Routing Configuration for Connecting External Network to Azure via NVA and Azure Firewall

Roshan Roy
2024-11-27T21:17:21.0866667+00:00

Hi There,
I have a requirement to connect an external network to the Azure infrastructure via a Network Virtual Appliance (NVA). The NVA contains an external subnet, which needs to be connected to Azure resources, as well as other resources connected via ExpressRoute and the Azure VPN Gateway. All production VNets point to the Azure Firewall as their default route.

[Image: topology diagram]

As I understand it, two route table entries are required for this setup:

  1. The first route table should be attached to the NVA subnet, with a default route pointing towards the Azure Firewall.
  2. The second route table should be attached to the Azure Firewall subnet, with routes for the external networks received via the NVA.

Please correct me if my approach is wrong.

Thanks in advance.

Azure Firewall

1 answer

KapilAnanth-MSFT (Microsoft Employee, Moderator)
    2024-11-28T05:14:09.0966667+00:00

    @Roshan Roy ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to use a third-party NVA to connect to the Azure VNET (along with networks connected via VPN and ExR).

    Since this is a third-party NVA, I would suggest you check with their documentation/support to get more clarity.

    With that said,

    • Assuming the NVA has 2 NICs in 2 subnets:
      • Ideally, the externalSubnet should be the one exposed to the Internet, i.e., it should be the one connecting the external network.
      • And the internalSubnet/NVASubnet should be the one receiving and sending traffic to the Azure VNET (VPN and ExR).
      • Forwarding between the internal and external NICs should be handled by the OS.
    • Terminology-wise, the above is preferred and used.

    With regard to routing:

    • On the AzureFirewallSubnet, you should have a route pointing the external network's address space to the NVA.
    • On the NVA's internalSubnet/NVASubnet, you should have a route pointing the Azure VNET's (VPN and ExR) address space to the Azure Firewall.
      • You mentioned a "default" route in your description.
      • But please use specific routes/address spaces.
    • Note that the above is only valid as long as all other subnets have a route table attached pointing all traffic to the Azure Firewall.

    You can use this as a reference: Use Azure Firewall to route a multi hub and spoke topology

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

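The three route tables the answer describes, modelled so each flow can be traced hop by hop. This is an added example, not code from the thread or from Microsoft: the prefixes, firewall/NVA IPs, resource group and region are hypothetical, and the `propagate_gw` flag models the route table's "propagate gateway routes" setting, a detail the answer does not discuss. Azure picks the longest matching prefix and, on a tie, prefers user-defined routes over gateway-learned routes over system routes; the trace of `Spoke -> 192.168.1.1` shows why that setting matters: an on-premises prefix learned from the hub gateway is more specific than `0.0.0.0/0`, so a spoke's default route to the firewall does not capture it unless propagation is disabled on the spoke's table. `audit()` encodes the answer's rules and `az_cli()` prints the Azure CLI calls that would build the tables.

```python
"""Model the UDR layout from the answer above and trace where each flow goes.
Azure picks the longest matching prefix; on a tie, user-defined routes beat
gateway (BGP) routes, which beat system routes.  All addresses are hypothetical."""
import ipaddress

# Hypothetical address plan, constructed for this example (not from the thread).
HUB_VNET     = "10.0.0.0/16"
SPOKE_VNET   = "10.1.0.0/16"
ONPREM       = "192.168.0.0/16"   # learned from the VPN / ExpressRoute gateway in the hub
EXTERNAL_NET = "172.16.0.0/12"    # reachable only through the NVA
AZFW_IP      = "10.0.1.4"         # Azure Firewall private IP in AzureFirewallSubnet
NVA_INT_IP   = "10.0.2.4"         # NVA internal NIC in NVASubnet
HUB_SUBNETS  = ("AzureFirewallSubnet", "NVASubnet")
PRECEDENCE   = {"user": 0, "bgp": 1, "system": 2}   # lower wins on equal prefix length

def system_routes(subnet):
    """Routes Azure installs by itself: local VNet, peering, gateway-learned, Internet."""
    local, peer = (HUB_VNET, SPOKE_VNET) if subnet in HUB_SUBNETS else (SPOKE_VNET, HUB_VNET)
    return [(local, "VnetLocal", None, "system"),
            (peer, "VNetPeering", None, "system"),
            (ONPREM, "VirtualNetworkGateway", None, "bgp"),   # assumes gateway transit to the spoke
            ("0.0.0.0/0", "Internet", None, "system")]

# Route tables as the answer recommends: (prefix, next-hop type, next-hop IP, origin).
# propagate_gw=False models the route-table setting that drops gateway-learned routes.
RECOMMENDED = {
    "AzureFirewallSubnet": {"propagate_gw": True,
        "routes": [(EXTERNAL_NET, "VirtualAppliance", NVA_INT_IP, "user")]},
    "NVASubnet": {"propagate_gw": False,
        "routes": [(p, "VirtualAppliance", AZFW_IP, "user") for p in (HUB_VNET, SPOKE_VNET, ONPREM)]},
    "Spoke": {"propagate_gw": False,
        "routes": [("0.0.0.0/0", "VirtualAppliance", AZFW_IP, "user")]},
}

def select_route(subnet, dst, tables):
    """Effective route for dst on a subnet: longest prefix, then origin precedence."""
    table = tables.get(subnet, {"propagate_gw": True, "routes": []})
    candidates = [r for r in system_routes(subnet) + table["routes"]
                  if not (r[3] == "bgp" and not table["propagate_gw"])
                  and ipaddress.ip_address(dst) in ipaddress.ip_network(r[0])]
    return max(candidates, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -PRECEDENCE[r[3]]))

def trace(src_subnet, dst, tables, max_hops=8):
    """Hop list for a packet from src_subnet to dst; raises on a routing loop."""
    hops, subnet = [src_subnet], src_subnet
    while len(hops) < max_hops:
        _, kind, nh_ip, _ = select_route(subnet, dst, tables)
        if kind != "VirtualAppliance":
            return hops + [kind]                      # delivered by Azure's own next hop
        nxt = "AzureFirewallSubnet" if nh_ip == AZFW_IP else "NVASubnet"
        if nxt in hops:
            raise RuntimeError("routing loop: " + " -> ".join(hops + [nxt]))
        hops.append(nxt)
        if nxt == "NVASubnet" and ipaddress.ip_address(dst) in ipaddress.ip_network(EXTERNAL_NET):
            return hops + ["external-network"]        # NVA OS forwards out its external NIC
        subnet = nxt   # firewall (or NVA internal NIC, by assumption) re-emits into its own subnet
    raise RuntimeError("hop limit exceeded")

def audit(tables):
    """The answer's rules: every other subnet defaults to the firewall; NVASubnet uses specific
    prefixes toward the firewall; AzureFirewallSubnet sends the external net to the NVA.
    Plus one added check: spokes must not import gateway routes that bypass the default."""
    findings = []
    for subnet, table in tables.items():
        routes = table["routes"]
        if subnet == "NVASubnet":
            if any(r[0] == "0.0.0.0/0" for r in routes):
                findings.append("NVASubnet: use specific prefixes, not a default route")
            if not routes or any(r[1:3] != ("VirtualAppliance", AZFW_IP) for r in routes):
                findings.append("NVASubnet: Azure/VPN/ExR prefixes must point at the firewall")
        elif subnet == "AzureFirewallSubnet":
            if (EXTERNAL_NET, "VirtualAppliance", NVA_INT_IP, "user") not in routes:
                findings.append("AzureFirewallSubnet: external network must point at the NVA")
        else:
            if ("0.0.0.0/0", "VirtualAppliance", AZFW_IP, "user") not in routes:
                findings.append(f"{subnet}: default route must point at the firewall")
            if table["propagate_gw"]:
                findings.append(f"{subnet}: disable gateway route propagation or on-prem prefixes bypass the firewall")
    return findings

def az_cli(tables, rg="rg-hub", location="eastus"):
    """Azure CLI commands that would create these tables (returned as strings, not executed)."""
    cmds = []
    for subnet, table in tables.items():
        rt = f"rt-{subnet.lower()}"
        cmds.append(f"az network route-table create -g {rg} -l {location} -n {rt} "
                    f"--disable-bgp-route-propagation {str(not table['propagate_gw']).lower()}")
        for i, (prefix, kind, nh_ip, _) in enumerate(table["routes"]):
            cmd = (f"az network route-table route create -g {rg} --route-table-name {rt} "
                   f"-n r{i} --address-prefix {prefix} --next-hop-type {kind}")
            cmds.append(cmd + (f" --next-hop-ip-address {nh_ip}" if nh_ip else ""))
    return cmds

if __name__ == "__main__":
    for src, dst in (("Spoke", "172.16.5.5"), ("NVASubnet", "10.1.0.5"), ("Spoke", "192.168.1.1")):
        print(f"{src} -> {dst}: {' -> '.join(trace(src, dst, RECOMMENDED))}")
    print("audit:", audit(RECOMMENDED) or "ok")
    print("\n".join(az_cli(RECOMMENDED)))
```

Swapping the NVASubnet table for a single `0.0.0.0/0 -> firewall` route (the variant the answer advises against) makes `audit()` flag it and changes the trace for Internet-bound traffic from the NVA's internal NIC from `NVASubnet -> Internet` to `NVASubnet -> AzureFirewallSubnet -> Internet`; the model shows the scope difference, nothing more. The route-table association to each subnet (`az network vnet subnet update --route-table`) is left out of `az_cli()` because subnet names and VNets are not on the page.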
