Azure Firewall - Hub & Spoke Deployment - Forced Tunnelling

Son 316 Reputation points
2023-09-26T07:49:45.5766667+00:00

Hi,

We currently have a hub & spoke deployment in Azure that is connected to our on-premises network using an Express Route connection.

The hub consists purely of an Azure Firewall on a VNET with the ER gateway etc., so it is only for network connectivity; this is also where we land the ER circuits. The spokes are designated as one per business unit and set up with VNET peering and routing so that all traffic between hub and spoke must traverse the Azure Firewall we have deployed.

By design, we implemented forced tunnelling by advertising a default route into this environment using BGP from on-premises over the ER connections. So all internet-bound traffic from the spokes must come back to on-premises and out the door.

My question is, how can I test sending all traffic from a particular subnet directly out of the Azure environment from a spoke, but still using the Azure Firewall for traffic control before sending? Each spoke has a route table assigned to it with all subnets loaded with a next hop of the NVA and its internal IP address, which sends the traffic to the hub. The hub cannot load a subnet from a spoke in a route table; it simply has things like the gwsubnet, fwsubnet and fwmgmt subnet. I am aware I can configure UDRs to direct IP addresses on the net by loading those routes in the AzureFirewallSubnet route table, but how can I direct traffic from a spoke subnet to the hub and then out the Azure Firewall to the internet, and override the default route advertised from BGP into the hub?

Hope that makes sense!

Thanks


Accepted answer
    GitaraniSharma-MSFT 49,461 Reputation points Microsoft Employee
    2023-09-27T07:29:17.28+00:00

    Hello @Son ,

    I understand that you have a hub & spoke deployment in Azure that is connected to your on-premises network using an Express Route connection, and the hub has an Azure Firewall. The spokes are set up with VNET peering and routing so that all traffic between hub and spoke must traverse the Azure Firewall. And you've implemented forced tunnelling by advertising a default route into this environment using BGP from on-premises over the ER connections, so that all internet-bound traffic from the spokes must come back to on-premises and out the door. Now, you would like to know how to send all traffic from a particular subnet directly out of the Azure environment from a spoke, but still using the Azure Firewall for traffic control before sending it to the Internet.

    I'm afraid your requirement is not possible with the existing setup.

    Azure Firewall is a cloud-native and intelligent network firewall security service which provides traffic inspection. It also routes traffic between VNets. It's a managed resource that automatically creates system routes to the local spokes, hub, and the on-premises prefixes learned by its local Virtual Network Gateway, but you cannot create custom routes within the Azure Firewall for traffic routing. The only way to override the system routes is by using User Defined Routes (UDRs).

    So, the only available options for you are as below:

    1. Send all traffic from a particular subnet directly to Internet bypassing the Firewall using a UDR.

    For this, you need to associate a route table to this particular subnet with destination 0.0.0.0/0 and next hop as Internet.

    Refer: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-faqs#do-virtual-networks-connected-to-expressroute-circuits-have-internet-connectivity

    2. Send all traffic from all subnets to Internet via Azure Firewall by using a UDR on the Firewall subnet.

    For this, you need to associate a route table to the Azure Firewall subnet with destination 0.0.0.0/0 and next hop as Internet.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#is-forced-tunneling-chaining-to-a-network-virtual-appliance-supported

    3. Deploy another Azure Firewall in the spoke VNet and add a UDR to the required subnets to route all traffic to that Azure Firewall, and add another UDR to that Azure Firewall subnet to route all traffic to Internet directly.

    For this setup,

    • You need to deploy another Azure Firewall (say Azure Firewall 2) in the spoke VNet.
    • Then associate a route table to the particular subnet with destination 0.0.0.0/0 and next hop as Azure Firewall 2.
    • Associate another route table to the Azure Firewall 2 subnet with destination 0.0.0.0/0 and next hop as Internet.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

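Option 2 from the accepted answer, written out as Bicep so the two route tables involved (spoke subnet towards the firewall, AzureFirewallSubnet towards the Internet) can be seen side by side. This is an added example, not code from the thread or from Microsoft; the VNet name, subnet prefix and firewall private IP are assumed placeholders.

```bicep
// Added example, not from the thread: option 2 as Bicep. All names and prefixes are assumed placeholders.
param location string = resourceGroup().location
param hubVnetName string = 'hub-vnet'                // assumed
param fwSubnetPrefix string = '10.0.1.0/26'          // assumed; must match the existing AzureFirewallSubnet
param firewallPrivateIp string = '10.0.1.4'          // assumed private IP of the hub Azure Firewall

// AzureFirewallSubnet: a UDR for 0.0.0.0/0 wins over the BGP-learned default for the same
// prefix, so the firewall egresses directly. Propagation stays on so on-premises prefixes
// learned over ExpressRoute remain in the firewall's route table.
resource fwRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-azurefirewallsubnet'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'default-to-internet'
        properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'Internet' }
      }
    ]
  }
}

// Bicep has no association-only resource: the existing subnet is re-declared with its
// current prefix plus the route table reference.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: hubVnetName }
resource fwSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: hubVnet
  name: 'AzureFirewallSubnet'
  properties: { addressPrefix: fwSubnetPrefix, routeTable: { id: fwRouteTable.id } }
}

// Spoke side (the asker already has the equivalent): send the default route to the
// firewall's private IP and keep the on-premises BGP default out of the spoke, so
// Internet-bound traffic is inspected by the firewall before it leaves Azure.
resource spokeRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-to-firewall'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
      }
    ]
  }
}
```

Before deploying, confirm the effective routes on a spoke NIC and on the firewall afterwards: the spoke should show 0.0.0.0/0 via VirtualAppliance and the firewall subnet should show 0.0.0.0/0 via Internet, with the on-premises prefixes still present on the firewall side.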
