Firewall traffic

Question

Hi all,

I have a simple environment, 2 subscriptions which are peered together, one subscription has a S2S connection to on-premise. I would like to introduce an Azure firewall and would like to know if the following is possible. Only traffic between on-premise and Azure need to go via the Azure firewall, Traffic from Azure to the wider internet need to go via the firewall and then directly out to the internet, it does not need to transverse the S2S link to on-premise. I have looked at forced tunnelling, but this would force all traffic including Azure to internet via the S2S link which I don't want.
I can create a default UDR with 0.0.0.0/0 to the firewall which solves the Azure to internet issue, however Azure to on-premise still goes directly to the gateway and out over the S2S and bypasses the firewall.

Answer 1

@alancurtis

If I understand you correctly, you want all traffic to be forwarded to Azure FW and then from there, all internet bound traffic needs to go to internet directly and traffic to on-premise(192.168.1.0/24) should only go to Azure VPN GW. Please correct me otherwise.

To do this, as you mentioned, you can forward all traffic to Azure Firewall subnet by adding a 0.0.0.0/0 route with next hop of Azure FW(please make sure route propagation from the VPN is disabled on this VMs route table). The Azure firewall subnet should have a separate route table with a route for internet directly and a route for on-premises network to the Azure VPN GW(this route table can have route propagation enabled form the S2S VPN which can dynamically update the BGP routes to the Az FW subnets route table).
Here is a document that explains how routing is done in virtual network for more details. Hope this helps.

If you have any questions/concerns, please let me know and I can assist you further. Thank you!