To route traffic from Azure Firewall to on-prem networks, do the Firewall and VNG have to be in the same VNET?

James Tillson 20 Reputation points
2023-06-15T19:12:47.57+00:00

Is it possible to have an Azure Firewall in one VNET managing connections from multiple peered VNETs and use a Virtual Network Gateway in a completely separate VNET for connections to on-prem networks? Or is it a requirement for the VNG to reside in the same VNET as the Azure Firewall?


  1. GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2023-06-16T12:37:23.2233333+00:00

    Hello @James Tillson,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if it is possible to deploy an Azure Firewall in one VNET managing connections from multiple peered VNETs and use a Virtual Network Gateway in a completely separate VNET for connections to on-prem networks.

    Yes, it is possible to have an Azure Firewall in one VNET managing connections from multiple peered VNETs and use a Virtual Network Gateway in a completely separate VNET for connections to on-prem networks.

    For Azure to On-prem traffic:

    You can deploy Azure Firewall on any virtual network, but customers typically deploy it on a central virtual network and peer other virtual networks to it in a hub-and-spoke model. You can then set the default route (0.0.0.0/0) from the peered virtual networks to point to this central Azure Firewall.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#what-is-the-typical-deployment-model-for-azure-firewall

    You can then create a UDR with the destination subnet address prefixes of your on-premises networks and point it to next hop Virtual network gateway (The virtual network gateway must be created with type VPN). Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#custom-routes

    And create necessary network rules within the Azure Firewall.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal-policy

    So, the routing from Azure to On-prem will go as below: All subnets --UDR--> Azure firewall --UDR--> VPN gateway --S2S--> On-premises

    Another important point to note here is: Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity, or stop advertising the default route from on-prem. After this, you can filter the outbound traffic within the Azure Firewall according to your needs by configuring network rules. Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#is-forced-tunneling-chaining-to-a-network-virtual-appliance-supported

    For return On-premise to Azure traffic:

    The GatewaySubnet does not support 0.0.0.0/0 UDRs, but it supports UDRs with other address prefixes.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub

    Hence, you can add a UDR to the VPN GatewaySubnet with the address prefix of your VNet range, next hop type Virtual Appliance and the IP address of your Azure Firewall. This will make sure that any traffic that comes from your on-premises network for your Azure VNet range, when it reaches your VPN gateway, will be forwarded to the firewall for scanning.

    NOTE : Propagate gateway routes should be set to "Enabled" on the GatewaySubnet to ensure availability of the gateway and to propagate your on-premises routes to the network interfaces in the subnet.

    For example: If your VNet address range is 10.0.0.0/16, then you can add a UDR to your VPN GatewaySubnet as below:

    Address prefix: 10.0.0.0/16 --> Next hop type = Virtual Appliance --> Next hop address = IP address of Azure Firewall

    So, the routing from On-prem to Azure will go as below: On-premises --S2S--> VPN gateway --UDR--> Azure firewall --> All subnets.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
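As an added example (not part of the question or the answer above, and not Microsoft's code), the following Python script models Azure's effective-route selection for the design described in the answer: spoke subnets send everything to the Azure Firewall in the hub VNet, the AzureFirewallSubnet sends on-premises prefixes to the VPN gateway in a separate VNet and keeps a 0.0.0.0/0 UDR to Internet, and the GatewaySubnet sends return traffic for the Azure ranges back to the firewall. All addresses (hub 10.0.0.0/16, spoke 10.1.0.0/16, gateway VNet 10.2.0.0/16, on-premises 192.168.0.0/16, firewall private IP 10.0.1.4) are constructed. It goes one step beyond the answer: it also models a spoke route table that still propagates gateway routes, where the more specific on-premises prefix learned from the gateway beats the 0.0.0.0/0 UDR and traffic bypasses the firewall; disabling gateway route propagation on the spoke route table closes that gap.

```python
"""Effective-route walk-through for the hub/spoke + separate VPN-gateway-VNet
design: spokes -> Azure Firewall -> VPN gateway -> on-premises and back.
All addresses are constructed for illustration.
Azure route selection: longest prefix match first; on an equal prefix a
user-defined route (UDR) beats a BGP-learned route, which beats a system route."""
from dataclasses import dataclass
import ipaddress

PRECEDENCE = {"user": 0, "bgp": 1, "system": 2}   # lower wins on equal prefix length
FW_IP = "10.0.1.4"          # assumed private IP of the Azure Firewall (hub VNet)
ONPREM = "192.168.0.0/16"   # assumed on-premises address range


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str      # VirtualAppliance | VirtualNetworkGateway | Internet | VnetLocal | VNetPeering
    next_hop_ip: str = ""   # only used for VirtualAppliance
    source: str = "user"    # user | bgp | system


@dataclass
class Subnet:
    name: str
    cidr: str
    routes: list


def select_route(routes, dst):
    """Longest prefix match; ties broken by source precedence. None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if ip in net:
            key = (net.prefixlen, -PRECEDENCE[r.source])
            if best is None or key > best[0]:
                best = (key, r)
    return best[1] if best else None


def trace(subnets, start, dst):
    """Follow next hops from subnet `start` towards `dst`; returns the list of hops."""
    cur = next(s for s in subnets if s.name == start)
    path = [start]
    for _ in range(8):                                  # guard against routing loops
        r = select_route(cur.routes, dst)
        if r is None:
            return path + ["DROP"]
        if r.next_hop_type == "VirtualAppliance":       # hand the packet to the firewall
            cur = next(s for s in subnets
                       if ipaddress.ip_address(r.next_hop_ip) in ipaddress.ip_network(s.cidr))
            path.append(cur.name)
            continue
        if r.next_hop_type in ("VnetLocal", "VNetPeering"):   # delivered inside Azure
            dest = next((s.name for s in subnets
                         if ipaddress.ip_address(dst) in ipaddress.ip_network(s.cidr)),
                        "unmodelled-subnet")
            return path + [dest]
        return path + [r.next_hop_type]                 # VirtualNetworkGateway or Internet
    return path + ["LOOP"]


def build(spoke_propagates_gateway_routes, fw_internet_override):
    """Route tables for the three subnets of interest, with the two knobs that matter."""
    sys_internet = Route("0.0.0.0/0", "Internet", source="system")
    spoke = [Route("10.1.0.0/16", "VnetLocal", source="system"),
             Route("10.0.0.0/16", "VNetPeering", source="system"), sys_internet,
             Route("0.0.0.0/0", "VirtualAppliance", FW_IP)]            # UDR: everything to the firewall
    if spoke_propagates_gateway_routes:                                # on-prem prefix learned via gateway
        spoke.append(Route(ONPREM, "VirtualNetworkGateway", source="bgp"))
    fw = [Route("10.0.0.0/16", "VnetLocal", source="system"),
          Route("10.1.0.0/16", "VNetPeering", source="system"),
          Route("10.2.0.0/16", "VNetPeering", source="system"), sys_internet,
          Route(ONPREM, "VirtualNetworkGateway"),                        # UDR: on-prem via the VPN gateway
          Route("0.0.0.0/0", "VirtualNetworkGateway", source="bgp")]     # default route advertised from on-prem
    if fw_internet_override:
        fw.append(Route("0.0.0.0/0", "Internet"))                        # UDR that keeps direct Internet
    gw = [Route("10.2.0.0/16", "VnetLocal", source="system"),
          Route("10.0.0.0/16", "VNetPeering", source="system"),
          Route("10.1.0.0/16", "VNetPeering", source="system"),
          Route("10.0.0.0/16", "VirtualAppliance", FW_IP),               # UDRs: return traffic to the firewall
          Route("10.1.0.0/16", "VirtualAppliance", FW_IP)]
    return [Subnet("workload", "10.1.0.0/24", spoke),
            Subnet("AzureFirewallSubnet", "10.0.1.0/26", fw),
            Subnet("GatewaySubnet", "10.2.255.0/27", gw)]


if __name__ == "__main__":
    good = build(spoke_propagates_gateway_routes=False, fw_internet_override=True)
    print(trace(good, "workload", "192.168.10.5"))        # spoke -> firewall -> VPN gateway
    print(trace(good, "GatewaySubnet", "10.1.0.10"))      # VPN gateway -> firewall -> spoke
    print(trace(good, "AzureFirewallSubnet", "8.8.8.8"))  # firewall keeps direct Internet
    bad = build(spoke_propagates_gateway_routes=True, fw_internet_override=False)
    print(trace(bad, "workload", "192.168.10.5"))         # on-prem prefix bypasses the firewall
    print(trace(bad, "AzureFirewallSubnet", "8.8.8.8"))   # firewall forced-tunnelled to on-prem
```

The `bad` case is the one to check for in a real deployment: the 0.0.0.0/0 UDR on a spoke is the least specific route possible, so any on-premises prefix the spoke learns through gateway transit wins on prefix length. In the Azure CLI this is what `az network route-table create --disable-bgp-route-propagation true` is for on the spoke route tables, while the GatewaySubnet's route table must keep propagation enabled, as the answer notes.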
