Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
129 questions
Hello @Lior Elayev ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you have deployed a secured virtual wan hub to route traffic between 2 Vnets via Azure Firewall and the traffic is going through fine but would like to know how this routing works end to end.
The routing capabilities in a virtual hub are provided by a router that manages all routing between gateways using Border Gateway Protocol (BGP). A virtual hub can contain multiple gateways such as a Site-to-site VPN gateway, ExpressRoute gateway, Point-to-site gateway, Azure Firewall. This router also provides transit connectivity between virtual networks that connect to a virtual hub.
Refer : https://learn.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing
A secured virtual hub is an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager. You can use a secured virtual hub to filter traffic between virtual networks (V2V), virtual networks and branch offices (B2V) and traffic to the Internet (B2I/V2I). A secured virtual hub provides automated routing. There's no need to configure your own UDRs (user defined routes) to route traffic through your firewall.
Using Azure Firewall manager, you can now can set up your network in a much simpler manner with Routing Intent and Routing Policies for public and private traffic.
Routing Intent and Routing policies allow you to specify how the Virtual WAN hub forwards Internet-bound and Private (Point-to-site, Site-to-site, ExpressRoute, Network Virtual Appliances inside the Virtual WAN Hub and Virtual Network) Traffic. There are two types of Routing Policies: Internet Traffic and Private Traffic Routing Policies.
When a Private Traffic Routing Policy is configured on a Virtual WAN hub, all branch and Virtual Network traffic in and out of the Virtual WAN Hub including inter-hub traffic will be forwarded to the Next Hop Azure Firewall resource or Network Virtual Appliance resource that was specified in the Private Traffic Routing Policy.
Refer : https://learn.microsoft.com/en-us/azure/firewall-manager/secured-virtual-hub
https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies
If you refer the below tutorial which shows your architecture, you can see that the below steps are done to achieve the spoke to spoke or Vnet to Vnet connectivity:
https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network
- The hub and spoke Vnets are peered using Virtual network connections.
- A firewall policy is created with a network rule to allow the connection between both the VMs/NICs in the spoke Vnets.
- Routing Intent and Routing policies are configured in the Azure Firewall manager to ensure that network traffic gets routed through the Azure firewall.
As a stateful service, Azure Firewall completes a TCP three-way handshake for allowed traffic, from a source to the destination. For example, VNet-A to VNet-B.
Refer : https://learn.microsoft.com/en-us/azure/firewall/rule-processing#three-way-handshake-behavior
You can monitor Azure Firewall using firewall logs. You can also use Azure Firewall Workbook which provides a flexible canvas for Azure Firewall data analysis.
To enable diagnostic logging for Azure Firewall : https://learn.microsoft.com/en-us/azure/firewall/firewall-diagnostics
You can then check the network rule logs, which is saved to a storage account, streamed to Event hubs and/or sent to Azure Monitor logs per your selected configuration.
Refer : https://learn.microsoft.com/en-us/azure/firewall/logs-and-metrics
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.