Route all Virtual Gateway P2S traffic through Azure Firewall

Nathan Loika 1 Reputation point
2022-02-08T19:58:01.17+00:00

I'm trying to set up a firewall between a P2S Virtual Gateway connection and the remainder of my Azure network, but I'm having trouble figuring out how to set it up.

As a simplified architecture, I have two VNets "hub" and "spoke" and each has a VM in it. I have a Virtual Network Gateway deployed into each one and connected with a V2V gateway connection and BGP enabled. I've configured a P2S connection on the "spoke" gateway and can successfully communicate with the Hub VM from a P2S connected client (traffic flows in all directions and everything is routed properly via BGP).

How can I implement an Azure Firewall such that it restricts all traffic from the P2S VPN to only be able to reach the "hub" VM?

I've been able to set up the Firewall in the Hub and connect through it, but it seems that there's no way to route all P2S traffic through it easily without having very small route prefixes for all possibilities. I thought I could associate a route table with a 0.0.0.0/0 -> Firewall IP route to the spoke GatewaySubnet, but that doesn't work (error). Seems like Virtual WAN has the ability to do this, but that's a big hammer to swing at this configuration.

I've been loosely following https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal#create-the-routes

Any pointers are appreciated!


1 answer

SaiKishor-MSFT 17,216 Reputation points
2022-02-10T21:11:07.717+00:00

@Nathan Loika Thank you for reaching out to Microsoft Q&A. I understand that you have a Hub and Spoke setup with a P2S VPN Gateway on the Spoke VNet, and the Hub VNet has the FW. The Hub and Spoke are connected via a V2V Gateway. However, I am unable to understand your requirement. When you say you want to restrict all traffic from the P2S VPN to only be able to reach the Hub VM, do you mean that you do not want P2S client traffic to access the Spoke Network? In this case, can you set up the P2S VPN GW on the Hub itself?

Here is an example of the same: Manage secure access to resources in spoke VNets for User VPN clients, with the network diagram as shown below:
[network diagram image]

Please let me know. Thank you!
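As an added example (not code from the question, the answer, or the linked tutorial), the Bicep below sketches the layout the answer proposes, with the P2S gateway and the firewall both in the hub, using the route pattern from the linked tutorial: the GatewaySubnet route table carries only specific prefixes (the hub VM subnet and the spoke range) with the firewall as next hop, since a 0.0.0.0/0 route is what failed on the GatewaySubnet in the question, and a firewall policy network rule allows the P2S client pool to reach the hub VM only, so spoke-bound P2S traffic is dropped by the firewall's default deny. All names, address ranges, the firewall private IP and the existing policy name `fwpol-hub` are assumed placeholders, and associating `rt-gatewaysubnet` with the hub GatewaySubnet is left to the VNet definition.

```bicep
// Added example, not from the Q&A post; every name and address below is an assumption.
param firewallPrivateIp string = '10.0.1.4'    // assumed: private IP in the hub AzureFirewallSubnet
param p2sClientPool string = '172.16.0.0/24'   // assumed: P2S client address pool on the hub gateway
param hubVmIp string = '10.0.2.4'              // assumed: the only destination P2S clients may reach
param hubWorkloadPrefix string = '10.0.2.0/24' // assumed: subnet holding the hub VM
param spokePrefix string = '10.1.0.0/16'       // assumed: spoke VNet address space

// Route table for the hub GatewaySubnet. Only specific prefixes are sent to the firewall;
// no 0.0.0.0/0 route here, which is the route that was rejected in the question.
// BGP propagation stays enabled so the V2V-learned spoke routes still arrive.
resource gwRoutes 'Microsoft.Network/routeTables@2022-07-01' = {
  name: 'rt-gatewaysubnet'
  location: resourceGroup().location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      { name: 'to-hub-workload-via-fw', properties: { addressPrefix: hubWorkloadPrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } }
      { name: 'to-spoke-via-fw', properties: { addressPrefix: spokePrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } }
    ]
  }
}

// Firewall policy already attached to the hub firewall (assumed to exist).
resource fwPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' existing = {
  name: 'fwpol-hub'
}

// Single allow rule: P2S clients -> hub VM. Anything else from the client pool,
// including traffic toward the spoke, hits no rule and is denied by default.
resource p2sRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-07-01' = {
  parent: fwPolicy
  name: 'rcg-p2s'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-p2s-to-hub-vm'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'p2s-to-hub-vm'
            ipProtocols: [ 'Any' ]
            sourceAddresses: [ p2sClientPool ]
            destinationAddresses: [ hubVmIp ]
            destinationPorts: [ '*' ]
          }
        ]
      }
    ]
  }
}
```

To verify the path end to end, check the effective routes of the gateway's connected clients and use the firewall's network rule logs to confirm that P2S-to-spoke flows show up as denied while P2S-to-hub-VM flows are allowed.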