Azure Firewall and Azure VPN Gateway

Shola Lawani 531 Reputation points Microsoft Employee
2020-11-20T17:49:47.757+00:00

Hello experts,

Quick question here when setting up Azure VPN Gateway for site to site VPN from On-prem to Azure for S2S connectiing and also using Azure FW for network perimeter filtering and inspection from On-prem to Azure.

Now on the Gateway subnet I will set up UDR for the so that traffic coming into Azure will be routed via the firewall. My question is this, since UDR will not be applied to the Azure Firewall, how does Azure Firewall learn about the On-premise routes for traffic going back to On-prem.

Regards,

Shola

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,534 questions
Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
662 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. SaiKishor-MSFT 17,231 Reputation points
    2020-11-21T01:09:45.37+00:00

    anonymous user You need to have a routing rule in the FW's subnet route-table pointing traffic for the on-premise to the virtual network gateway. Let me know if this helps. Thank you!

    0 comments No comments

  2. Shola Lawani 531 Reputation points Microsoft Employee
    2020-11-21T01:20:34.797+00:00

    Hi Saikishor,

    @SaiKishor-MSFT Thanks for the response...so if I understand what you are saying...a UDR will be attached to the Azure FW subnet with a next hop of "Virtual Network Gateway" to route traffic to back to on-premise.

    So the question is this in an hub and spoke where in we have UDR attached to the spoke that routes traffic back the On-prem network address via the FW...doesn't it make it redundant to have a UDR attached to the FW subnet?

    Finally, does the on-prem addresses propagates automatically to the Azure FW subnet?


  3. Shola Lawani 531 Reputation points Microsoft Employee
    2020-11-21T02:26:11.357+00:00

    @SaiKishor-MSFT thanks for the response
    Quick question here you mentioned "If you are not using BGP for the S-S VPN, you will need to add the route manually to the route table."

    From the above, Am I correct to say this route are part of the VPN Local Network Gateway if the S-S VPN set up doesn't use BGP? and these routes should be automatically part of the default system routes for even the Azure Firewall Subnet?
    Also, just confirm the flow of traffic here based on the Azure Firewall UDR

    Traffic from On-prem to Azure
    On-prem->VPN Gateway->UDR->Azure FW->Azure Vnet

    Traffic from Azure to On-Prem
    Azure Vnet->UDR->Azure FW->UDR->VPNGateway->On-prem VNet

    Thanks


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.