Hello @Son,
I understand that you have a hub & spoke deployment in Azure that is connected to your on-premises network using an ExpressRoute connection and the hub has an Azure Firewall. The spokes are set up with VNet peering and routing so that all traffic between hub and spoke must traverse the Azure Firewall. And you've implemented forced tunnelling by advertising a default route into this environment using BGP from on-premises over the ER connections, so that all internet-bound traffic from the spokes must come back to the on-premises network and out the door. Now, you would like to know how to send all traffic from a particular subnet in a spoke directly out of the Azure environment, but still using the Azure Firewall for traffic control before sending it to the Internet.
I'm afraid your requirement is not possible with the existing setup.
Azure Firewall is a cloud-native and intelligent network firewall security service which provides traffic inspection. It also routes traffic between VNets. It's a managed resource that automatically creates system routes to the local spokes, hub, and the on-premises prefixes learned by its local Virtual Network Gateway, but you cannot create custom routes within the Azure Firewall for traffic routing. The only way to override the system routes is by using User Defined Routes (UDRs).
So, the only available options for you are as below:
- Send all traffic from a particular subnet directly to the Internet, bypassing the Firewall, using a UDR.
  For this, you need to associate a route table to this particular subnet with destination 0.0.0.0/0 and next hop as Internet.
- Send all traffic from all subnets to the Internet via Azure Firewall by using a UDR on the Firewall subnet.
  For this, you need to associate a route table to the Azure Firewall subnet with destination 0.0.0.0/0 and next hop as Internet.
- Deploy another Azure Firewall in the spoke VNet, add a UDR to the required subnets to route all traffic to that Azure Firewall, and add another UDR to that Azure Firewall subnet to route all traffic to the Internet directly.
  For this setup:
  - You need to deploy another Azure Firewall (say Azure Firewall 2) in the spoke VNet.
  - Then associate a route table to the particular subnet with destination 0.0.0.0/0 and next hop as Azure Firewall 2.
  - Associate another route table to the Azure Firewall 2 subnet with destination 0.0.0.0/0 and next hop as Internet.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
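As an added illustration (not part of the answer above, and not Microsoft-provided code), the third option's two route tables expressed as a Bicep template. The VNet name, subnet names, address prefixes and the private IP of "Azure Firewall 2" are assumed placeholder values; the firewall itself is assumed to already exist in the spoke's `AzureFirewallSubnet`. BGP route propagation is left enabled on both tables: a UDR for 0.0.0.0/0 takes precedence over the BGP-learned default route of the same prefix length, while the more specific on-premises prefixes learned over ExpressRoute still win by longest-prefix match, so on-premises-bound traffic is not accidentally sent to the Internet.

```bicep
// Added example: route tables for "option 3" (spoke firewall + direct Internet egress).
// All names, prefixes and the firewall IP below are assumed placeholders, not from the answer.
param location string = resourceGroup().location
param spokeVnetName string = 'spoke-vnet'                    // assumed
param workloadSubnetName string = 'workload-subnet'           // assumed: the subnet that should egress directly
param workloadSubnetPrefix string = '10.1.1.0/24'             // assumed
param firewallSubnetPrefix string = '10.1.255.0/26'           // assumed; AzureFirewallSubnet needs at least /26
param spokeFirewallPrivateIp string = '10.1.255.4'            // assumed private IP of "Azure Firewall 2"

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: spokeVnetName
}

// UDR 1: workload subnet -> 0.0.0.0/0 -> Azure Firewall 2 (overrides the BGP-advertised default).
resource rtWorkload 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-workload-via-spoke-firewall'
  location: location
  properties: {
    disableBgpRoutePropagation: false   // keep on-premises prefixes learned via ExpressRoute
    routes: [
      {
        name: 'default-via-azure-firewall-2'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: spokeFirewallPrivateIp
        }
      }
    ]
  }
}

// UDR 2: AzureFirewallSubnet -> 0.0.0.0/0 -> Internet (the firewall egresses directly, not via on-premises).
resource rtFirewall 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-azurefirewallsubnet-to-internet'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'default-to-internet'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'Internet'
        }
      }
    ]
  }
}

// Associate the tables with their subnets. Redeclaring a subnet requires its full address prefix.
resource workloadSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: spokeVnet
  name: workloadSubnetName
  properties: {
    addressPrefix: workloadSubnetPrefix
    routeTable: { id: rtWorkload.id }
  }
}

resource firewallSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: spokeVnet
  name: 'AzureFirewallSubnet'   // fixed name required by Azure Firewall
  properties: {
    addressPrefix: firewallSubnetPrefix
    routeTable: { id: rtFirewall.id }
  }
}
```

After deployment, the effective routes of a NIC in the workload subnet (for example via `az network nic show-effective-route-table`) should list 0.0.0.0/0 with source `User` and next hop `VirtualAppliance`, which confirms that the UDR is taking precedence over the BGP default from on-premises.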