Hello Raj A,
Thank you for posting your question in the Microsoft Q&A forum.
To configure an Azure VM in a spoke network to access a partner's on-premises server via a Cisco SD-WAN site-to-site VPN with FTDv, begin by ensuring proper network topology: deploy the Cisco FTDv firewall in the hub VNet and establish VNet peering with gateway transit enabled to the spoke. Configure the FTDv with an IPSec VPN tunnel matching the partner's SD-WAN policies, including IKEv2 parameters, crypto maps, and proper route propagation either via static routes or BGP through Azure Route Server. Implement user-defined routes (UDRs) in the spoke VNet to direct partner-bound traffic to the FTDv’s private IP, and verify NSG rules allow this flow.
Network Topology & Prerequisites
- Hub VNet (Azure): Hosts the Cisco FTDv firewall (Azure Marketplace VM).
- Spoke VNet (Azure): Contains the VM that needs partner access (peered with Hub).
- Cisco SD-WAN (On-Prem): Connects to FTDv via IPSec VPN.
- Partner Network: Accessed via the SD-WAN tunnel.
Prerequisites:
- Cisco FTDv deployed in Hub VNet (with VPN configured to SD-WAN).
- Hub-Spoke VNet peering (with gateway transit enabled).
- Azure Route Server (optional, for dynamic routing with BGP).
Test connectivity from the spoke VM while monitoring VPN status on the FTDv and Azure’s effective routes.
Test Connectivity
- From the spoke VM, traceroute to the partner’s server.
- Verify VPN status on FTDv (show vpn-sessiondb).
- Check Azure effective routes for the spoke VM’s NIC.
For security, enable logging via NSG flow logs and FTDv syslog, and consider high availability with active/standby FTDv deployments. If challenges persist, validate IKE policy alignment, UDR application, and packet paths using FTDv diagnostics.
Security Considerations
- Azure Firewall/NVA Inspection: If needed, route traffic via an additional firewall.
- Logging: Enable NSG flow logs and FTDv syslog to monitor traffic.
- High Availability: Deploy FTDv in active/standby with Azure Load Balancer.
For large-scale deployments, Azure Virtual WAN or ExpressRoute may offer more robust alternatives. Always refer to Cisco’s Azure deployment guides and Microsoft’s Route Server documentation for implementation specifics.
If the above answer helped, please do not forget to "Accept Answer" as this may help other community members to refer to the info if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated.
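As an added example (not part of the answer above, and not Cisco's or Microsoft's own code), the spoke UDR and the effective-route check from the steps above, expressed with the Azure CLI. The resource group, VNet/subnet/NIC names, the FTDv inside-interface IP and the partner prefix are assumed placeholders.

```shell
#!/usr/bin/env sh
# Added example: create the spoke route table that sends partner-bound traffic to the
# FTDv's inside NIC, then verify the route is Active on the spoke VM's NIC.
# All names, prefixes and IPs below are assumed placeholders, not values from the thread.
RG="rg-hub-spoke"                 # assumed resource group
SPOKE_VNET="vnet-spoke"           # assumed spoke VNet
SPOKE_SUBNET="snet-workload"      # assumed subnet holding the spoke VM
VM_NIC="vm-spoke01-nic"           # assumed spoke VM NIC
FTDV_INSIDE_IP="10.0.1.4"         # assumed FTDv inside-interface private IP (hub VNet)
PARTNER_PREFIX="192.168.50.0/24"  # assumed partner on-prem prefix reached via SD-WAN

# Step: UDR in the spoke subnet, next hop = FTDv (VirtualAppliance).
create_partner_udr() {
  az network route-table create -g "$RG" -n rt-spoke-to-partner --output none
  az network route-table route create -g "$RG" --route-table-name rt-spoke-to-partner \
    -n to-partner --address-prefix "$PARTNER_PREFIX" \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$FTDV_INSIDE_IP" --output none
  az network vnet subnet update -g "$RG" --vnet-name "$SPOKE_VNET" -n "$SPOKE_SUBNET" \
    --route-table rt-spoke-to-partner --output none
}

# Step: dump the NIC's effective routes as "prefix TAB nextHopType TAB nextHopIp TAB state".
effective_routes() {
  az network nic show-effective-route-table -g "$RG" -n "$VM_NIC" \
    --query "value[].[addressPrefix[0], nextHopType, nextHopIpAddress[0], state]" -o tsv
}

# Returns 0 only if the partner prefix is an Active VirtualAppliance route to the FTDv IP.
# Reads the tab-separated rows on stdin so it can be checked against captured output.
route_points_at_ftdv() {
  prefix="$1"; fw_ip="$2"
  awk -v p="$prefix" -v ip="$fw_ip" '
    BEGIN { FS = "\t"; ok = 0 }
    $1 == p && $2 == "VirtualAppliance" && $3 == ip && $4 == "Active" { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Combined check to run from a shell with az logged in.
verify_partner_route() {
  effective_routes | route_points_at_ftdv "$PARTNER_PREFIX" "$FTDV_INSIDE_IP"
}
```

If `verify_partner_route` fails, the usual causes are the route table not being associated with the spoke subnet or BGP-propagated routes overriding the UDR, which the effective-route output makes visible.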