Routing To On-Prem from Azure Spoke VNET

jitesh k 0 Reputation points
2024-03-26T14:19:18.9033333+00:00

Hello

Need some help in understanding how routing is actually working.

Proposed hub and spoke set up.

The Hub will contain our Azure Firewall and an ExpressRoute VPN gateway which connects to our on-prem datacentre.

We plan to connect 3 spoke VNETS to the Hub using Peering.

On the Hub to Spoke Peering, we will select these 3 options

-Allow to access the peered virtual network

-Allow to receive forwarded traffic from the peered virtual network

-Allow gateway or route server in to forward traffic to the peered virtual network

Spoke Peering we have these 3 Options

-Allow the peered virtual network to access

-Allow the peered virtual network to receive forwarded traffic from

-Enable the peered virtual network to use remote gateway or route server

For each Spoke we have a UDR 0.0.0.0/0 with the next hop being the Private IP Address of our Azure Firewall and Propagate network routes set to No on the route table for each VNET.

On the GatewaySubnet, a Route Table which has entries for each of the spoke VNETs with the next hop being the Private IP Address of our Azure Firewall. Propagate Network Routes is set to Yes (should it be set to Yes?).

When a VM in the Spoke (10.120.3.42) needs to talk to a server in the on-prem datacenter (172.16.1.80), it first goes to the firewall as per the UDR we have in place, but how does the firewall know it needs to then send the traffic to the ExpressRoute VPN gateway so that it can reach the on-prem server?

We have been looking for information relating to this traffic flow, but nothing mentioned is easy to grasp.

Any clarification would be greatly appreciated.


1 answer

  1. ChaitanyaNaykodi-MSFT 23,031 Reputation points Microsoft Employee
    2024-03-27T03:51:02.14+00:00

    @jitesh k

    Thank you for reaching out.

    I understand you wish to know more about how the traffic from your spoke VNets in Azure is directed to on-prem via an Azure Firewall deployed in the Hub using ExpressRoute connectivity to the on-prem.

    Based on your question above:

    On the GatewaySubnet, a Route Table which has entries for each of the spoke VNETs with the next hop being the Private IP Address of our Azure Firewall. Propagate Network Routes is set to Yes (should it be set to Yes?).

    Yes, Route propagation shouldn't be disabled on the GatewaySubnet. The gateway will not function with this setting disabled.

    but how does the firewall know it needs to then send the traffic to the ExpressRoute VPN gateway so that it can reach the on-prem server?

    The on-prem routes are exchanged via BGP in Azure ExpressRoute and then propagated via the route table associated with the GatewaySubnet.

    The traffic paths are well explained here by Gita in this thread. You can also take a look at this implementation here to see how routing works in Azure.

    Hope this helps! Please let me know if you have any additional questions. Thank you!

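To make the route selection described in the question (spoke UDR 0.0.0.0/0 to the firewall, GatewaySubnet UDRs back to the firewall) and in the answer (on-prem prefixes learned over BGP and propagated) concrete, here is an added example that is not part of the original thread or of any Microsoft code. It is a small model of how Azure builds a subnet's effective routes (system routes, plus BGP-learned routes when gateway route propagation is enabled, plus UDRs) and picks one per destination: longest prefix match first, and on a tie a user-defined route beats a BGP route, which beats a system route. The hub prefix 10.100.0.0/16, the spoke prefix 10.120.0.0/16, the on-prem prefix 172.16.0.0/16 and the firewall private IP 10.100.1.4 are constructed values; only the two host addresses come from the question.

```python
"""Model of Azure effective-route selection for the hub-and-spoke design in the thread.

Assumptions (constructed for this example): hub VNet 10.100.0.0/16, spoke VNet
10.120.0.0/16, on-prem 172.16.0.0/16 advertised over BGP, Azure Firewall at 10.100.1.4.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str   # VnetLocal, VNetPeering, Internet, VirtualAppliance, VirtualNetworkGateway
    source: str          # "Default" (system), "VirtualNetworkGateway" (BGP-learned), "User" (UDR)
    next_hop_ip: Optional[str] = None


# Tie-break when two candidate routes have the same prefix length: UDR > BGP > system.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass
class Subnet:
    name: str
    system_routes: List[Route]
    bgp_routes: List[Route]
    udr: List[Route]
    propagate_gateway_routes: bool = True   # "Propagate gateway routes" on the route table

    def effective_routes(self) -> List[Route]:
        """System routes are always present; BGP routes only if propagation is on; UDRs always."""
        routes = list(self.system_routes)
        if self.propagate_gateway_routes:
            routes += self.bgp_routes
        return routes + self.udr


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match, then source priority on ties."""
    d = ip_address(dst)
    matches = [r for r in routes if d in ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ip_network(r.prefix).prefixlen, SOURCE_PRIORITY[r.source]))


FW_IP = "10.100.1.4"          # assumed Azure Firewall private IP
HUB, SPOKE, ONPREM = "10.100.0.0/16", "10.120.0.0/16", "172.16.0.0/16"
ONPREM_BGP = [Route(ONPREM, "VirtualNetworkGateway", "VirtualNetworkGateway")]
DEFAULT_INTERNET = Route("0.0.0.0/0", "Internet", "Default")


def build_topology(firewall_subnet_propagation: bool = True) -> Dict[str, Subnet]:
    """Three subnets from the thread; the flag lets you see what happens if the
    AzureFirewallSubnet is given a route table with gateway propagation disabled."""
    spoke = Subnet("spoke-subnet",
                   system_routes=[Route(SPOKE, "VnetLocal", "Default"),
                                  Route(HUB, "VNetPeering", "Default"), DEFAULT_INTERNET],
                   bgp_routes=ONPREM_BGP,   # learned via "use remote gateway", but hidden below
                   udr=[Route("0.0.0.0/0", "VirtualAppliance", "User", FW_IP)],
                   propagate_gateway_routes=False)
    firewall = Subnet("AzureFirewallSubnet",
                      system_routes=[Route(HUB, "VnetLocal", "Default"),
                                     Route(SPOKE, "VNetPeering", "Default"), DEFAULT_INTERNET],
                      bgp_routes=ONPREM_BGP, udr=[],
                      propagate_gateway_routes=firewall_subnet_propagation)
    gateway = Subnet("GatewaySubnet",
                     system_routes=[Route(HUB, "VnetLocal", "Default"),
                                    Route(SPOKE, "VNetPeering", "Default"), DEFAULT_INTERNET],
                     bgp_routes=ONPREM_BGP,
                     udr=[Route(SPOKE, "VirtualAppliance", "User", FW_IP)],   # return path via firewall
                     propagate_gateway_routes=True)
    return {s.name: s for s in (spoke, firewall, gateway)}


def trace(topology: Dict[str, Subnet], start: str, dst: str) -> List[Tuple[str, str, Optional[str]]]:
    """Follow the chosen route hop by hop; a VirtualAppliance hop lands in the firewall subnet,
    a VirtualNetworkGateway hop leaves Azure over ExpressRoute, anything else is final."""
    hops: List[Tuple[str, str, Optional[str]]] = []
    subnet = topology[start]
    for _ in range(4):   # bound the walk; a UDR loop would otherwise never terminate
        route = select_route(subnet.effective_routes(), dst)
        if route is None:
            hops.append((subnet.name, "NoRoute", None))
            break
        hops.append((subnet.name, route.next_hop_type, route.next_hop_ip))
        if route.next_hop_type == "VirtualAppliance" and route.next_hop_ip == FW_IP:
            subnet = topology["AzureFirewallSubnet"]
        else:
            break
    return hops


if __name__ == "__main__":
    topo = build_topology()
    print("spoke -> on-prem:", trace(topo, "spoke-subnet", "172.16.1.80"))
    print("on-prem -> spoke:", trace(topo, "GatewaySubnet", "10.120.3.42"))
    print("firewall subnet without BGP propagation:",
          trace(build_topology(firewall_subnet_propagation=False), "spoke-subnet", "172.16.1.80"))
```

Running it shows why the firewall "knows" about on-prem: the packet from 10.120.3.42 matches the spoke's 0.0.0.0/0 UDR (it beats the system Internet route only on source priority), arrives in the AzureFirewallSubnet, and there the BGP-learned 172.16.0.0/16 route wins on prefix length and points at the VirtualNetworkGateway. The return packet from on-prem enters at the GatewaySubnet, where the 10.120.0.0/16 UDR beats the equal-length peering route and sends it back through the firewall, which is why gateway route propagation must stay on there. The third trace shows the failure mode to check for: a route table on AzureFirewallSubnet with propagation disabled hides the BGP route, and on-prem traffic falls through to the Internet default route.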