Azure routing through a firewall to get to a DB backend Database over a VPN

Julian 0 Reputation points
2024-01-29T15:25:57.28+00:00

I have two Azure VNETs. One is a Management VNET containing a public-facing Application Gateway with an Azure Premium Firewall behind that. The other is a DEV VNET with a subnet containing a private endpoint to an SQL database. I use a VPN Gateway to "dial into" the "Gateway Subnet", but I can't seem to set up the right stuff to allow VPN dial-in users to route to the private SQL database IP via the firewall. I know I need some firewall routes and an NSG or two, but I just can't get it to connect. Any ideas? Thank you.

Info:
-- MGT VNET 10.0.0.0/16 (Firewall Subnet 10.0.0.0/24, GatewaySubnet 10.0.1.0/24, App Gateway Subnet 10.0.2.0/24)
-- Firewall Private IP 10.0.0.4
-- VPN IP Pool 172.16.201.0/24
-- DEV VNET 10.10.0.0/16 (Database Subnet 10.10.30.0/24)
-- SQL Database has a private endpoint to IP 10.10.30.4
-- Peer exists between both VNETs.

1 answer

  1. KapilAnanth-MSFT 35,086 Reputation points Microsoft Employee
    2024-01-30T04:58:38.8433333+00:00

    @Julian

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    To summarize your environment

    • MGT VNET 10.0.0.0/16 is the Hub VNET.
    • This has a VPN Gateway, with the GatewaySubnet being 10.0.1.0/24
    • This also has FirewallSubnet 10.0.0.0/24.
    • This is peered with DEV VNET 10.10.0.0/16 (which becomes Spoke VNET)
    • The DEV VNET has a DatabaseSubnet 10.10.30.0/24 where you have a private endpoint 10.10.30.4

    Now, to route all traffic from OnPrem to Azure and from Azure to OnPrem via the Firewall:

    • First get the Firewall's private IP and let's call it NVA IP.
    • In the Peering between MGT VNET to DEV VNET, Enable "Use this virtual network's gateway or Route Server"
    • In the Peering between DEV VNET to MGT VNET, Enable "Use the remote virtual network's gateway or Route Server"
    • Now create two Route Tables, one to attach on GatewaySubnet and the other to attach on DatabaseSubnet (GatewayRouteTable and DatabaseRouteTable respectively)
    • In the GatewayRouteTable, add a route with address of DatabaseSubnet and next Hop as NVA with NVA IP (Firewall's private IP)
    • In the DatabaseRouteTable, add a route with address of OnPrem and next Hop as NVA with NVA IP (Firewall's private IP)
    • Make sure you create an AllowAll Network Rule in Azure Firewall so that the traffic is allowed to and fro.

    In case this does not work, please check the Azure Firewall logs to see if traffic reached the FW or not.

    Cheers,

    Kapil

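The route-table and firewall-rule bullets of the answer above, written as Bicep; this is an added example, not code from the answer or from Microsoft, and it tightens the last bullet to a rule scoped to the VPN pool and the SQL private endpoint on TCP 1433 rather than AllowAll. The addresses are the ones in the question; the resource names, the `firewallPolicyName` parameter (the policy attached to the Premium firewall) and the peering flags being set in the portal are assumptions, and the two route tables still need to be associated with GatewaySubnet and DatabaseSubnet respectively.

```bicep
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.0.4'    // NVA IP: firewall private IP from the question
param vpnPool string = '172.16.201.0/24'       // VPN client address pool from the question
param databaseSubnet string = '10.10.30.0/24'
param sqlPrivateEndpointIp string = '10.10.30.4'
param firewallPolicyName string                 // assumed: the policy attached to the Premium firewall
// One route table for GatewaySubnet, one for DatabaseSubnet (table and route names are assumptions).
var routeTableDefs = [
  { name: 'GatewayRouteTable', routeName: 'database-via-fw', prefix: databaseSubnet }
  { name: 'DatabaseRouteTable', routeName: 'vpnclients-via-fw', prefix: vpnPool }
]
// Each table sends its destination prefix to the firewall as next hop, so both directions
// of the VPN <-> DatabaseSubnet flow are inspected (asymmetric routing would be dropped).
resource routeTables 'Microsoft.Network/routeTables@2023-05-01' = [for rt in routeTableDefs: {
  name: rt.name
  location: location
  properties: {
    routes: [
      {
        name: rt.routeName
        properties: { addressPrefix: rt.prefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
      }
    ]
  }
}]
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: firewallPolicyName
}
// Network rule narrowed from AllowAll: only the VPN pool may reach the SQL private
// endpoint, and only on TCP 1433; everything else from the VPN stays denied by default.
resource vpnToSql 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: firewallPolicy
  name: 'VpnToDatabase'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-vpn-to-sql'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          { ruleType: 'NetworkRule', name: 'vpn-to-sql-pe', ipProtocols: [ 'TCP' ], sourceAddresses: [ vpnPool ], destinationAddresses: [ sqlPrivateEndpointIp ], destinationPorts: [ '1433' ] }
        ]
      }
    ]
  }
}
```

If connections still fail after deployment, the firewall's network rule log will show whether the VPN pool's packets reached the firewall and which rule (or the default deny) matched them.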