Issue with VirtualNetwork service tag when using UDR for routing via Azure Firewall

Sibba Sailor 80 Reputation points

Hi Experts,


When I add a UDR on my Spoke Subnets to use Azure Firewall for default outbound ( -> Azure Firewall IP), the Virtual Network service tag on the NSG attached to the Spoke Subnets gets value. When I remove the UDR default outbound route, the Virtual Network service tag gets the VNet and peered VNet address space, etc.

Due to this, limiting network access at the NSG level on the Spoke Subnets is getting complex. For example, let's consider that I do not want to direct traffic to Azure Firewall for my S2S/P2S VPN traffic, and want to control which S2S IP addresses can access my Spoke Subnet using an NSG rule attached to my Spoke Subnet. This is getting complex as the default DenyAllInbound is no longer applicable due to AllowVnetInbound allowing everything.


In such scenarios, the network control at the NSG level gets auto-updated and gets allowed for all ( - - All Protocols), and the concept of having a default DenyAllInbound as the last rule fails. This could be a security risk where the engineer has added a UDR for to Subnets and all the NSGs would turn to Allow All (Everything).

Related GitHub Discussion:

FYI, I just found out a blog also reporting a similar challenge that I am facing:


Accepted answer
  1. GitaraniSharma-MSFT 48,286 Reputation points Microsoft Employee

    Hello @Sibba Sailor ,

    I understand that you are facing issues with VirtualNetwork service tag in NSG, when using UDR for routing via Azure Firewall. When you add a UDR on your Spoke Subnets to use Azure Firewall for default outbound ( -> Azure Firewall IP), the VirtualNetwork service tag on the NSG attached to the Spoke Subnets gets prefix value.

    I discussed this behavior with the Azure Virtual Network Product Group team, and they confirmed that this is expected behavior.

    Virtual Network tag includes VNet address prefixes, peered prefixes and on-prem prefixes propagated via VPN or ExpressRoute gateway.



    To avoid this, either stop propagating and use a more specific prefix OR use prefixes in the NSG instead of that tag.

    We have a plan to introduce customer service tags aka IP groups, but this is still in design so no timelines to share yet.

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

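The workaround the answer suggests (explicit prefixes in the NSG instead of the VirtualNetwork tag), together with the question's observation that the tag expands once a default-route UDR is on the subnet, as an added example that is not part of this thread or of any Microsoft tooling: a Python script that audits a NIC's effective NSG rules for VirtualNetwork expansions outside the prefixes you actually trust, then builds explicit-prefix replacement rules (per-source Allow rules plus a custom Deny-all at priority 4096, which is evaluated before the 65000 default AllowVnetInBound rule) and renders them as `az network nsg rule create` commands. The effective-rule JSON shape (assumed to match `az network nic list-effective-nsg`), the address ranges, the resource group `rg-spoke` and the NSG name `nsg-spoke-app` are all assumptions or constructed sample data.

```python
"""Audit effective NSG rules for an over-broad VirtualNetwork tag and build
explicit-prefix replacement rules.

Added example, not code from the Q&A thread. It assumes the JSON shape returned
by `az network nic list-effective-nsg` (an "effectiveSecurityRules" list whose
entries carry "expandedSourceAddressPrefix" / "expandedDestinationAddressPrefix");
that shape is an assumption, and all sample data below is constructed.
"""
import ipaddress


def _rule(name, access, priority, src, src_exp, dst, dst_exp, protocol="All"):
    """Build one entry of the constructed effective-rule sample."""
    return {
        "name": name, "direction": "Inbound", "access": access, "priority": priority,
        "protocol": protocol,
        "sourceAddressPrefix": src, "expandedSourceAddressPrefix": src_exp,
        "destinationAddressPrefix": dst, "expandedDestinationAddressPrefix": dst_exp,
    }


# Constructed sample: a spoke NIC after a 0.0.0.0/0 UDR was added. The
# VirtualNetwork tag now expands to the spoke, the peered hub, a propagated
# on-prem range and the default route itself.
VNET_TAG_EXPANSION = ["10.1.0.0/16", "10.0.0.0/16", "192.168.0.0/16", "0.0.0.0/0"]
SAMPLE_EFFECTIVE_NSG = {"value": [{"effectiveSecurityRules": [
    _rule("securityRules/AllowHttpsFromHub", "Allow", 100,
          "10.0.0.0/24", ["10.0.0.0/24"], "10.1.1.0/24", ["10.1.1.0/24"], "Tcp"),
    _rule("defaultSecurityRules/AllowVnetInBound", "Allow", 65000,
          "VirtualNetwork", VNET_TAG_EXPANSION, "VirtualNetwork", VNET_TAG_EXPANSION),
    _rule("defaultSecurityRules/DenyAllInBound", "Deny", 65500,
          "0.0.0.0/0", ["0.0.0.0/0"], "0.0.0.0/0", ["0.0.0.0/0"]),
]}]}

# Prefixes this NSG is meant to trust: the spoke VNet and the peered hub (constructed).
TRUSTED_PREFIXES = ["10.1.0.0/16", "10.0.0.0/16"]


def _covered(prefix, trusted):
    """True if `prefix` lies entirely inside one of the trusted prefixes."""
    net = ipaddress.ip_network(prefix)
    return any(net.version == t.version and net.subnet_of(t)
               for t in map(ipaddress.ip_network, trusted))


def audit_vnet_tag(effective_nsg, trusted_prefixes):
    """Return (rule name, side, prefix) for every Allow rule whose VirtualNetwork
    tag expanded to a prefix outside `trusted_prefixes`. Both 0.0.0.0/0 from a
    default UDR and on-prem ranges propagated by a gateway show up here."""
    findings = []
    for entry in effective_nsg["value"]:
        for rule in entry["effectiveSecurityRules"]:
            if rule["access"] != "Allow":
                continue
            for side in ("source", "destination"):
                if rule[f"{side}AddressPrefix"] != "VirtualNetwork":
                    continue
                for prefix in rule[f"expanded{side.capitalize()}AddressPrefix"]:
                    if not _covered(prefix, trusted_prefixes):
                        findings.append((rule["name"], side, prefix))
    return findings


def explicit_inbound_rules(allowed_sources, spoke_prefix, dest_port="443"):
    """Custom rules that stop relying on the VirtualNetwork tag: one Allow per
    explicit source prefix, then a Deny-all at priority 4096. 4096 is the lowest
    custom priority, so it is still evaluated before the 65000 default
    AllowVnetInBound rule and restores the deny-by-default posture."""
    rules = [{
        "name": f"Allow-{src.replace('/', '_')}-{dest_port}", "priority": 100 + 10 * i,
        "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "source": src, "destination": spoke_prefix, "port": dest_port,
    } for i, src in enumerate(allowed_sources)]
    rules.append({
        "name": "DenyAllInbound-Explicit", "priority": 4096,
        "direction": "Inbound", "access": "Deny", "protocol": "*",
        "source": "*", "destination": "*", "port": "*",
    })
    return rules


def as_az_cli(rule, resource_group, nsg_name):
    """Render a rule as an `az network nsg rule create` command; resource group
    and NSG name are placeholders supplied by the caller."""
    return (f"az network nsg rule create -g {resource_group} --nsg-name {nsg_name} "
            f"-n {rule['name']} --priority {rule['priority']} --direction {rule['direction']} "
            f"--access {rule['access']} --protocol {rule['protocol']} "
            f"--source-address-prefixes '{rule['source']}' "
            f"--destination-address-prefixes '{rule['destination']}' "
            f"--destination-port-ranges '{rule['port']}'")


if __name__ == "__main__":
    for name, side, prefix in audit_vnet_tag(SAMPLE_EFFECTIVE_NSG, TRUSTED_PREFIXES):
        print(f"{name}: {side} VirtualNetwork tag expands to untrusted {prefix}")
    # Constructed S2S range that should reach the spoke; everything else is denied.
    for rule in explicit_inbound_rules(["172.16.5.0/24"], "10.1.1.0/24"):
        print(as_az_cli(rule, "rg-spoke", "nsg-spoke-app"))
```

To run the audit against a real NIC, load the output of `az network nic list-effective-nsg -g <rg> -n <nic> -o json` with `json.load` in place of `SAMPLE_EFFECTIVE_NSG`. The explicit Deny at 4096 only wins over the default rules; any custom Allow rule with a lower priority number still takes precedence, so the per-source Allow rules above it are the complete list of what reaches the subnet.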
