Hell All. We have a hub and spoke set up within Azure, within our hub resides our azure firewall and a express route gateway. The hub has 2 spoke vnets peered, each subnet within the peered vnet, has a UDR with a entry 0.0.0.0/0 pointing to the private ip address of our azure firewall. For some reason, we are not seeing any internet bound traffic hit our firewall. Upon further investigation, we found the following: azure firewall configured with forced tunnelling from on-prem there is a bgp route which has been advertised for 0.0.0.0/8, which i assume directs internet bound traffic to an on-prem firewall. So my question, which i need assistance with is, can we over-ride the advertised route of 0.0.0.0/8 somehow and force internet traffic to go via the azure firewall instead? Was thinking to create a route table and associate it to the AzureFirewallSubnet, which has a route of 0.0.0.0/1, which has a next hop as Internet. I am not sure, if this would do anything, but any suggestions would be helpful.

@jitesh k Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I understand that you would like to route all internet bound traffic via Azure Firewall. Observation: I see OnPrem is advertising a route 0.0.0.0/8 to Azure. Azure Firewall is configured in Forced Tunneling mode Analysis: 1.We must first understand how Azure routes traffic : When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm (This is the deciding factor) If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority: User-defined route BGP route System route Now, you have your OnPrem advertising 0.0.0.0/8 to Azure. So, adding a 0.0.0.0/1 Route to Route Tables will not be sufficient. (as 0.0.0.0/8 has a longest prefix match) Instead, you must have both, 0.0.0.0/8 (to override onPrem BGP Route) and 0.0.0.0/0 (for any unmatched routes) 2.Send Traffic from Azure Firewall to Internet Even if the Azure Firewall is created with support for Forced Tunneling, you do not have to add a Route Table here at all. The default behavior will provide outbound connectivity to Internet just like a regular firewall. Hope this helps. Cheers, Kapil

Internet Routing via Azure Firewall

jitesh k 0

Hell All.

We have a hub and spoke set up within Azure, within our hub resides our azure firewall and a express route gateway.

The hub has 2 spoke vnets peered, each subnet within the peered vnet, has a UDR with a entry 0.0.0.0/0 pointing to the private ip address of our azure firewall.

For some reason, we are not seeing any internet bound traffic hit our firewall.

Upon further investigation, we found the following:

azure firewall configured with forced tunnelling
from on-prem there is a bgp route which has been advertised for 0.0.0.0/8, which i assume directs internet bound traffic to an on-prem firewall.

So my question, which i need assistance with is, can we over-ride the advertised route of 0.0.0.0/8 somehow and force internet traffic to go via the azure firewall instead?

Was thinking to create a route table and associate it to the AzureFirewallSubnet, which has a route of 0.0.0.0/1, which has a next hop as Internet.

I am not sure, if this would do anything, but any suggestions would be helpful.

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-09-05T05:54:53.59+00:00

@jitesh k

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-09-06T09:02:13.46+00:00

@jitesh k

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-09-11T10:18:16.4833333+00:00

@jitesh k

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil

1 answer

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-09-01T07:48:44.4133333+00:00
@jitesh k

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to route all internet bound traffic via Azure Firewall.

Observation:

I see OnPrem is advertising a route 0.0.0.0/8 to Azure.

Azure Firewall is configured in Forced Tunneling mode

Analysis:

1.We must first understand how Azure routes traffic :

When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm (This is the deciding factor)

If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:

User-defined route

BGP route

System route

Now, you have your OnPrem advertising 0.0.0.0/8 to Azure.

So, adding a 0.0.0.0/1 Route to Route Tables will not be sufficient. (as 0.0.0.0/8 has a longest prefix match)

Instead, you must have both, 0.0.0.0/8 (to override onPrem BGP Route) and 0.0.0.0/0 (for any unmatched routes)

2.Send Traffic from Azure Firewall to Internet

Even if the Azure Firewall is created with support for Forced Tunneling, you do not have to add a Route Table here at all.

The default behavior will provide outbound connectivity to Internet just like a regular firewall.

Hope this helps.

Cheers,

Kapil
Please sign in to rate this answer.
jitesh k 0 Reputation points

2023-09-01T07:54:11.2066667+00:00

Thank you Kapil, i will try adding those routes to the route table for the subnets within our spokes.

I will provide an update, once this has been done, thank you once again for your help.

