Azure Firewall

Question

Azure Firewall

Handian Sudianto 6,096

Hello,

I have several Azure VM and when accessing to the internet i can see each VMs connect to different public IP Addr, let say VM-1 connect to the internet using 20.24.49.44 and VM-2 use 20.198.170.98.

Also i have azure firewall with public IP let say 20.20.20.20 and my question is :

Why 2 VMs have different public IP when connecting to the internet, this mean azure have some public ip for azure vm and share the public ip to all azure customer?
Can we make all azure VMs using azure firewall IP address to connect to the internet? So all traffic to the internet will be natted to azure public IP Address?

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Accepted answer

0 additional answers

Your answer

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 1

TP 124.7K Volunteer Moderator

Hi,

Why 2 VMs have different public IP when connecting to the internet, this mean azure have some public ip for azure vm and share the public ip to all azure customer?

A: If you do not explicitly set outbound connectivity then VMs will be assigned a default outbound public IP address. Please see article below for detailed explanation:

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/default-outbound-access

Can we make all azure VMs using azure firewall IP address to connect to the internet? So all traffic to the internet will be natted to azure public IP Address?

A: Yes. Preferred way to do this is to create Azure Firewall with Forced Tunneling enabled and set default route on the subnet with the VMs to send all traffic to the firewall's private IP. Below article discusses Azure Firewall with forced tunneling in more detail:

https://learn.microsoft.com/en-us/azure/firewall/forced-tunneling

Please click Accept Answer if the above was helpful.

Thanks.

-TP

TP 124.7K Reputation points Volunteer Moderator

2023-09-08T05:13:11.5666667+00:00

@Handian Sudianto As I mentioned above, key part of having all outbound Internet traffic from the VMs going through Azure Firewall is to set default route for the VM subnet to send traffic to Firewall's private IP.

In screenshot below, I have a route table with default route set to the Azure Firewall's private IP address of 10.3.1.4 (in your case address would be different). This route would be associated with the VM subnet.

Virtual network traffic routing

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
Handian Sudianto 6,096 Reputation points

2023-09-08T05:59:53.8366667+00:00

Hello,

I can see we have azure firewall and we have route table to firewall but in the subnet i can't see any subnet associated to this route. With this condition this mean the no traffic will be pass thru via firewall, am i right?

Also on reference article about 'Azure Firewall forced tunneling' say

you must create Azure Firewall with Forced Tunnel configuration enabled. This is a mandatory requirement to avoid service disruption. If this is a pre-existing firewall, you must recreate the firewall in Forced Tunnel mode to support this configuration.

How we can check if force tunneling is enabled or not? If force tunneling not enabled on existing firewall this mean we must create another firewall and enable force tunneling on the beginning?
TP 124.7K Reputation points Volunteer Moderator

2023-09-08T06:59:59.7266667+00:00

I can see we have azure firewall and we have route table to firewall but in the subnet i can't see any subnet associated to this route. With this condition this mean the no traffic will be pass thru via firewall, am i right?

A: Correct. Click Associate button and select the subnet where the VMs are located. After making the change, test to see if outbound traffic from the VMs are using the public IP address of the Azure Firewall. If the route is correct and the Firewall allows the traffic the VMs should use the Azure Firewall's public IP address for their outbound connections.

NOTE: At this point if it is working the way you want you could leave it this way. You don't HAVE to set up Azure Firewall to use Forced Tunneling. That's why I said "Preferred" in my original answer to you.

How we can check if force tunneling is enabled or not? If force tunneling not enabled on existing firewall this mean we must create another firewall and enable force tunneling on the beginning?

A: If the Firewall is associated with AzureFirewallManagementSubnet subnet then you know it was set up as forced tunneling. So it would have both AzureFirewallSubnet and AzureFirewallManagementSubnet subnets if you check it with Get-AzFirewall powershell command.

According to the article it says you need to recreate to enable forced tunneling. My thought is if you are okay with downtime you could deallocate, modify the configuration so that it has managementIPConfiguration set to AzureFirewallManagementSubnet subnet and then start the Firewall.

I've never tried switching a Azure Firewall that was originally created without forced tunneling to forced tunneling so I can't say for sure if it would work. If you want Azure Firewall to be in forced tunneling configuration it would probably be quicker/easier for you to recreate.
Handian Sudianto 6,096 Reputation points

2023-09-08T07:05:43.18+00:00

Hi..

Current UDR list only have route to the internet (0.0.0.0/0) , i think when i associate subnet to this UDR will make traffic to on-prem passing thru internet.

