
How to route all S2S VPN traffic from on-prem to subnets through Azure firewall, without specifying every IP range in route table

Carsten 21 Reputation points
2022-12-12T08:38:18.81+00:00

In our Azure tenant we have an Azure Firewall and a Virtual Network Gateway with VPN connections to our customers. I want to route all incoming VPN traffic through the Azure Firewall, so that I can allow only certain subnets to be reached from certain VPN connections by setting network rules in the firewall.

However, we have a hub-spoke topology and many spokes are peered with the hub network that the Virtual Network Gateway is deployed on. In order to route all traffic to these spokes through the firewall I would need to add a UDR to the route table associated with the GatewaySubnet for each spoke. And if I add a spoke and then forget to add it to the route table then it will skip the firewall.

Is there any way to make sure all traffic always goes through the firewall? Changes to network topology or services used would also be an option. Ideally I'd like also to not advertise all routes to each VPN connection, yet still have shared Virtual Network Gateway.

I tried setting a UDR for 10.0.0.0/8 that covers all of our spokes (also future spokes) but this seems not to have any effect since the system routes that are automatically added for each peered network are e.g. 10.0.0.0/16 and thus used instead of my UDR because they have a longer matching prefix. The working solution I have now is to add a UDR for the IP range of each spoke, but then I have the problem that by default new spokes will be accessible without going through the firewall.
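The longest-prefix-match behaviour described in the question, as an added example that is not part of the original post: a small Python model of Azure's effective-route selection (longest prefix wins; on equal prefix length a user-defined route beats a BGP route, which beats a system route) applied to a constructed GatewaySubnet route set. The firewall IP, the hub and spoke address spaces, and the "forgotten" fourth spoke are made-up sample values; the function names are mine, not an Azure API.

```python
"""Model why a 10.0.0.0/8 UDR on the GatewaySubnet does not catch peered spokes.

Added example, not from the original post. All addresses are constructed.
"""
from ipaddress import ip_address, ip_network

# Azure breaks ties between routes of equal prefix length by source:
# user-defined routes win over BGP routes, which win over system routes.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}

FIREWALL_IP = "10.0.1.4"  # constructed: private IP of the hub's Azure Firewall

# Constructed: the system routes Azure adds to the GatewaySubnet on its own.
# One VnetLocal route for the hub, one VNetPeering route per peered spoke.
# (prefix, next hop type, next hop IP, source)
SYSTEM_ROUTES = [
    ("10.0.0.0/16", "VnetLocal", None, "System"),
    ("10.1.0.0/16", "VNetPeering", None, "System"),
    ("10.2.0.0/16", "VNetPeering", None, "System"),
    ("10.3.0.0/16", "VNetPeering", None, "System"),  # spoke added later, UDR forgotten
]


def build_routes(udr_prefixes):
    """System routes plus one UDR per prefix, each pointing at the firewall."""
    routes = list(SYSTEM_ROUTES)
    for prefix in udr_prefixes:
        routes.append((prefix, "VirtualAppliance", FIREWALL_IP, "User"))
    return routes


def effective_route(routes, dest):
    """The route Azure would pick for dest: longest prefix, then source rank."""
    dest = ip_address(dest)
    candidates = [r for r in routes if dest in ip_network(r[0])]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ip_network(r[0]).prefixlen, -SOURCE_RANK[r[3]]))


def next_hop(routes, dest):
    """(next hop type, next hop IP) for dest, or ("None", None) if unroutable."""
    r = effective_route(routes, dest)
    return (r[1], r[2]) if r else ("None", None)


def spokes_bypassing_firewall(routes):
    """Peered spoke prefixes whose traffic is NOT forced through the firewall.

    A UDR only wins against the /16 peering route if it is at least as
    specific, so a summary /8 never covers a peered spoke.
    """
    bypassing = []
    for prefix, hop_type, _ip, _source in routes:
        if hop_type != "VNetPeering":
            continue
        probe = str(ip_network(prefix).network_address + 1)  # first host of the spoke
        if effective_route(routes, probe)[1] != "VirtualAppliance":
            bypassing.append(prefix)
    return bypassing


if __name__ == "__main__":
    summary = build_routes(["10.0.0.0/8"])
    print("/8 UDR, dest 10.1.0.5 ->", next_hop(summary, "10.1.0.5"))
    print("/8 UDR, spokes bypassing:", spokes_bypassing_firewall(summary))

    explicit = build_routes(["10.1.0.0/16", "10.2.0.0/16"])
    print("/16 UDRs, dest 10.1.0.5 ->", next_hop(explicit, "10.1.0.5"))
    print("/16 UDRs, spokes bypassing:", spokes_bypassing_firewall(explicit))
```

With the summary route the model picks the system VNetPeering route for every spoke, which is what the question observed; with per-spoke /16 UDRs only the forgotten 10.3.0.0/16 is reported. In a real tenant the spoke prefixes would come from the hub's peerings (for example `az network vnet peering list` and each peering's remote address space) and each reported prefix is a candidate for `az network route-table route create ... --next-hop-type VirtualAppliance --next-hop-ip-address <firewall IP>`, so the drift check can run in a pipeline whenever a spoke is added.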

Azure VPN Gateway

An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

Azure Firewall

An Azure network security service that is used to protect Azure Virtual Network resources.


Answer accepted by question author
  1. KapilAnanth 49,866 Reputation points Moderator
    2022-12-12T09:47:55.127+00:00

    Hi @Carsten ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you would like to route all Azure-bound traffic from the VPN Gateway to Azure Firewall without specifying individual routes.

    I am afraid this won't be feasible without introducing additional components.
    As you can see, Azure always prefers the longest prefix match. /24 would always take precedence over a /16.

    You can consider using Azure vWAN Secure Hub
    This will automatically add and update routes as Peers are introduced in the network.

    However, this would require you to re-architect your current environment and deploy the Firewall into the vHub.

    The other way to achieve this is by using BGP, Azure Route Server and an NVA that supports BGP sessions with ARS.
    Refer: Azure Route Server support for ExpressRoute and Azure VPN

    But this would require you to deploy a 3rd party NVA to act as the Firewall.

    Hope this helps.

    Cheers,
    Kapil.

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

