hubs and/or sent to Azure Monitor logs per your selected configuration.
    Refer : https://learn.microsoft.com/en-us/azure/firewall/logs-and-metrics

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers

Sort by: Most helpful