Filter P2S traffic through Azure Firewall to spokes

Cloudy 126 Reputation points

Hello !

I'm trying to force all the P2S traffic through Azure Firewall to be able to reach the spoke vnets.

I have the following topology :

  • 1 hub vnet (2 subnets: GatewaySubnet, AzureFirewallSubnet) with one VPN gateway and an Azure Firewall deployed
  • 1 spoke vnet (one subnet, with one Ubuntu VM connected to that subnet)
  • AzureFirewall private ip address :
  • P2S pool :
  • 1 UDR associated to the GatewaySubnet with the following routes

--> next hop (AzureFirewall)
--> next hop (AzureFirewall)

  • 1 UDR associated to the spoke vnet with the following route:

--> next hop (AzureFirewall)

I set on the firewall a network rule with Any to Any allow (for debug purposes).

When connected by using P2S, I'm not able to connect to the VM inside the spoke vnet using SSH, and nothing is shown in the firewall logs.
When disassociating the UDR on the GatewaySubnet, I'm able to SSH to the VM.

I'm not able to understand why nothing related to SSH is visible in the firewall logs.
The behavior is exactly the same by using a virtual wan (and for cost purposes, vWan is not possible in my case).

Any help appreciated
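Added example (not from the original post): Az PowerShell that builds the two UDRs described above, one for the GatewaySubnet and one for the spoke subnet, both pointing at the firewall so it sees both directions of the flow, and then checks the effective routes on the VM's NIC. Resource names, prefixes and the firewall IP are placeholders, since the post does not include them.

```powershell
# Added example, not from the original post. Every value below is a placeholder; replace them.
$rg            = 'rg-hub-spoke'      # placeholder resource group
$location      = 'westeurope'        # placeholder region
$fwPrivateIp   = '10.0.1.4'          # placeholder: Azure Firewall private IP (AzureFirewallSubnet)
$p2sPool       = '172.16.0.0/24'     # placeholder: P2S client address pool
$spokePrefix   = '10.1.0.0/16'       # placeholder: spoke vnet address space
$hubVnetName   = 'vnet-hub'          # placeholder
$spokeVnetName = 'vnet-spoke'        # placeholder
$spokeSubnet   = 'snet-workload'     # placeholder: subnet hosting the Ubuntu VM
$vmNicName     = 'nic-vm-ubuntu'     # placeholder: NIC of the Ubuntu VM

# 1. Route table for the GatewaySubnet: only the spoke prefix(es) are steered to the firewall.
#    Do not put a 0.0.0.0/0 route here; Azure does not support a default route on the GatewaySubnet.
$gwRoute = New-AzRouteConfig -Name 'to-spoke-via-fw' -AddressPrefix $spokePrefix `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$gwRt = New-AzRouteTable -Name 'rt-gatewaysubnet' -ResourceGroupName $rg -Location $location -Route $gwRoute

# 2. Route table for the spoke subnet: return traffic towards the P2S pool also goes via the firewall,
#    so the firewall sees both directions and the flow is not asymmetric (asymmetric flows never log).
$spokeRoute = New-AzRouteConfig -Name 'to-p2s-clients-via-fw' -AddressPrefix $p2sPool `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$spokeRt = New-AzRouteTable -Name 'rt-spoke' -ResourceGroupName $rg -Location $location -Route $spokeRoute

# 3. Associate each table with its subnet (the subnet's existing prefix must be passed back in).
$hub      = Get-AzVirtualNetwork -Name $hubVnetName -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $hub
Set-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $hub `
    -AddressPrefix $gwSubnet.AddressPrefix -RouteTable $gwRt | Out-Null
$hub | Set-AzVirtualNetwork | Out-Null

$spoke    = Get-AzVirtualNetwork -Name $spokeVnetName -ResourceGroupName $rg
$workload = Get-AzVirtualNetworkSubnetConfig -Name $spokeSubnet -VirtualNetwork $spoke
Set-AzVirtualNetworkSubnetConfig -Name $spokeSubnet -VirtualNetwork $spoke `
    -AddressPrefix $workload.AddressPrefix -RouteTable $spokeRt | Out-Null
$spoke | Set-AzVirtualNetwork | Out-Null

# 4. Verify: on the VM NIC the P2S pool must resolve to NextHopType VirtualAppliance with the
#    firewall IP. If it still shows VirtualNetworkGateway, the spoke UDR is not in effect.
Get-AzEffectiveRouteTable -NetworkInterfaceName $vmNicName -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains $p2sPool } |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress
```

Once traffic shows up in the firewall logs, the debug Any-to-Any network rule can be narrowed to the P2S pool as source, the spoke prefix as destination and TCP/22 only.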


1 answer

  1. Cloudy 126 Reputation points

    Dear @GitaraniSharma-MSFT ,

    I finally made it work by playing with the UDR :)

    Thanks for your help!