Azure VWAN Inter-region traffic filtering when using Secured Virtual HUBs

Veerraju Gopalli 20

Hi Microsoft team,

we have configured Azure VWAN with Secure virtual hubs( With Azure firewall), but as per the Microsoft documentation, we see inter-region traffic filtering is not possible on the firewall.

We have tested the below in our lab:

We have two on prem datacenters ( Seatle and washington DC), these data centers are connected to Azure regions in West US2 and East US2 using express route circuits.

We have also configured express route cross connect. Now using the express route cross connect we see that we can send the inter-region traffic over express route path and achieve inter-region traffic filtering.

When we are sending inter-region traffic over the express route path we see only 10ms of latency added( with two firewalls, ERGW and one MSEE device in the path) compared to inter-region link(only two hops in the path: hub virtual routers).

I couldn't find documentation on the Microsoft side which shows the use of express-route cross connect to overcome the inter-region traffic limitation. I would like to check whether it is recommended to use the express-route cross connect for inter-region traffic when latency is not making big difference.

Please advise.

KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee

2023-03-23T04:42:57.2833333+00:00
@Veerraju Gopalli

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know the best practices for inter-region traffic filtering in Secured Hub.

By using ExpressRoute Cross Connection,

I take it that you are sending all Region2 traffic via Region1 and similarly, Region1 traffic via Region2

or, are you only sending Region2 traffic directly to Region2 leveraging the ExpressRoute circuit in Region 1?

and the set up is something like below. (instead of Peering, we have Hub to Hub)

Please let me which is correct.

Also, if you can provide a traffic hop diagram/path, I would appreciate it

Cheers,

Kapil
KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee

2023-03-24T05:51:31.9433333+00:00

@Veerraju Gopalli

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
Veerraju Gopalli 20 Reputation points

2023-03-24T14:54:17.11+00:00
Hi Kapil,

Yes we have done the express route cross connect as shown in the diagram, but with Azure virtual WAN where connectivity between US west and US east is managed by Microsoft. It is not VNET peering.

We have configured azure firewall in the Virtual WAN hubs in US west and US east region.

US west region is connected to Seattle datacenter using Express route circuit, and US east region is connected to Washington DC datacenter using express route circuit, and provider is Equinix, and these are separate Express route circuits.

Now we have done the express route corss connect, where I have connected the US west region to express route configured in US east region and vice versa. Challenge: In VWAN when there is firewall configured in virtual hubs, inter-region traffic, i.e traffic from spokes connected to US west hub to traffic to spokes connected to US east hub will not work when trying to send it to through firewalls. This is Microsoft limitation. Bypassing the firewalls we were able to achieve this communication.
Fix:

Now when we have connected the express route cross connects we see that we can send traffic from West to East using express route gateway via the cross connect and achieve firewall filtering as well. same for east to west.

I couldn't find good documentation from Microsoft which states that Azure VWAN inter-region traffic filtering limitation when using azure firewall in the hub's can be mitigated/remediated using express route cross connect.

So I would like to know whether we can implement this solution as fix or not and would like to know Microsoft recommendation on it.
KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee

2023-03-29T13:09:57.4+00:00

@Veerraju Gopalli

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee

2023-04-03T14:51:47.7733333+00:00

@Veerraju Gopalli

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil

1 answer

KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee

2023-03-28T09:27:59.51+00:00

@Veerraju Gopalli

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know about the use of Express-Route Cross Connect to overcome the Inter-region Firewall Filtering traffic limitation

I discussed this with the Azure Virtual WAN Product Group team and below is their update:

Yes, but this only applies for VNET to VNET traffic and is not an architecture we recommend to customers.

For more details, you can reach out to previewinterhub@microsoft.com

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment