VNET Peering > Hub > Spoke and Azure Firewall

Question

VNET Peering > Hub > Spoke and Azure Firewall

ZTS 20

Hi,

Inquiry on Hub - Spoke Peering with Azure Firewall in Spoke subscription. Please advise how to configure the routing in Hub and Spoke with Azure Firewall in spoke. In addition, hub has a site to site VPN to on-premise.

Thanks,

Ganesh Patapati 4,325 Reputation points Microsoft External Staff

2025-02-17T11:42:39.24+00:00
Hi Zero Trust Solutions

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

In addition to the solution provided above by Luis Arias, I wanted to add a few more details.

Unless the Spoke (with Firewall) is peered to other Spoke VNets, we cannot have transit connectivity.

We recommend deploying an Azure Firewall in the hub VNet as per the documentation below.

Refer: https://learn.microsoft.com/en-us/azure/virtual-network-manager/how-to-deploy-hub-spoke-topology-with-azure-firewall

I hope this helps!

If above is unclear and/or you are unsure about something add a comment below.
ZTS 20 Reputation points

2025-02-18T06:04:34.8166667+00:00

Hi NSFT Team,

Any advise on this?

Thanks,
Ganesh Patapati 4,325 Reputation points Microsoft External Staff

2025-02-18T09:51:21.6+00:00
Hello Zero Trust Solutions

As I mentioned in the above,

Unless the Spoke (with Firewall) is peered to other Spoke VNets, we cannot have transit connectivity.

The only possible solution to achieve this setup.

We recommend deploying an Azure Firewall in the hub VNet as per the documentation below.

Refer: https://learn.microsoft.com/en-us/azure/virtual-network-manager/how-to-deploy-hub-spoke-topology-with-azure-firewall

I hope this helps!

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
ZTS 20 Reputation points

2025-02-18T11:50:33.8733333+00:00

Hi Ganesh, thanks for the advise. Yes, the requirement is the Azure Firewall is in the SPOKE. But in the design you provided, it is currently in the hub. The Spoke has another spoke (application subscriptions). Is this achievable? Why transit connectivity can not be achieve?

If not, what would be the alternative solution aside from putting the AFW in the hub?
ZTS 20 Reputation points

2025-02-19T06:46:46.13+00:00

This is confirmed limitation? What would be the configuration if peered SPOKE2 to SPOKE 1? SPOKE 2 should use gateway transit in hub or in SPOKE1?
Ganesh Patapati 4,325 Reputation points Microsoft External Staff

2025-02-19T09:54:02.7266667+00:00
@Zero Trust Solutions

Yes, this is a confirmed limitation.

SPOKE2 should be configured to use the gateway transit in the hub rather than in SPOKE1. This allows SPOKE2 to leverage the VPN gateway in the hub for connectivity.

I hope this has been helpful!

If above is unclear and/or you are unsure about something add a comment below.

Your feedback is important so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Accepted answer

1 additional answer

Your answer

Ganesh Patapati 4,325 Reputation points Microsoft External Staff

2025-02-17T11:42:39.24+00:00

Hi Zero Trust Solutions

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

In addition to the solution provided above by Luis Arias, I wanted to add a few more details.

Unless the Spoke (with Firewall) is peered to other Spoke VNets, we cannot have transit connectivity.

We recommend deploying an Azure Firewall in the hub VNet as per the documentation below.

Refer: https://learn.microsoft.com/en-us/azure/virtual-network-manager/how-to-deploy-hub-spoke-topology-with-azure-firewall

I hope this helps!

If above is unclear and/or you are unsure about something add a comment below.
ZTS 20 Reputation points

2025-02-18T06:04:34.8166667+00:00

Hi NSFT Team,

Any advise on this?

Thanks,
Ganesh Patapati 4,325 Reputation points Microsoft External Staff

2025-02-18T09:51:21.6+00:00

Hello Zero Trust Solutions

As I mentioned in the above,

Unless the Spoke (with Firewall) is peered to other Spoke VNets, we cannot have transit connectivity.

The only possible solution to achieve this setup.

We recommend deploying an Azure Firewall in the hub VNet as per the documentation below.

Refer: https://learn.microsoft.com/en-us/azure/virtual-network-manager/how-to-deploy-hub-spoke-topology-with-azure-firewall

I hope this helps!

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
ZTS 20 Reputation points

2025-02-18T11:50:33.8733333+00:00

Hi Ganesh, thanks for the advise. Yes, the requirement is the Azure Firewall is in the SPOKE. But in the design you provided, it is currently in the hub. The Spoke has another spoke (application subscriptions). Is this achievable? Why transit connectivity can not be achieve?

