vHub private route intent blocking traffic to and from UDR.

prasantc 876 Reputation points

This is not a duplicate of previous question as it only relates to private intent.


UDR - 172.16

core - 172.20

onprem -192.198

I am trying connectivity by simulating a production migration scenario. I am simulating an existing third-party appliance with Azure Basic Firewall and eventually migrating to the Azure vHub firewall.

It will be a phase-wise migration to move traffic for each subscription VNet from the basic firewall to vWAN. However, for the lab I only have the same subscription and a single VNet to the basic firewall, unlike many subscriptions and VNets in reality. But here is the lab test scenario, and private intent is blocking traffic between on-prem and UDR.

1) UDR vnet represents Azure subscription traffic using a third-party firewall.

2) The third-party firewall is hosted in the Core vnet, which is peered with default propagation enabled.

3) The vHub default route has route propagation enabled, with a static route defined for the UDR vnet with next hop as the UDR basic AZ firewall.

4) On the security configuration of the vHub, routing intent for public and private is not enabled.

5) The on-prem connection is simulated with another subscription connecting via a BGP VPN gateway from vWAN to the on-prem subscription with a VPN gateway and LNG active/active.

6) With all the above setup, there is network traffic between UDR to core, core to UDR, UDR to on-prem, on-prem to UDR, and core to on-prem, both ways as expected. NAT rules for RDP are working.

7) NOW I ENABLE PRIVATE routing intent.

8) As soon as I enable private routing intent, it breaks the on-prem to UDR connection from both directions. Only core can talk to both.

9) Default route propagation is automatically disabled by private routing intent. It has added static routes in the default route with all RFC1918 pointing to the hub firewall.

10) It has added a "none" route with propagation, which does nothing with propagation as UDR and on-prem are not talking.

11) I tried flipping propagation on the hub default route to yes, and it immediately changes private traffic on the hub security configuration to insecure and resumes UDR to on-prem, but it is not secured anymore by the AZ firewall.

12) I tried deleting the static vnet route on the hub default route and it still does not resolve.

13) If private link expects to deliver all traffic only through Azure Firewall, then how is it possible to plan and migrate with a phased approach in a business environment where we could test all rules first with a test subscription before moving prod or PCI etc.? Or is there a workaround to this problem?

14) Verified effective routes on the VM of on-prem and UDR. It looks like it is not aware of it, which is due to propagation.

I also have one question about internet intent, which is a different topic for later.

Azure Virtual WAN

Accepted answer
KapilAnanth-MSFT 38,201 Reputation points Microsoft Employee

    @prasantc ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    Looking at your configuration, it seems to be complex and consists of multiple hops.

    • It is not recommended to use Azure Routing Intent in conjunction with UDRs.
    • To troubleshoot this, we would be required to check every hop, such as the VM, the Azure Firewall in the Core VNET and the VPN Gateway.
    • As you can see, Virtual WAN Hub routing intent with Private Traffic makes sure all Branch-to-Branch traffic goes through the Firewall that is deployed in the vHub.
    • With that said, Azure routing always follows the longest prefix match algorithm and prefers User-defined routes over system/BGP routes.

    Now, I believe the traffic path you are expecting is:

    VMinSpoke ---- AzureFirewallInCoreVNET ---- AzureFirewallInVhub ---- vWAN VPN Gateway

    Now, if you want a custom NVA set up, you have to use custom route tables.

    • You can route traffic from VMinSpoke to AzureFirewallInCoreVNET, and from AzureFirewallInCoreVNET to AzureFirewallInVhub, as long as the UDRs are correct.
      • You should be able to check this in the VM's Effective Routes.
      • Whatever shows as nextHop is the nextHop for this traffic.
    • However, you must also take care of the return traffic.

    The catch is that you cannot use Routing Intent with custom route tables.

    • So, the above cannot be used if you have Routing Intent configured.
    • See: Known Limitations

    Hope this clarifies.
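The answer's advice is to read the VM's effective routes and apply Azure's selection rules (longest prefix match, then user-defined routes over BGP-learned routes over system routes) to see which next hop each flow actually takes. The following Python script is an added example, not code from either participant or from Microsoft: it evaluates a constructed effective-route table in the JSON shape that `az network nic show-effective-route-table` emits, picks the winning route for a destination, and audits whether traffic to given destinations still passes through the expected firewall. The 172.16.0.0/16 (UDR spoke) and 172.20.0.0/16 (core) prefixes follow the question's lab; the on-prem prefix 192.168.0.0/16, the firewall private IP 172.20.0.4 and the BGP next hop 10.255.0.1 are assumed placeholders. The second table, with the on-prem routes absent, mirrors item 14 of the question, where the VM is no longer aware of the on-prem prefix after routing intent is enabled.

```python
import ipaddress
import json

# Constructed sample in the shape of `az network nic show-effective-route-table`
# output (field names as the CLI emits them). 172.16.0.0/16 is the UDR spoke and
# 172.20.0.0/16 the core VNet hosting the Basic firewall, as in the question.
# The on-prem range 192.168.0.0/16, the firewall IP 172.20.0.4 and the BGP
# next hop 10.255.0.1 are assumed placeholders, not values from the page.
SAMPLE_EFFECTIVE_ROUTES = json.loads("""
{
  "value": [
    {"addressPrefix": ["172.16.0.0/16"], "nextHopIpAddress": [],
     "nextHopType": "VnetLocal", "source": "Default", "state": "Active"},
    {"addressPrefix": ["172.20.0.0/16"], "nextHopIpAddress": [],
     "nextHopType": "VNetPeering", "source": "Default", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopIpAddress": [],
     "nextHopType": "Internet", "source": "Default", "state": "Active"},
    {"addressPrefix": ["192.168.0.0/16"], "nextHopIpAddress": ["172.20.0.4"],
     "nextHopType": "VirtualAppliance", "source": "User", "state": "Active"},
    {"addressPrefix": ["192.168.0.0/16"], "nextHopIpAddress": ["10.255.0.1"],
     "nextHopType": "VirtualNetworkGateway", "source": "VirtualNetworkGateway",
     "state": "Active"},
    {"addressPrefix": ["172.20.0.0/24"], "nextHopIpAddress": [],
     "nextHopType": "None", "source": "User", "state": "Invalid"}
  ]
}
""")

# Constructed "after private routing intent" table: only the system routes
# remain, so the VM has no route for the on-prem prefix (question item 14).
AFTER_INTENT_ROUTES = {
    "value": [r for r in SAMPLE_EFFECTIVE_ROUTES["value"] if r["source"] == "Default"]
}

# Azure tie-break when active routes share the same prefix length:
# user-defined routes beat BGP-learned routes, which beat system routes.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def select_route(effective_routes, destination):
    """Return the route entry Azure would use for `destination`, or None."""
    dst = ipaddress.ip_address(destination)
    best, best_key = None, None
    for route in effective_routes["value"]:
        if route.get("state") != "Active":
            continue  # Invalid routes are listed but never used for forwarding
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if dst not in net:
                continue
            # Longest prefix first (negated so smaller is better), then source.
            key = (-net.prefixlen, SOURCE_PRIORITY.get(route["source"], 3))
            if best_key is None or key < best_key:
                best, best_key = route, key
    return best


def next_hop(effective_routes, destination):
    """Return (nextHopType, nextHopIp) for `destination`, or None if unroutable."""
    route = select_route(effective_routes, destination)
    if route is None:
        return None
    hop_ip = route["nextHopIpAddress"][0] if route["nextHopIpAddress"] else None
    return route["nextHopType"], hop_ip


def audit_inspection(effective_routes, destinations, firewall_ip):
    """List destinations whose traffic would NOT be steered to `firewall_ip`.

    An empty list means every listed destination is still inspected by the
    expected appliance; anything returned is a bypass to investigate.
    """
    bypassed = []
    for dest in destinations:
        hop = next_hop(effective_routes, dest)
        if hop != ("VirtualAppliance", firewall_ip):
            bypassed.append((dest, hop))
    return bypassed


if __name__ == "__main__":
    for label, table in (("before intent", SAMPLE_EFFECTIVE_ROUTES),
                         ("after intent", AFTER_INTENT_ROUTES)):
        print(label, "on-prem next hop:", next_hop(table, "192.168.10.5"))
        print(label, "bypass:", audit_inspection(table, ["192.168.10.5"], "172.20.0.4"))
```

To run this against a real NIC, replace the constructed JSON with the output of `az network nic show-effective-route-table -g <rg> -n <nic> -o json` (or the equivalent `Get-AzEffectiveRouteTable` PowerShell output) and pass the firewall's private IP you expect as next hop; a non-empty audit result is the quickest way to confirm the "insecure" condition the question describes in item 11.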


