Hello @Charlie B,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you have an S2S VPN connection between Azure and a remote site. You've deployed Azure Firewall in your VNet for traffic filtering and have attached a UDR to the GatewaySubnet which forces the traffic to the firewall, but it is not working.
To force traffic in a VNet via Azure Firewall and route it to on-prem via VPN and vice versa, you would need 2 UDRs as below:
- To route all subnet traffic through the Azure firewall, you can use a User Defined route (UDR) on the subnets that points to the firewall with the Virtual network gateway route propagation option disabled (this prevents learned routes from conflicting with your UDR). If you want to keep Virtual network gateway route propagation enabled, make sure to define specific routes to the firewall to override those that are published from on-premises over BGP.
- Configure a UDR on the VPN gateway subnet that points to the firewall IP address as the next hop to the VNet. No UDR is required on the Azure Firewall subnet, as it learns routes from BGP.
And make sure that this traffic is allowed in the Azure Firewall by configuring specific network rules.
NOTE: Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity.
Refer: https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal-policy
Could you please share your configuration details?
You mentioned "the UDR (attached to the Gateway Subnet) forces the traffic to the firewall".
What about your Azure subnets? Do all the subnets have UDRs for the on-premises destination network with Azure Firewall as the next hop? Are UDRs in place on both sides?
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
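For readers who want to see the routing pieces from the answer above laid out as infrastructure code, here is an added Bicep example. It is not part of the original answer or of Microsoft's tutorial; every name, IP address and address range in it (the firewall private IP, the VNet and on-premises prefixes, the rule names and ports) is an assumption chosen for illustration. It defines the two route tables the answer calls for (workload subnets and GatewaySubnet), the optional AzureFirewallSubnet default-to-Internet route from the NOTE, and one firewall policy network rule so the forwarded traffic is actually permitted.

```bicep
// Added example, not from the Q&A answer. All values below are assumptions.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'        // assumed private IP of the firewall in AzureFirewallSubnet
param vnetAddressSpace string = '10.0.0.0/16'      // assumed VNet range reached from on-prem
param onPremAddressSpace string = '192.168.0.0/16' // assumed on-premises range behind the S2S VPN

// 1) Workload subnets: send everything to the firewall and disable gateway route propagation,
//    so BGP-learned on-prem routes cannot bypass the UDR. If you keep propagation enabled
//    instead, the specific on-prem route below is what overrides the BGP-learned one.
resource workloadRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-workload'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'onprem-via-firewall'
        properties: {
          addressPrefix: onPremAddressSpace
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// 2) GatewaySubnet: traffic arriving from on-prem for the VNet goes to the firewall first.
//    Propagation stays enabled here; the answer only disables it on workload subnets.
resource gatewayRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-gateway'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'vnet-via-firewall'
        properties: {
          addressPrefix: vnetAddressSpace
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// 3) AzureFirewallSubnet: only needed when on-prem advertises 0.0.0.0/0 over BGP;
//    keeps the firewall's own Internet path direct, as the NOTE in the answer describes.
resource firewallRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-firewall'
  location: location
  properties: {
    routes: [
      {
        name: 'default-to-internet'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'Internet'
        }
      }
    ]
  }
}

// 4) Firewall policy network rule: allow only the on-prem -> VNet flow that is needed
//    (here HTTPS, assumed). Without an explicit allow the forwarded traffic is dropped.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-hub'
  location: location
}

resource netRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'DefaultNetworkRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-hybrid'
        priority: 100
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'onprem-to-vnet-https'
            ipProtocols: [
              'TCP'
            ]
            sourceAddresses: [
              onPremAddressSpace
            ]
            destinationAddresses: [
              vnetAddressSpace
            ]
            destinationPorts: [
              '443'
            ]
          }
        ]
      }
    ]
  }
}
```

Associate `rt-workload` with each workload subnet, `rt-gateway` with GatewaySubnet, `rt-firewall` with AzureFirewallSubnet, and attach `fwpol-hub` to the firewall; after deployment, the effective routes of a workload NIC should show the on-prem prefix with next hop type VirtualAppliance rather than VirtualNetworkGateway, which is the quickest check that the UDR is actually winning over the BGP-learned route.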