Just to clarify, the next hop, i keep as my firewalls private ip address right?

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-09-01T07:58:02.5633333+00:00

@jitesh k

You are welcome.

Wrt, "the next hop, i keep as my firewalls private ip address right?"

Yes

This is correct.

This should be the configuration for subnets of the VMs

Cheers,

Kapil

jitesh k 0 Reputation points

2023-09-01T08:17:39.15+00:00

Kapil

Just wanted to clearly understand Azure Route Selection.

Outbound route selection is based on longest prefix, if you have udr for 10.0.0.0/16 but there is a bgp advertised route for 10.0.0.0/24, therefore azure would route traffic using 10.0.0.0/24 is that correct?

Also, is there a way to find out, which routes are advertised via BGP to Azure? that way we can see if multiple routes are being advertised with the same address prefix??

jitesh k 0 Reputation points

2023-09-01T08:34:39.5266667+00:00

Just to advise i have added 2 routes to the route table as mentioned, but still traffic is not going to the internet via azure firewall.

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-09-01T08:59:32.77+00:00

@jitesh k,

Outbound route selection is based on longest prefix, if you have udr for 10.0.0.0/16 but there is a bgp advertised route for 10.0.0.0/24, therefore azure would route traffic using 10.0.0.0/24 is that correct?

Yes

10.0.0.0/24 is the longest matched prefix

Routes are advertised via BGP to Azure:

From a VM perspective,

You can check NIC Effective routes of the VM

https://learn.microsoft.com/en-us/azure/virtual-network/diagnose-network-routing-problem#diagnose-using-azure-portal

This will give us all the system, user-defined and BGP routes.

From VPN gateway,

Learned Routes : https://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-diagnostics#learned-routes

Advertised routes : https://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-diagnostics#advertised-routes

All BGP peers to that VPN Gateway : https://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-diagnostics#bgp-peers

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-09-01T09:04:42.61+00:00

@jitesh k,

Can you share the NIC Effective routes of a VM in one of the Spoke subnets please?

You can use the link shared above.

Also, I think I found the problem.

Since Azure Firewall - also learns the route from the OnPrem VPN Device, I believe it is routing the traffic to OnPrem

In this case, what you can do is,

Attach a Route Table to the AzFw subnet

And instead of adding routes, disable "Propagate gateway routes" in the route table associated.

https://learn.microsoft.com/en-us/azure/virtual-network/manage-route-table#create-a-route-table

If you plan to associate the route table to a subnet in a virtual network that's connected to your on-premises network through a VPN gateway, and you don't want to propagate your on-premises routes to the network interfaces in the subnet, set Virtual network gateway route propagation to Disabled.

NOTE : This will work only if you don't want to inspect traffic from Azure to OnPrem and vice versa.

In case you want use Azure Firewall for inspecting traffic from Azure and OnPrem as well,

Then you should follow your initial set up.

Of adding a route and pointing the next hop to internet in the AzFW Route table.

Also, in this configuration, "Propagate gateway routes" should be enabled so AzFW can send OnPrem traffic to the VPN Gateway

Let me know if this works

Cheers,

Kapil

jitesh k 0 Reputation points

2023-09-01T10:36:07.8166667+00:00

Hi Kapil

Could you please clarify these 2 points:

if i create a route table on the AzureFirewallSubnet, what routes do i need to add to the route table??

Of adding a route and pointing the next hop to internet in the AzFW Route table. (not sure what to add)

My Spoke vNet has a UDR, which states 0.0.0.0/0 should go to the internet

We basically want all azure to on-prem traffic to go via azure firewall

Any traffic coming from on-prem via the azure express route gateway should also go via azure firewall to azure spokes.

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-09-01T11:20:36.1666667+00:00

@jitesh k,

Wrt, "We basically want all azure to on-prem traffic to go via azure firewall"

I am afraid this wasn't specified earlier.

Can you confirm is your current set up routes OnPrem <-----> Azure traffic via Azure Firewall.

This requires additional configuration and is quite complex

In your case, you want two cases,

OnPrem <-----> Azure routes should go via Azure Firewall

Internet traffic from Azure to go to Azure Firewall directly

These two are separate considerations and must be worked individually.

Case1: OnPrem <-----> Azure is divided into two:

a. Azure -----> OnPrem traffic should go via Azure Firewall:

You must override all the routes learned via BGP using UDRs if there are multiple routes advertised.

