Route traffic through multiple Azure FWs in different VNets

Mohamed Elashkr 21 Reputation points
2022-04-18T08:27:36.423+00:00

Hello,

I have a question about routing traffic through two Azure Firewalls in different virtual networks (VNets) in different regions. Also, both firewalls and VNets are in different regions. If there is a hub VNet with an Az FW and a spoke VNet with an Az FW, is it possible to route traffic from the Az FW in the spoke to the Az FW in the hub and then to the internet, so that the traffic goes through both Az Firewalls? If yes, how could one configure the routing table and both Az FWs (my consideration may be through UDR or another solution!)?

Thank you in advance,


4 answers

  1. Andreas Baumgarten 100.4K Reputation points MVP
    2022-04-18T08:39:49.803+00:00

    Hi @Mohamed Elashkr,

    I would suggest using UDR to get this requirement done.
    We have used UDR for almost the same network topology with success. Because of network topology complexity we disabled BGP and created all routes manually.

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten


  2. Somnath Kumar 76 Reputation points
    2022-04-18T09:07:24.603+00:00

    Hi mohamedelashkr-4024,

    It is possible to simplify the routing by using the UDR. Is there a specific requirement for the firewall to remain on the spoke VNET?

    Option1: Spoke VNET- AZFW <--> HUB VNET AZFW - All Traffic via AZFW1 and AZFW2 - Use UDR.

    Option2: Spoke VNET <----> HUB VNET AZFW - Use the UDR -> default route towards AZFW for the Internet. VNET traffic without AZFW.

    Option3: Spoke VNET <---> HUB VNET AZFW - ALL traffic via the AZFW - Use UDR.

    (attached diagram: 194054-image.png)


  3. Mohamed Elashkr 21 Reputation points
    2022-04-18T09:38:51.25+00:00

    Hi @Somnath Kumar,

    Thank you for the quick reply and clear diagram!

    The design looks good, but one thing is not clear to me: if the request is coming from the internet to the Hub VM (this VM may be in a subnet, and in my case it is an Azure Application Gateway), then the UDR of this subnet would forward the traffic to Az-FW2 in the Hub. And every Azure FW, "AzFW2" and "AZFW1", would be deployed in an AzureFirewallSubnet (as expected).

    The open question for me: would AzFW2 (in its subnet) really route the incoming traffic from the Hub VM to AZFW1 (in its subnet)? If yes, would AZFW1 forward the traffic to the TEST VM?
    Please could you clarify how the Hub VM will route the traffic to AZFW2, then to AZFW1 and then to the TEST VM (there are two FW stations in between)? And how would you configure both Az-FWs so that the traffic works well between them?

    Thank you in advance,


  4. Somnath Kumar 76 Reputation points
    2022-04-19T02:10:30.05+00:00

    Hi mohamedelashkr-4024,

    How will the Hub VM route the traffic to AZFW2, then to AZFW1 and then to the TEST VM (there are two FW stations in between)? And how would you configure both Az-FWs so that the traffic works well between them?

    In my lab environment, I have 2 AZFWs (SKU: Standard, with firewall policy and forced tunneling enabled).

    Traffic flow: Test VM -> AZFW1 -> AZFW2 -> Hub VM

    The subnet of the test VM contains a UDR for the hub VM, which points to AZFW1. The NSG rule allows traffic to reach the hub VM.

    AZFW1 has 2 subnets: AzureFirewallSubnet and AzureFirewallManagementSubnet. A UDR (for the HUB VM address prefix) is attached to AzureFirewallSubnet, pointing to AZFW2 (there is no UDR attached to AzureFirewallManagementSubnet). This traffic is allowed by AZFW1's network rule.

    AZFW2 has 2 subnets: AzureFirewallSubnet and AzureFirewallManagementSubnet. There is a UDR attached to AzureFirewallSubnet (for the Test VM address prefix) which forwards traffic to AZFW1. This traffic is allowed by AZFW2's network rule.

    This traffic is directed towards AZFW2 by the UDR on Hub VM, and it is allowed by the NSG rule.

    I hope this helps. You can follow this article if you would like to keep the application gateway behind the AZFW.

    https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway

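The hop-by-hop path described in this answer (and in Option 1 of the earlier answer) can be checked before touching a subscription by modelling Azure's route selection: longest prefix match, with a user-defined route overriding a system route of the same prefix, and a virtual-appliance next hop re-evaluated against the route table of the firewall's own AzureFirewallSubnet. The script below is an added example written for this thread, not code from the answer's author or from any Azure tool; the VNet prefixes, subnet names and firewall private IPs are constructed assumptions. It traces Test VM -> AZFW1 -> AZFW2 -> Hub VM and the return path, and then shows what happens when the UDR on AZFW2's AzureFirewallSubnet is left out: the return traffic skips AZFW1 over the peering, so a stateful firewall sees only one direction of the flow.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str            # "VirtualAppliance", "VnetLocal", "VNetPeering" or "Internet"
    next_hop_ip: Optional[str] = None
    source: str = "System"        # "User" for a UDR entry, "System" for a default route


# Constructed lab addressing (assumption; the thread gives no prefixes).
SUBNETS: Dict[str, Tuple[str, str]] = {   # subnet -> (cidr, vnet)
    "spoke/TestVmSubnet": ("10.1.1.0/24", "spoke"),
    "spoke/AzureFirewallSubnet": ("10.1.0.0/26", "spoke"),
    "hub/HubVmSubnet": ("10.0.1.0/24", "hub"),
    "hub/AzureFirewallSubnet": ("10.0.0.0/26", "hub"),
}
VNETS = {"spoke": "10.1.0.0/16", "hub": "10.0.0.0/16"}
# Firewall private IP -> (name, subnet whose route table governs the firewall's egress)
APPLIANCES = {
    "10.1.0.4": ("AZFW1", "spoke/AzureFirewallSubnet"),
    "10.0.0.4": ("AZFW2", "hub/AzureFirewallSubnet"),
}

# UDRs as described in the answer: each VM subnet sends the remote prefix to its
# local firewall, and each AzureFirewallSubnet sends it on to the other firewall.
LAB_UDRS: Dict[str, List[Route]] = {
    "spoke/TestVmSubnet": [Route("10.0.1.0/24", "VirtualAppliance", "10.1.0.4", "User")],
    "spoke/AzureFirewallSubnet": [Route("10.0.1.0/24", "VirtualAppliance", "10.0.0.4", "User")],
    "hub/AzureFirewallSubnet": [Route("10.1.1.0/24", "VirtualAppliance", "10.1.0.4", "User")],
    "hub/HubVmSubnet": [Route("10.1.1.0/24", "VirtualAppliance", "10.0.0.4", "User")],
}


def system_routes(vnet: str) -> List[Route]:
    """Default routes every subnet gets: own VNet, peered VNet, then Internet."""
    routes = [Route("0.0.0.0/0", "Internet")]
    for name, cidr in VNETS.items():
        routes.append(Route(cidr, "VnetLocal" if name == vnet else "VNetPeering"))
    return routes


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; on an equal prefix a User route overrides a System route."""
    ip = ip_address(dst)
    candidates = [r for r in routes if ip in ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ip_network(r.prefix).prefixlen, r.source == "User"))


def subnet_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, (cidr, _vnet) in SUBNETS.items():
        if addr in ip_network(cidr):
            return name
    raise ValueError(f"{ip} is not in any modelled subnet")


def trace(src: str, dst: str, udrs: Dict[str, List[Route]]) -> List[str]:
    """Return the firewalls a packet from src to dst passes through, in order.
    Raises RuntimeError if the route tables send it round in a loop."""
    hops: List[str] = []
    current = subnet_of(src)
    visited = set()
    while current not in visited:
        visited.add(current)
        table = udrs.get(current, []) + system_routes(SUBNETS[current][1])
        route = select_route(table, dst)
        if route is None or route.next_hop_type != "VirtualAppliance":
            return hops                   # delivered directly over VNet, peering or Internet
        name, fw_subnet = APPLIANCES[route.next_hop_ip]
        hops.append(name)
        current = fw_subnet               # the firewall forwards out of its own subnet
    raise RuntimeError(f"routing loop at {current}: {hops}")


def check_symmetry(udrs: Dict[str, List[Route]], a: str, b: str):
    """A stateful firewall must see both directions of a flow, so the return path
    has to be the forward path reversed.  Returns (ok, forward_hops, return_hops)."""
    fwd, rev = trace(a, b, udrs), trace(b, a, udrs)
    return fwd == list(reversed(rev)), fwd, rev


if __name__ == "__main__":
    print("lab UDRs               :", check_symmetry(LAB_UDRS, "10.1.1.10", "10.0.1.10"))
    broken = {k: v for k, v in LAB_UDRS.items() if k != "hub/AzureFirewallSubnet"}
    print("no UDR on AZFW2 subnet :", check_symmetry(broken, "10.1.1.10", "10.0.1.10"))
```

The model deliberately leaves AzureFirewallManagementSubnet out, matching the answer's point that no UDR goes there: with forced tunneling the management subnet only carries the firewall's own control traffic, and the data path is decided entirely by the route table on AzureFirewallSubnet. Dropping any one of the four UDRs from `LAB_UDRS` and re-running the symmetry check shows which direction of the flow would bypass a firewall.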