Forcing VPN-to-ER through the firewall

Shehzad Amir
Hi,
I want to ask about the scenario below. I want to inspect the traffic between the regions via the firewall. I want to know whether the UDRs attached to the GWs marked in red are legitimate or not; when I create them, the type in the effective route of the VM NIC changes to "None".
Just to add more details, we are using Route Server in region-1, and ER shows all the routes learned from the other region as well.
The figure depicts only the Hub subscriptions in two different regions; there are more than 10 spokes in each region which are peered to the respective hubs, just not shown in the diagram for simplification. The route server is working fine and is advertising all the routes properly, as I checked from the routes learned in the ER gateway.
The ask here is to force the traffic to pass through the firewall, and on-prem needs to reach across regions to any spoke. The problem is that the UDR route which is associated with the GW subnet and points the traffic towards the remote FW private IP is not working and shows as "None" type in the effective route, which means traffic will be dropped. I want to understand whether the UDR strategy which I have used has any issue or not, and why the remote FW private IP is not working as it is supposed to when set as the next hop IP address in the UDR.
With the above configuration, on-prem traffic can easily reach the spokes connected to region-1 but not to region-2.
@Shehzad Amir, to be honest the UDR attached to the GatewaySubnet marked in red doesn't make sense. The UDRs marked in black are enough for traffic inspection via the Firewalls. The UDRs marked in red will not work, as the VPN traffic will go from gateway 1 to gateway 2 first, and the Firewall comes after that.
If it is direct VNet-to-VNet traffic, only then will such a UDR work.
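One way to check this condition from the VM side, as an added example that is not from the thread or from Microsoft: the script below takes JSON in the shape returned by `az network nic show-effective-route-table` (the field names are an assumption based on that output), finds the longest-prefix-match route for a destination, and flags destinations whose winning route has next hop type "None", which is the dropped-traffic case discussed above. The sample route table is constructed to mirror the symptom in the question.

```python
import ipaddress
import json

# Constructed sample shaped like `az network nic show-effective-route-table`
# output (field names are an assumption). It models the thread's symptom: the
# UDR pointing at the remote firewall's private IP is rendered with
# nextHopType "None", so anything it matches is silently dropped.
SAMPLE_EFFECTIVE_ROUTES = json.dumps({"value": [
    {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["192.168.0.0/16"], "nextHopType": "VirtualNetworkGateway",
     "nextHopIpAddress": [], "source": "VirtualNetworkGateway", "state": "Active"},
    {"addressPrefix": ["10.2.0.0/16"], "nextHopType": "None",
     "nextHopIpAddress": ["10.2.0.4"], "source": "User", "state": "Active"},
]})


def parse_effective_routes(raw):
    """Flatten the CLI JSON into (network, nextHopType, nextHopIp, source) tuples."""
    routes = []
    for r in json.loads(raw)["value"]:
        if r.get("state", "Active") != "Active":
            continue  # routes in any other state never take effect
        hop_ip = r["nextHopIpAddress"][0] if r["nextHopIpAddress"] else None
        for prefix in r["addressPrefix"]:
            routes.append((ipaddress.ip_network(prefix), r["nextHopType"], hop_ip, r["source"]))
    return routes


def winning_route(routes, dest):
    """Longest-prefix match for dest (source-priority tie-breaking is not modelled)."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def is_blackholed(routes, dest):
    """True when the route that wins for dest has nextHopType 'None' (traffic dropped)."""
    r = winning_route(routes, dest)
    return r is not None and r[1] == "None"


def blackholed_prefixes(routes):
    """Every prefix whose effective next hop is 'None', with the UDR hop that failed."""
    return [(str(net), hop_ip, src) for net, kind, hop_ip, src in routes if kind == "None"]


if __name__ == "__main__":
    rt = parse_effective_routes(SAMPLE_EFFECTIVE_ROUTES)
    for dest in ("10.2.0.10", "10.1.0.10", "192.168.1.1"):
        print(dest, winning_route(rt, dest)[1], "DROPPED" if is_blackholed(rt, dest) else "ok")
```

Run it against the real CLI output for the NIC in question; a UDR-sourced prefix in the `blackholed_prefixes` list is the one the answer above says cannot work from the GatewaySubnet.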
@Shehzad Amir, could you please provide an update on this post? Kindly let us know if you need further assistance on this issue.