And add point them to the Azure Firewall IP
OR

You must disable "Propagate gateway routes" to the UDR associated to the subnets of the VM

And add "0.0.0.0/0" ----> Azure Firewall IP

This way, every traffic from Azure (i.e, both OnPrem and Azure) goes to Azure Firewall

b. OnPrem -----> Azure traffic should go via Azure Firewall:

GatewaySubnet do not support 0.0.0.0/0 UDRs but it supports UDRs with other address prefixes.

Hence, you can add a UDR to the ExpressRoute GatewaySubnet with the address prefix of your Vnet range with next hop type Virtual Appliance and IP address of your Azure firewall.

This will make sure that any traffic that comes from your on-premises for your Azure Vnet range, when reaches your ExpressRoute gateway will be forwarded to the firewall for scanning.

NOTE : Propagate gateway routes should be set to "Enabled" on the GatewaySubnet to ensure availability of the gateway and to propagate your on-premises routes to the network interfaces in the subnet.

So the routing from On-prem to Azure will go as below:
On-premises --> ExpressRoute gateway --> Azure firewall --> All subnets.

Case2 : Internet traffic from Azure to go to Azure Firewall directly

You must stop advertising default route (0.0.0.0/0) or a wide range such as 0.0.0.0/8 to Azure via BGP

Instead only advertise your OnPrem ranges to Azure.

This way Azure firewall sends

OnPrem range to the Gateway

Internet range to Internet

Hope this helps.

Cheers,

Kapil

jitesh k 0 Reputation points

2023-09-01T12:09:56.1266667+00:00

Hi Kapil

Sorry if there was some confusion Let me clarify our setup, we have a hub and spoke network toplogy, where spokes are connected to the hub using vnet peering. Hub Contains Azure FW & Azure Express Route Gateway On the Express Route Gateway Subnet we have a Route Table which contains a route, that points traffic sent from on-prem to subnets within azure, traffic should go via the azure fw, Express Route Gateway Subnet route table we have Gateway Propagation Enabled and following route added eg. Desintation 10.30.0.0/24 (azure spoke subnet) Next Hop Virtual Appliance IP 10.10.0.4 (azure firewall private ip address) Spoke 1 On the Spoke we have a vnet which contains several subnets, that have their own route table associated to them, which sends all traffic for on-prem subnets via our azure firewall. eg. destination 172.16.0.0/24 (on-prem ip range) next hop virtual appliance 10.10.0.4 (azure firewall private ip address) --destination 0.0.0.0/0 next hop virtual appliance 10.10.0.4 (azure firewall private ip address) When traffic is sent from the spoke subnet to the internet, instead of going via the azure firewall, its going on-prem, we discovered this was due to a route 0.0.0.0/8 being advertised from on-prem via BGP. What we want to do, is override this route of 0.0.0.0/8, so that any traffic from our spoke subnets goes out to the internet via our azure firewall public ip address. We cannot understand why the azure firewall is not using our udr to send traffic out and why it is using the BGP advertised route instead. As per your last comment, is the only way to stop this from happening, is to stop BGP advertising 0.0.0.0/8 ??? is there no other option Since i thought traffic sent from a subnet which has a udr, it would take precedence when routing traffic in azure. Hope this clarifies things.

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-09-01T12:36:25.44+00:00

Thanks for the detailed analysis and break down of your environment.

To answer your question, "Why Firewall is not using the UDR"

I think this is because Internet traffic from VM is not going to Azure Firewall to begin with.

Consider this, a subnet has 0.0.0.0-----> NVA route as UDR

However, 0.0.0.0/8 ----> OnPrem is learned via BGP routes

Your statement "i thought traffic sent from a subnet which has a udr, it would take precedence when routing traffic in azure." is partially correct

Precedence is given to longest prefix match (0.0.0.0/8)

In case of a tie , then UDR > BGP

So, BGP route takes precedence because of longest prefix match

From an Azure VM in spoke,

Can you share the NIC Effective Routes?

You will notice 0.0.0.0/8 ---> OnPrem

So, add a 0.0.0.0/8 ---> NVA in the subnet

This will make sure internet traffic goes to AzFW

And since you already have a UDR 0.0.0.0/8 ---> Internet in the AzFW Route table, this will override the BGP and send the traffic to Internet.

Let me know how this goes

Cheers,

Kapil
Sign in to comment