Should i make another route to on-prem and set next hop type to Virtual Network Gateway?
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-09-08T13:49:29.5966667+00:00

Hello @Handian Sudianto ,

Can we make all azure VMs using azure firewall IP address to connect to the internet? So all traffic to the internet will be natted to azure public IP Address?

I would like to add some inputs on this question and the answer provided by TP for this question.

@TP mentioned that the preferred way to do this is to create Azure Firewall with Forced Tunneling enabled and set default route on the subnet with the VMs to send all traffic to the firewall's private IP. This is true when you want to force all traffic to your on-premises or another Firewall.

But I believe the ask was different.

As mentioned in the Azure Firewall forced tunneling doc,

When you configure a new Azure Firewall, you can route all Internet-bound traffic to a designated next hop instead of going directly to the Internet. For example, you may have a default route advertised via BGP or using User Defined Route (UDR) to force traffic to an on-premises edge firewall or other network virtual appliance (NVA) to process network traffic before it's passed to the Internet.

Some customers prefer not to expose a public IP address directly to the Internet. In this case, you can deploy Azure Firewall in Forced Tunneling mode without a public IP address. The tenant data path network can be configured without a public IP address, and Internet traffic can be forced tunneled to another Firewall or completely blocked.

So basically, forced tunneling on Azure Firewall is used when you would like to route all traffic to another hop instead of Internet.

Refer: https://learn.microsoft.com/en-us/azure/firewall/forced-tunneling

https://learn.microsoft.com/en-us/azure/firewall/snat-private-range

However, your requirement is to access Internet from VMs using Azure Firewall Public IP.

To simply NAT all Internet traffic from the VMs to Azure Firewall Public IP, you can make use of UDRs and Azure Firewall network rules.

Azure Firewall provides automatic SNAT for all outbound traffic to public IP addresses.

So, you can force all your subnet traffic to Azure Firewall using UDRs with 0.0.0.0/0 route with next hop Azure Firewall IP and then create a network rule within Azure Firewall allowing that traffic to go through. The source should be the subnet/VM from which you want to allow that particular traffic and destination will be all or "*".

Refer: https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal-policy#create-a-default-route

https://learn.microsoft.com/en-us/answers/questions/520278/allow-all-outbound-traffic-through-azure-firewall

Kindly let us know if the above helps or you need further assistance on this issue.

Regards,

Gita
TP 124.7K Reputation points Volunteer Moderator

2023-09-09T04:59:49.03+00:00

@Handian Sudianto Please see my answer to your question below

Current UDR list only have route to the internet (0.0.0.0/0) , i think when i associate subnet to this UDR will make traffic to on-prem passing thru internet.

Should i make another route to on-prem and set next hop type to Virtual Network Gateway?

A: No, traffic for on-prem will not be sent to the Internet. No, you should not need to create another route to on-prem.

The reason is, you have a Virtual Network Gateway configured for Site-to-Site to on-prem 10.0.0.0/8, correct? Because of this, there should already be a route for 10.0.0.0/8 with next hop virtual network gateway. The route to virtual network gateway will still be there and effective after you associate your UDR route for 0.0.0.0/0 to Azure Firewall.

I made screenshot to illustrate. After applying your Default_Route_To_Firewall route table to the subnet, the effective routes on the VM's network interface should be similar to below:

You see that after associating the route table with the subnet, the effective route on the VM still has the virtual network gateway route for 10.0.0.0/8 and it is still Active. In the above example traffic to on-prem 10.0.0.0/8 addresses will still flow through the gateway while Internet traffic will flow to firewall's private IP of 172.16.0.68.

What I recommend you do is test using a different subnet first. For example, create a new subnet in same vnet called "TestSubnet", create a small test vm in this subnet, associate your route table with TestSubnet, Navigate to this test vm in portal -- Networking blade -- click on the network interface -- Help -- Effective routes. Verify that it still shows route to on-prem in addition to the new 0.0.0.0/0 route. Note that when you make a change to associated routes it may take a minute or more for it to take effect.

After verifying the effective routes appear correct, connect to the VM from one of your other VMs using RDP, and verify that you are still able to connect to on-prem resources from the VM.

Once you have success with your test VM you can associate your route table with the subnet for your other VMs and test those as well.

If any of the above is unclear, please add a comment below.

Thanks.
Handian Sudianto 6,096 Reputation points

2023-09-10T23:33:30.0233333+00:00

Hi..

Yes you right, traffic to on-prem not passing thru azure firewall.

Share via

Azure Firewall

0 additional answers

Your answer