How to fix this firewall routing configuration through ExpressRoute

Ramamoorthy, Gajapriya 0 Reputation points

We have configured ExpressRoute to on-prem and it is working fine without the firewall. We checked an IP address provided by the provider and were able to establish a connection from cloud to on-prem. Once Azure Firewall was implemented, we started having trouble connecting cloud to on-prem.

While tracing the route we found that the network connection is not going forward from the firewall, so we would like to request support on route table configuration.

This is the set-up. We are requesting routing from Azure to on-prem, which will go as below:

workload (spoke) --> Azure firewall (hub) --> ExpressRoute gateway --> On-premises.


1 answer

  1. GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee

    Hello @Ramamoorthy, Gajapriya ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to implement ExpressRoute connectivity between Azure and your on-premises in a way that all your spoke traffic should go via an Azure Firewall deployed in the Hub Vnet.

    For Azure to On-premises traffic:

    Advertise a default route of via BGP from your on-premises to Azure, so that all your Azure traffic is sent to your on-premises via the ExpressRoute.

    To filter all the traffic going out of Azure by the firewall, you can add a UDR with on all the subnets (except the Firewall subnet) with next hop as your Azure Firewall.

    This setup will take care of the routing from Azure to on-prem which will go as below:

    All subnets --> Azure firewall --> ExpressRoute gateway --> On-premises.

    When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm. If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:

    User-defined route > BGP route > System route

    User-defined routes are higher priority than BGP & default routes.


    NOTE: Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a UDR with the NextHopType value set as Internet to maintain direct Internet connectivity or stop advertising the default route from on-prem. Post this you can filter the outbound traffic within the Azure Firewall according to your needs by configuring network rules.

    Spoke Vnet and Hub Vnet should be peered with the gateway transit option and User Defined route (UDR) should be configured on all subnets of the Spoke Vnet that points to the firewall with the Virtual network gateway route propagation setting disabled. This setting prevents learned routes from conflicting with your UDR.


    For return On-premises to Azure traffic:

    The GatewaySubnet does not support UDRs but it supports UDRs with other address prefixes.


    Hence, you can add a UDR to the ExpressRoute GatewaySubnet with the address prefix of your Vnet range, next hop type Virtual Appliance and the IP address of your Azure Firewall. This will make sure that any traffic that comes from your on-premises for your Azure Vnet range, when it reaches your ExpressRoute gateway, will be forwarded to the firewall for scanning.

    NOTE: Propagate gateway routes should be set to "Enabled" on the GatewaySubnet to ensure availability of the gateway and to propagate your on-premises routes to the network interfaces in the subnet.

    For example: If your Vnet address range is then you can add a UDR to your ExpressRoute GatewaySubnet as below:

    Address prefix: --> Next hop = Virtual Appliance --> Next hop = IP address of Azure Firewall

    So, the routing from On-prem to Azure will go as below:

    On-premises --> ExpressRoute gateway --> Azure firewall --> All subnets.

    For an end-to-end tutorial, please refer to the doc below:

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

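The answer above describes Azure's route selection (longest prefix match, then User-defined > BGP > System on equal prefixes) and three subnet configurations that depend on it. The script below is an added example, not code from the question, the answer or Microsoft: it models that selection rule with the standard library only and checks the hub-and-spoke design offline, including the two failure modes the answer warns about (a spoke subnet that still propagates gateway routes, so the BGP-learned on-prem prefix beats the 0.0.0.0/0 UDR and bypasses the firewall; and an AzureFirewallSubnet without an Internet UDR, so the BGP default route hairpins firewall Internet traffic through on-prem). All address ranges, the firewall private IP 10.0.1.4 and the subnet names are assumptions chosen for the illustration; the GatewaySubnet UDR covers the spoke range, which is what the return path in the answer needs.

```python
"""Offline model of Azure effective-route selection for spoke -> Azure Firewall -> ExpressRoute -> on-prem.
Added example; addresses and names are constructed, not taken from the thread."""
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Tie-break order on equal prefix length, as stated in the answer: UDR > BGP > System.
PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str            # VirtualNetwork, VNetPeering, VirtualNetworkGateway, VirtualAppliance, Internet
    source: str                   # User (UDR), VirtualNetworkGateway (BGP-learned), Default (system route)
    next_hop_ip: Optional[str] = None


@dataclass
class Subnet:
    name: str
    system_routes: List[Route]
    udrs: List[Route] = field(default_factory=list)
    propagate_gateway_routes: bool = True   # the route table's "Propagate gateway routes" setting


def effective_routes(subnet: Subnet, bgp_routes: List[Route]) -> List[Route]:
    """System routes plus UDRs, plus BGP-learned routes only when propagation is enabled."""
    routes = list(subnet.system_routes) + list(subnet.udrs)
    if subnet.propagate_gateway_routes:
        routes += bgp_routes
    return routes


def next_hop(subnet: Subnet, bgp_routes: List[Route], dest: str) -> Tuple[str, Optional[str]]:
    """Longest prefix match; on a tie, the higher-priority source (lower PRIORITY value) wins."""
    addr = ip_address(dest)
    candidates = [r for r in effective_routes(subnet, bgp_routes) if addr in ip_network(r.prefix)]
    best = max(candidates, key=lambda r: (ip_network(r.prefix).prefixlen, -PRIORITY[r.source]))
    return best.next_hop_type, best.next_hop_ip


# Constructed topology (assumed values).
HUB_VNET, SPOKE_VNET, ONPREM = "10.0.0.0/16", "10.1.0.0/16", "192.168.0.0/16"
FIREWALL_IP = "10.0.1.4"
INTERNET_DEFAULT = Route("0.0.0.0/0", "Internet", "Default")

# What the ExpressRoute gateway learns from on-prem over BGP: the on-prem range and a default route.
BGP = [
    Route(ONPREM, "VirtualNetworkGateway", "VirtualNetworkGateway"),
    Route("0.0.0.0/0", "VirtualNetworkGateway", "VirtualNetworkGateway"),
]

hub_system = [Route(HUB_VNET, "VirtualNetwork", "Default"), Route(SPOKE_VNET, "VNetPeering", "Default"), INTERNET_DEFAULT]
spoke_system = [Route(SPOKE_VNET, "VirtualNetwork", "Default"), Route(HUB_VNET, "VNetPeering", "Default"), INTERNET_DEFAULT]

# Spoke workload subnet: 0.0.0.0/0 -> firewall, gateway route propagation disabled.
workload = Subnet("spoke/workload", spoke_system,
                  udrs=[Route("0.0.0.0/0", "VirtualAppliance", "User", FIREWALL_IP)],
                  propagate_gateway_routes=False)

# AzureFirewallSubnet: keeps direct Internet via a UDR that overrides the BGP default route.
firewall_subnet = Subnet("hub/AzureFirewallSubnet", hub_system,
                         udrs=[Route("0.0.0.0/0", "Internet", "User")])

# GatewaySubnet: return traffic for the spoke range is handed to the firewall; propagation stays enabled.
gateway_subnet = Subnet("hub/GatewaySubnet", hub_system,
                        udrs=[Route(SPOKE_VNET, "VirtualAppliance", "User", FIREWALL_IP)])

# The two misconfigurations the answer warns about.
leaky_workload = replace(workload, propagate_gateway_routes=True)   # BGP /16 to on-prem beats the /0 UDR
firewall_no_udr = replace(firewall_subnet, udrs=[])                 # BGP default beats the system Internet route


def design_checks() -> dict:
    """Expected paths for the working design and the two broken variants."""
    return {
        "spoke_to_onprem": next_hop(workload, BGP, "192.168.10.5"),        # -> firewall
        "spoke_to_internet": next_hop(workload, BGP, "8.8.8.8"),           # -> firewall
        "spoke_local": next_hop(workload, BGP, "10.1.2.3"),                # stays in the VNet
        "firewall_to_onprem": next_hop(firewall_subnet, BGP, "192.168.10.5"),  # -> ExpressRoute gateway
        "firewall_to_internet": next_hop(firewall_subnet, BGP, "8.8.8.8"),     # -> Internet, not on-prem
        "return_to_spoke": next_hop(gateway_subnet, BGP, "10.1.2.3"),      # -> firewall
        "leaky_spoke_to_onprem": next_hop(leaky_workload, BGP, "192.168.10.5"),  # bypasses the firewall
        "firewall_hairpin": next_hop(firewall_no_udr, BGP, "8.8.8.8"),     # Internet traffic sent on-prem
    }


if __name__ == "__main__":
    for name, hop in design_checks().items():
        print(f"{name:24s} -> {hop}")
```

Run it and compare the last two lines with the first six: the only difference between the leaky spoke and the working one is the propagation flag, and the only difference between the hairpinned firewall subnet and the working one is the single Internet UDR, which is exactly what `az network nic show-effective-route-table` would show you on a live NIC.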