How to route specific traffic through Azure Firewall via Site 2 Site BGP enabled VPN

ShengChen-2218 0 Reputation points

I have two virtual networks on Azure: Vnet1 ( and Vnet2 ( These Vnets are connected by an Azure VPN gateway using Site-to-Site BGP enabled VPN. Currently, VM1 can ping VM2, and VM1 can also ping the firewall in Vnet2.

I have created a default route UDR( -> and attached it to Vnet2-VmSubnet. This allows VM2 to access the internet via the firewall.

If I want to route specific IP traffic from VM1 to the internet via the firewall in Vnet2, How should I create a more specific UDR?

For example, I only want to route (a specific internet access) via the firewall, while other traffic still uses the VM's default outbound access.

I have tired to create a UDR( -> and attached it to Vnet1-VMSubnet, but it seems it does not work.

-- Network detail --








I would be glad to help if you have any questions or need any assistance with something specific.

Thank you!

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,243 questions
Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,401 questions
Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
580 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,193 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Silvia Wibowo 3,166 Reputation points Microsoft Employee

    Hi @ShengChen-2218 , I understand that you want to use a Firewall in another vnet where the two vnets are connected using site-to-site VPN.

    See the note of UDR (user-defined route) : A next hop private IP address must have direct connectivity without having to route through Vnet Gateway or Virtual WAN. Setting the next hop to an IP address without direct connectivity results in an invalid user-defined routing configuration.

    I'd recommend you replace site-to-site VPN connection between the two vnets with vnet peering. Vnet peering connects 2 vnets directly and there will be system routes created automatically. Then you can create UDR ( -> and attach it to Vnet1-VMSubnet.

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

  2. v-vvellanki-MSFT 4,130 Reputation points Microsoft Vendor

    Hi @ShengChen-2218,

    Thanks for contacting Microsoft Q&A platform.

    To route specific IP traffic from VM1 to the internet via the firewall in Vnet2, you'll need to create a more specific User-Defined Route (UDR) in Vnet1-VMSubnet. Here's how you can do it:

    1. Create a UDR: In the Azure portal, navigate to the route table associated with Vnet1-VMSubnet and create a new route with the following details:
      • Destination: (or any other specific IP or IP range you want to route)
      • Next hop type: Virtual appliance
      • Next hop address: The private IP address of the firewall in Vnet2 (
    2. Associate the UDR: Associate the newly created UDR with the subnet Vnet1-VMSubnet.
    3. Associate the UDR: Associate the newly created UDR with the subnet Vnet1-VMSubnet.

    With this configuration, any traffic from VM1 with a destination IP of will be routed to the firewall in Vnet2 via the VPN connection between Vnet1 and Vnet2. The firewall will then handle the internet-bound traffic for that specific IP address.

    Hope this helps you.