This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 6%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EST%3C/text%3E%3C/svg%3E)
Can you tell us how to configure multiple-spoke virtual networks in Azure Firewall when you adopt a hub-spoke network topology in Azure?
Hello @GitaraniSharma-MSFT ,
Thank you very much.
The information in the answer was helpful. It was also helpful for the link guidance.
Hello @清水隆宏 / SHIMIZU,TAKAHIRO ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
In order to setup a Hub and Spoke architecture with an Azure Firewall, you will have to:
If you have a site to site connection using VPN gateway between Azure and your on-premises and need the traffic to go through Azure Firewall, then for the spokes to use the hub gateway to communicate with remote networks, you must create a UDR on the hub gateway subnet pointing to the firewall IP address as the next hop and configure the below options in the Hub-spoke Vnet peering:
Here are a few docs of Hub and Spoke architectures with Azure Firewall for your reference :
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli
https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/hub-spoke-network-topology
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" below if the information helped you. This will help us and others in the community as well.
Hi, @GitaraniSharma-MSFT Does Azure Firewall works across different subscription?
Hello @EnterpriseArchitect ,
Yes, Azure Firewall works across different subscriptions.
You can deploy Azure Firewall on any virtual network, but customers typically deploy it on a central virtual network and peer other virtual networks to it in a hub-and-spoke model. You can then set the default route from the peered virtual networks to point to this central firewall virtual network. The advantage of this model is the ability to centrally exert control on multiple spoke VNETs across different subscriptions. There are also cost savings as you don't need to deploy a firewall in each VNet separately.
Regards,
Gita
That's great, thanks, Gita.
Hi @GitaraniSharma-MSFT Does the Azure Firewall is required or can be deployed when the Web Application or Kubernetes/Containerized apps is deployed behind Azure Application Gateway (WAF - Web Application Firewall) ?
Hello @EnterpriseArchitect ,
Yes, Azure Firewall can be deployed with WAF/Azure application gateway to secure Azure application workloads.
I've answered your query in detail on your post : https://learn.microsoft.com/en-us/answers/questions/774683/index.html
Let us continue the discussion on that post. :)
Regards,
Gita