Change Azure Firewall from Force Tunneling to use the Azure FW for Internet traffic

Ghulam Abbas 151 Reputation points
2024-03-14T10:29:28.19+00:00

Hi, we have recently migrated most of our workload from on-prem to Azure and we currently have S2S VPN connections between 2 of our on-prem sites and Azure. For phase 1, we used the FW in forced tunneling mode to force all Internet traffic to our on-prem FW to go out to the Internet. We currently have route tables to route this traffic to the next hop as Azure FW > virtual network gateway > on-prem FW.

Now, as part of phase 2, we need to use the Azure native Firewall for all our outbound Internet traffic. I would like to know some options on how we can change our existing forced tunneling so that outbound Internet traffic for all our workloads in Azure goes directly via the Azure FW. We have checked the MS documentation (https://learn.microsoft.com/en-us/azure/firewall/forced-tunneling) and in summary it says:

"Once you configure Azure Firewall to support forced tunneling, you can't undo the configuration. If you remove all other IP configurations on your firewall, the management IP configuration is removed as well, and the firewall is deallocated. The public IP address assigned to the management IP configuration can't be removed, but you can assign a different public IP address"

We would appreciate some thoughts / suggestions on how to achieve this without breaking anything in our Azure environment. Many thanks


1 answer
  1. GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
    2024-03-14T12:22:35.4933333+00:00

    Hello @Ghulam Abbas ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to change your existing setup with Azure Firewall from Force Tunneling to use the Azure Firewall for Internet traffic.

    As you mentioned, and as confirmed in the Azure Firewall documentation, the following limitation applies to the Azure Firewall forced tunneling mode:

    Once you configure Azure Firewall to support forced tunneling, you can't undo the configuration. If you remove all other IP configurations on your firewall, the management IP configuration is removed as well, and the firewall is deallocated. The public IP address assigned to the management IP configuration can't be removed, but you can assign a different public IP address.

    Also, you cannot deploy more than one Azure Firewall to the same VNet.

    So, the only option in this case would be to delete the existing Azure Firewall with forced tunneling mode and recreate a new Azure Firewall without the forced tunneling mode.

    I would suggest you do this change during a dedicated downtime window for minimal impact to your existing setup.

    • You can remove the existing UDR from all your subnets to make sure that the traffic is routed directly to the Internet.
    • Then delete the Azure Firewall with forced tunneling mode.
    • Recreate the Azure Firewall without the forced tunneling mode.
    • Add UDRs to all subnets with a 0.0.0.0/0 route whose next hop is the Azure Firewall.
    • Add the required network rules in the Azure Firewall.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

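After the rebuild steps in the answer above, the check a practitioner would want is that no workload subnet was left without the new default route. The following audit is an added example, not code from the question, the answer or Microsoft: it consumes the JSON that `az network vnet subnet list` and `az network route-table list` return (the field names used are an assumption about the CLI's camelCase output; the sample data is constructed inline) and flags subnets whose 0.0.0.0/0 route does not point at the firewall's private IP, including leftover forced-tunnel routes to the VPN gateway and subnets stripped of their route table in step 1.

```python
"""Audit that every workload subnet sends 0.0.0.0/0 to the Azure Firewall's
private IP after replacing a forced-tunneling firewall (added example)."""

# Subnets the firewall and VPN gateway themselves occupy: they must not carry
# a default route back to the firewall, so they are excluded from the check.
INFRA_SUBNETS = {"AzureFirewallSubnet", "AzureFirewallManagementSubnet", "GatewaySubnet"}


def audit_default_routes(subnets, route_tables, firewall_private_ip):
    """Return {subnet_name: finding}. `subnets` and `route_tables` mirror the
    JSON of `az network vnet subnet list` / `az network route-table list`
    (field names assumed: routeTable.id, routes[].addressPrefix, nextHopType,
    nextHopIpAddress)."""
    tables_by_id = {t["id"].lower(): t for t in route_tables}
    findings = {}
    for sn in subnets:
        if sn["name"] in INFRA_SUBNETS:
            continue
        rt_ref = sn.get("routeTable")
        if not rt_ref:
            findings[sn["name"]] = "no route table: egress bypasses the firewall"
            continue
        table = tables_by_id.get(rt_ref["id"].lower(), {})
        default = [r for r in table.get("routes", []) if r["addressPrefix"] == "0.0.0.0/0"]
        if not default:
            findings[sn["name"]] = "no 0.0.0.0/0 route: egress bypasses the firewall"
        elif default[0]["nextHopType"] == "VirtualNetworkGateway":
            findings[sn["name"]] = "still forced-tunneled to on-prem via the VPN gateway"
        elif (default[0]["nextHopType"] != "VirtualAppliance"
              or default[0].get("nextHopIpAddress") != firewall_private_ip):
            findings[sn["name"]] = f"default route points elsewhere ({default[0]['nextHopType']})"
        else:
            findings[sn["name"]] = "ok"
    return findings


# Constructed sample data (not real resource ids; ids shortened for readability).
SAMPLE_SUBNETS = [
    {"name": "app-subnet", "routeTable": {"id": "/rt/rt-app"}},
    {"name": "db-subnet", "routeTable": {"id": "/rt/rt-legacy"}},
    {"name": "mgmt-subnet", "routeTable": None},
    {"name": "AzureFirewallSubnet", "routeTable": None},
]
SAMPLE_ROUTE_TABLES = [
    {"id": "/rt/rt-app", "routes": [{"name": "default", "addressPrefix": "0.0.0.0/0",
                                     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"}]},
    {"id": "/rt/rt-legacy", "routes": [{"name": "to-onprem", "addressPrefix": "0.0.0.0/0",
                                        "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": None}]},
]

if __name__ == "__main__":
    for subnet, finding in audit_default_routes(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, "10.0.1.4").items():
        print(f"{subnet}: {finding}")
```

Against live output, feed the two `az ... -o json` results through `json.load` and pass the firewall's private IP from `az network firewall show`; any finding other than "ok" is a subnet whose egress is not being inspected.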