Virtual WAN Internet traffic Routing via third party NVA

Amol Admin account 11 Reputation points

Our goal is to route all vnet-vnet, onprem-vnet traffic via Azure Firewall. Any outbound and inbound internet traffic in Azure should pass through Palo Alto. We are trying to set up the routing, but it's not working.

PFA the entire architecture. We are successfully able to pass vnet-vnet traffic to Azure Firewall, and internet traffic is being sent to the NVA, but we are not seeing traffic coming back.

[Image: Internet routing via NVA1]


2 answers

  1. ChaitanyaNaykodi-MSFT 23,731 Reputation points Microsoft Employee

    @Amol Admin account

    Thank you for getting back.

    I am summarizing the discussion above before providing the answer to your follow-up question.

    In order to resolve the routing of internet traffic via the NVA, you peered the VNets with the VNet containing the NVA, and traffic flow was established as shown here.

    Regarding your follow-up question above

    All routes learned from Site to Site VPN are directly injected into Connections. So next hop for remote site subnets, is being sent to hub IP and not to azure firewall. If we route it to Azure firewall by adding a custom route for remote sites subnet to Azure FW, traffic is broken.

    The reason for this might be as documented here in this scenario. As the VNet and branch connections are associated and propagating to the default route table. Although the hubs are secured (there is an Azure Firewall deployed in the hub), they aren't configured to secure private or Internet traffic. Doing so would result in all connections propagating to the None route table, which would remove all non-static routes from the Default route table and defeat the purpose of this article since the effective route blade in the portal would be almost empty (except for the static routes to send traffic to the Azure Firewall).

    how to make sure that routes learned from VPN in virtual hub are not directly passed to Vnets? Or how to transfer them to azure firewall?

    I think the solution here would be to implement a scenario described here where you can use a route table to use Azure Firewall for VNet-to-Internet/Branch and Branch-to-VNet traffic flows. Where the route table associated with the Virtual Networks is configured in this way.

    User's image

    Then create a route to activate VNet-to-Internet and VNet-to-Branch, with the next hop pointing to Azure Firewall. I think this will be the rt-01 route table in your case above.

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

  2. Amol Admin account 11 Reputation points

    Configuring the Routing Intent was like selecting a fully automatic air conditioner in a car. You cannot customize anything. This was not fulfilling our design expectations, so we finally went with a solution where we didn't install Azure FW in the Virtual Hubs. We placed the AZ FW in a dedicated VNet outside the VHub and made it the hub for the other VNets. This way we were able to achieve the goal of sending traffic via both the internal and perimeter firewalls.
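
The route-table approach in the first answer can be checked with a small audit over a route table's effective routes. This is an added example, not code from the thread or from Microsoft. The prefixes, connection names and the simplified selection rule (longest prefix wins, static preferred on a tie) are assumptions for illustration.

```python
import ipaddress

# Constructed sample: effective routes of the route table associated with the
# VNet connections. All prefixes and next-hop names are made up.
EFFECTIVE_ROUTES = [
    {"prefix": "0.0.0.0/0", "next_hop": "AzureFirewall", "origin": "static"},
    {"prefix": "10.1.0.0/16", "next_hop": "vnet-conn-spoke1", "origin": "propagated"},
    {"prefix": "192.168.10.0/24", "next_hop": "vpn-gateway", "origin": "propagated"},
]

# (flow name, sample destination, must the firewall inspect it?)
FLOWS = [
    ("vnet-to-internet", "203.0.113.10", True),
    ("vnet-to-branch", "192.168.10.25", True),
    ("vnet-to-vnet", "10.1.4.4", False),
]

def select_route(routes, destination):
    """Assumed selection model: longest matching prefix wins; on a tie a
    static route is preferred over a propagated one."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen,
                                       r["origin"] == "static"))

def audit(routes, flows, firewall="AzureFirewall"):
    """Return flows that must be inspected but whose next hop is not the firewall."""
    bypass = []
    for name, dest, must_inspect in flows:
        route = select_route(routes, dest)
        hop = route["next_hop"] if route else None
        if must_inspect and hop != firewall:
            bypass.append((name, dest, hop))
    return bypass

# Same table when branch (VPN) connections do not propagate into it:
# only the static default route is left to match branch destinations.
WITHOUT_BRANCH_PROPAGATION = [r for r in EFFECTIVE_ROUTES
                              if r["next_hop"] != "vpn-gateway"]

if __name__ == "__main__":
    print("bypassing firewall:", audit(EFFECTIVE_ROUTES, FLOWS))
    print("after removing branch propagation:",
          audit(WITHOUT_BRANCH_PROPAGATION, FLOWS))
```

The first audit flags the branch flow: the propagated /24 is more specific than the static default route, so the firewall never sees that traffic.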