Share via

Azure UDR issue - routing between 2 pairs of NVA

Max 41 Reputation points
2022-01-20T21:18:45.18+00:00

Hi Microsoft community,

I have the following challenge. I have hub-spoke architecture with DMZ segmentation. Connectivity to on-premise environment is via ExpressRoute. I have 2x pairs of NVA devices that need to split the DMZ zoning into internal and external. My internal NVA pair is in my hub vnet where the expressRoute is. My external NVA pair is in a separate peered vnet.
I want to setup traffic flows as following:

  • spoke to on-prem via Internal FW
  • spoke to spoke via Internal FW
  • spoke to Internet - via Internal FW and then via External Firewall

For this setup, all spoke UDRs have static route pointing 0.0.0.0/0 to Internal FW LB. The issue I have is that when I receive traffic on the Internal FW from the spoke destined to the Internet, I want to route it to the External FW. This way I can keep internal communication completely isolated. How can I setup the routing on the Internal FW to route Internet destined traffic to the External FW? I could point 0.0.0.0/0 to the External FW, but what about the other routes to on-prem and spoke-to-spoke? I cannot use Virtual network Gateway as a next hop as it is an ExpressRoute. I am afraid 0.0.0.0/0 will override my BGP and vnet peering default Azure routes, so not sure how to overcome this challenge.

Hope someone has faced this challenge before and can advise.

Thanks

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,775 questions
0 comments
Accepted answer
  1. Gergana Duhneva 76 Reputation points
    2022-01-25T16:57:03.357+00:00

    System routes would not be overwritten if you provide 0.0.0.0/0 route to point traffic to the External FW. The way this works is unless you overwrite the system and BGP routes that are already existing in the subnet's default route table (created by Azure), you will basically overwrite jus the default Azure route for the Internet. Internal FW will still be able to reach the peered spokes via the system vnet peering route, and will still be able to reach prefixes advertised via the expressroute. The same way traffic between subnets is allowed unless you create UDR using the subnet's actual prefix to invalidate the default virtual network route.
    This should solve your issue.

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.