If not, what would be the alternative solution aside from putting the AFW in the hub?
ZTS 20 Reputation points

2025-02-19T06:46:46.13+00:00

This is confirmed limitation? What would be the configuration if peered SPOKE2 to SPOKE 1? SPOKE 2 should use gateway transit in hub or in SPOKE1?
Ganesh Patapati 4,325 Reputation points Microsoft External Staff

2025-02-19T09:54:02.7266667+00:00

@Zero Trust Solutions

Yes, this is a confirmed limitation.

SPOKE2 should be configured to use the gateway transit in the hub rather than in SPOKE1. This allows SPOKE2 to leverage the VPN gateway in the hub for connectivity.

I hope this has been helpful!

If above is unclear and/or you are unsure about something add a comment below.

Your feedback is important so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Answer 1

Ganesh Patapati 4,325 Microsoft External Staff

@Zero Trust Solutions

In a traditional hub-and-spoke model, spokes cannot communicate directly with each other unless routed through the hub.

for, Transit connectivity cannot be achieved as per the documentation.

Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#if-i-peer-vneta-to-vnetb-and-i-peer-vnetb-to-vnetc-does-that-mean-vneta-and-vnetc-are-peered

Another possible solution,

Implementing Azure Virtual WAN can facilitate transitive connectivity between spokes without needing to route traffic through the hub. This service allows for any-to-any connectivity.

Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about

Refer: https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke-vwan-architecture

Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nvas-custom

Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nva

I hope this has been helpful!

If above is unclear and/or you are unsure about something add a comment below.

Your feedback is important so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

ZTS 20 Reputation points

2025-02-20T12:49:28.56+00:00

If there is an Azure Firewall in VNET B, it is possible to communicate to VNET 3 and VNET 3 route AZFW in VNET 2 and reach VNET 1?
Ganesh Patapati 4,325 Reputation points Microsoft External Staff

2025-02-20T16:40:49.1266667+00:00

Hello Zero Trust Solutions

Thanks for the reply!

Communication is not possible as per the document From VNET 1 to VNET 3 via VNET B (Azure Firewall).

As I mentioned earlier, it is not possible because transitive peering is not supported.

NOTE: Communication is only possible when there is a direct peering from VNET 1 to VNET 2 & VNET 2 to VNET B (FW) & VNET B to VNET 3.

Vnet 2 to Vnet 3 with UDR through Vnet B (Azure firewall) as a hub will work.

I hope this has been helpful!

If above is unclear and/or you are unsure about something add a comment below.

Your feedback is important so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Answer 2

Hello Zero Trust Solutions,

Let me share you a small digram of what you want to configure: User's image

So here my suggestions to configure routing in a Hub-Spoke topology with Azure Firewall in the spoke subscription including the s2S VPN:

Deploy Azure Firewall in the Spoke VNet:
- Ensure that the Azure Firewall is deployed in the designated subnet within the spoke VNet.
Peer the Hub and Spoke VNets:
- Establish VNet peering between the hub VNet and the spoke VNet to allow communication between the two networks.
Create User Defined Routes (UDRs) in the Spoke VNet:
- Set up UDRs in the spoke subnets to direct traffic to the Azure Firewall. This ensures that all outbound traffic from the spokes goes through the firewall for inspection and security.
- Example Route:
  - Destination: 0.0.0.0/0
  - Next hop type: Virtual Appliance
  - Next hop address: IP address of the Azure Firewall
Update Route Table in the Hub VNet:
- Configure the route table in the hub VNet to direct traffic destined for on-premises to the Azure Firewall.
- Example Route:
  - Destination: On-premises IP range
  - Next hop type: Virtual Network Gateway
Configure Site-to-Site VPN:
- Ensure that the site-to-site VPN is properly configured to connect the hub VNet to the on-premises network.
Create UDRs for Ingress Traffic from On-Premises to Spoke VNet:
- Set up UDRs in the hub subnet to direct traffic arriving from on-premises to the spoke VNet.
- Example Route:
  - Destination: Spoke VNet IP range
  - Next hop type: Virtual Network Gateway
Configure Azure Firewall Rules:
- Define appropriate network rules, NAT rules, and application rules in the Azure Firewall to control and manage traffic.
- Network Rules: Allow or deny network traffic based on IP addresses and ports.
- NAT Rules: Configure inbound and outbound Network Address Translation.
- Application Rules: Control outbound internet traffic based on fully qualified domain names (FQDNs).

Additional references:

If the information helped address your question, please Accept the answer.

Luis

Share via

VNET Peering > Hub > Spoke and Azure Firewall

1 additional answer

Your answer