How to force all S2S VPN traffic through Azure firewall

Sean Dodd 45 Reputation points
2024-05-16T15:27:08.08+00:00

Hi

We currently have a hub and spoke setup in Azure. The hub contains an Azure firewall, an ExpressRoute gateway and a VPN gateway. All traffic for the spokes is routed through the Azure firewall.

We have IPSec VPNs over our ExpressRoute which terminate on the VPN gateway.

We now need to create third-party external VPNs on the existing VPN gateway, but all VPN traffic needs to be protected by the firewall. We're concerned that the third-party VPN traffic can avoid the Azure firewall and go down the ExpressRoute VPNs to our on-prem datacentres unfiltered.

Is there a way to enforce this without creating new VPN gateways?

Tags: Azure VPN Gateway, Azure Firewall

Accepted answer
  1. KapilAnanth-MSFT 37,646 Reputation points Microsoft Employee
    2024-05-20T05:32:14.7433333+00:00

    @Sean Dodd ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to route traffic from one OnPrem site to another OnPrem site via VPN Gateway while also inspecting the traffic at Azure using Azure Firewall or a NVA.

    I am afraid this won't be feasible with a normal VPN Gateway, but instead doable with vWAN Routing Intent with "Private Traffic Routing Policy" enabled.

    However, with traditional VPN Gateway, I could not find any Azure documents supporting this.

    • I believe you will be using a BGP setup to route OnPrem to OnPrem traffic
    • See: Support transit routing between your on-premises networks
      • [image]
    • More precisely, like the below,
      • [image]
    • This makes sense as there will be a routing loop
    • Let's say you want to route traffic to Site2 from Site1 via VPN Gw and Azure Firewall (NVA)
    • You create a UDR on GatewaySubnet and point 10.2.0.0/16, 10.3.0.0/16 to route towards the NVA
    • Now traffic reaches the NVA, the NVA processes the traffic and forwards it to the GatewaySubnet
    • However, from the UDR in GatewaySubnet, traffic will once again be forwarded to the NVA
    • Thus, there will be a routing loop between GatewaySubnet and the NVA and traffic would never reach Site2

    P.S.: The same logic applies for a VPN Gateway built over an ExpressRoute connection

    Hope this adds some clarity.

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
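
The loop the accepted answer walks through, and the unfiltered transit the question is worried about, can both be traced with a small model of Azure effective-route evaluation. The script below is an added example written for this page; it is not Microsoft's code and not from either poster. The topology (hub 10.0.0.0/16 with GatewaySubnet and AzureFirewallSubnet, firewall at 10.0.1.4, a spoke subnet 10.1.0.0/24, Site1 10.2.0.0/16 and Site2 10.3.0.0/16) and all route entries are constructed for the example. Forwarding is modelled the way the answer describes it: the NVA hands on-prem-bound traffic back to the gateway, so it is evaluated against GatewaySubnet's effective routes a second time. The longest-prefix-match and UDR-overrides-propagated-route behaviour is how Azure builds a subnet's effective routes; the fourth scenario shows the related spoke-side pitfall, where leaving gateway route propagation enabled on the spoke lets the learned /16 beat the 0.0.0.0/0 UDR and bypass the firewall.

```python
import ipaddress

# Constructed example topology (not from the thread): hub VNet with GatewaySubnet
# 10.0.0.0/24 and AzureFirewallSubnet 10.0.1.0/24 (firewall 10.0.1.4), a peered
# spoke subnet 10.1.0.0/24, and two on-prem sites reached through the VPN gateway.
FIREWALL_IP = "10.0.1.4"
SUBNETS = {
    "GatewaySubnet": "10.0.0.0/24",
    "AzureFirewallSubnet": "10.0.1.0/24",
    "SpokeSubnet": "10.1.0.0/24",
}
SITES = {"Site1": "10.2.0.0/16", "Site2": "10.3.0.0/16"}

# Routes the gateway learns over BGP and propagates into subnets that have
# "propagate gateway routes" enabled: (prefix, next hop type, next hop IP).
GATEWAY_ROUTES = [(p, "VirtualNetworkGateway", None) for p in SITES.values()]

# UDRs (hypothetical): the answer's GatewaySubnet UDR towards the NVA, and the
# usual spoke default route towards the firewall.
UDR_GATEWAY_TO_FIREWALL = [(p, "VirtualAppliance", FIREWALL_IP) for p in SITES.values()]
UDR_SPOKE_DEFAULT = [("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP)]


def effective_routes(propagated, udr):
    """Build a subnet's effective routes: a UDR replaces a propagated route for the same prefix."""
    table = {r[0]: r for r in propagated}
    for r in udr:
        table[r[0]] = r
    return list(table.values())


def lookup(routes, dst):
    """Longest-prefix match over one subnet's effective routes; returns (network, hop type, hop IP)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop_type, hop_ip in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop_ip)
    return best


def subnet_of(ip):
    addr = ipaddress.ip_address(ip)
    return next(n for n, cidr in SUBNETS.items() if addr in ipaddress.ip_network(cidr))


def site_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, cidr in SITES.items() if addr in ipaddress.ip_network(cidr)), None)


def trace(dst, ingress, tables, max_hops=8):
    """Follow a packet subnet by subnet. Model (as the answer describes it): traffic sent to the
    gateway by the NVA is evaluated against GatewaySubnet's routes again before it enters the tunnel."""
    path, subnet, inspected = [ingress], ingress, False
    for _ in range(max_hops):
        route = lookup(tables[subnet], dst)
        if route is None or route[1] == "None":
            return {"outcome": "dropped", "inspected": inspected, "path": path}
        _, hop_type, hop_ip = route
        if hop_type == "VirtualAppliance":
            nxt = subnet_of(hop_ip)          # handed to the firewall
            inspected = True
        elif hop_type == "VirtualNetworkGateway":
            if subnet == "GatewaySubnet":    # gateway encapsulates into the S2S tunnel
                path.append(site_of(dst))
                return {"outcome": "delivered", "inspected": inspected, "path": path}
            nxt = "GatewaySubnet"            # must reach the gateway first
        else:
            return {"outcome": "dropped", "inspected": inspected, "path": path}
        path.append(nxt)
        if path.count(nxt) > 1:              # re-entered a subnet already on the path
            return {"outcome": "loop", "inspected": inspected, "path": path}
        subnet = nxt
    return {"outcome": "loop", "inspected": inspected, "path": path}


def scenarios():
    no_udr = {
        "GatewaySubnet": effective_routes(GATEWAY_ROUTES, []),
        "AzureFirewallSubnet": effective_routes(GATEWAY_ROUTES, []),
        # spoke route table with gateway route propagation disabled: only the 0/0 UDR remains
        "SpokeSubnet": effective_routes([], UDR_SPOKE_DEFAULT),
    }
    with_udr = dict(no_udr, GatewaySubnet=effective_routes(GATEWAY_ROUTES, UDR_GATEWAY_TO_FIREWALL))
    # spoke route table with propagation left on: the learned /16 outranks 0/0 by prefix length
    propagation_on = dict(no_udr, SpokeSubnet=effective_routes(GATEWAY_ROUTES, UDR_SPOKE_DEFAULT))
    return {
        "site1_to_site2_no_udr": trace("10.3.0.10", "GatewaySubnet", no_udr),      # transits unfiltered
        "site1_to_site2_with_udr": trace("10.3.0.10", "GatewaySubnet", with_udr),  # the answer's loop
        "spoke_to_site2": trace("10.3.0.10", "SpokeSubnet", no_udr),               # inspected, delivered
        "spoke_propagation_on": trace("10.3.0.10", "SpokeSubnet", propagation_on), # bypasses firewall
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result['outcome']}, inspected={result['inspected']}, path={' -> '.join(result['path'])}")
```

Run it and the first scenario delivers Site1's traffic to Site2 without ever touching AzureFirewallSubnet, the second bounces GatewaySubnet -> AzureFirewallSubnet -> GatewaySubnet, and the last one shows why spoke route tables in this design need gateway route propagation turned off.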

