Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,379 questions
Forcing VPN-to-ER through the firewall
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 66%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Shehzad Amir
20
Reputation points
Hi,
I want to ask about the below scenario. I want to inspect the traffic between the region via firewall. I want to know that the UDR attached to the GWs mark in red are legitimate or not, when i create them the type in effective route of VM NIC changes to "None" .
Just to add more details, we are using Route server in the region-1 and ER shows all the routes learned from other region as well.
{count} votes
-
GitaraniSharma-MSFT 47,086 Reputation points Microsoft Employee2023-03-16T09:23:49.1533333+00:00 Hello @Shehzad Amir ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
Could you please clarify your ask with some more details? What is the exact requirement or if you are facing any issues?
Looking at your setup diagram, I have a few questions:
Why do you have VPN gateways and Azure Firewalls on both Vnets?
You can make use of Vnet peering and force region 2 Vnet traffic to Region1 Firewall via UDRs for inspection as shown in the below doc and simplify the setup.
Multi-region ARS design for high availability can be found in the below doc:
https://learn.microsoft.com/en-us/azure/route-server/multiregion
Regards,
Gita
-
Shehzad Amir 20 Reputation points
2023-03-16T10:42:26.5533333+00:00 The figure depicts only the Hub subscriptions in two different regions, there are more than 10 spoke in each region which are peered to the respective hubs, just didn't showed in the diagram for simplification. The route server is working fine and its advertising all the routes properly as i checked from the routes learned in ER gateway.
The ask here is to force the traffic needs to pass through firewall and on-prem needs to reach across region to any spoke. The problem is the UDR route which is associated with GW subnet and pointing the traffic towards remote FW private IP is not working and showing as "none" type in effective route, which means traffic will be dropped. I want to understand the UDR strategy which i have used has any issue or not and why the remote FW private IP not working as it is supposed to when set as a next hop IP address in UDR.
With the above configuration On-prem traffic can easily reach to the spokes connected to the region1 but not to region-2.
-
GitaraniSharma-MSFT 47,086 Reputation points Microsoft Employee
2023-03-16T13:19:46.35+00:00 @Shehzad Amir , to be honest the UDR attached to the GatewaySubnet marked in red doesn't make sense. The UDRs marked in black are enough for traffic inspection via the Firewalls. The UDRs marked in red will not work as the VPN traffic will go from the gateway 1 to gateway 2 first, and the Firewall comes after that.
If it is direct Vnet to Vnet traffic, only then such UDR will work.
-
GitaraniSharma-MSFT 47,086 Reputation points Microsoft Employee
2023-03-20T13:22:18.3833333+00:00 @Shehzad Amir , could you please provide an update on this post? Kindly let us know if you need further assistance on this issue.
Sign in to comment