Azure Firewall & VPN/ExpressRoute UDRs

mr58 41 Reputation points
2022-05-12T22:54:51.283+00:00

Hi all,

I have a customer who has an Azure environment in place, and I'm coming in to provide an assessment and guidance on their future Azure architecture. They have a hybrid configuration where they're connecting multiple on-premises data centers to an Azure hub network via S2S VPN with a third-party NVA. I have not seen their environment yet, as this is illustrated in some network diagrams we received from them, although it looks like they've followed best practices overall.

From a design perspective, they currently have a production and disaster recovery data center whereas in Azure they only have a presence in East US. So I'm going into this engagement with the impression they'll likely want a second presence which I'd suggest West US since that'll be the peered region for East US.

I'm doing some research on how to best approach their networking configuration moving forward. Since the goal is to move most of their workloads to Azure, and I'm assuming they'll need some on-premise network connectivity initially, I'd recommend deploying an ExpressRoute as I'm of the impression the S2S VPN works but I wouldn't bet my job on it from a stability perspective.

My thoughts are, if they aren't doing this already, they should have UDRs set up to route all traffic from hub and spoke VNETs to the NVA or Azure Firewall for inbound and outbound internet connectivity.

My question is what's the best practice when it comes to routing traffic coming from one of their data centers to a virtual machine in Azure? From what I'm reading, ExpressRoute doesn't play nice with providing a 0.0.0.0/0 route to the next hop being an Azure Firewall. My thoughts are any traffic that originates from a machine in Azure goes to the firewall and then the internet. If there's a machine that lives in the datacenter then it should go through whatever network infrastructure is in place and out the firewall there. Ideally, if a machine from on-premises needs to connect to a machine in Azure, the traffic will flow through the firewall and vice versa.

Does anyone have any experience with UDRs, Azure Firewall, and ExpressRoute that they could share in a scenario like this? Thanks!


Accepted answer
GitaraniSharma-MSFT 49,601 Reputation points Microsoft Employee
2022-05-16T11:11:13.98+00:00

    Hello @mr58 ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to implement ExpressRoute connectivity between Azure and your customer's on-premises along with an Azure Firewall deployed in Azure which should inspect the to and fro traffic between Azure and on-premises. Please correct me if my understanding is incorrect.

    For On-premise to Azure traffic:

    • GatewaySubnet does not support 0.0.0.0/0 UDRs, but it supports UDRs with other address prefixes.
    • Hence, you can add a UDR to the ExpressRoute GatewaySubnet with the address prefix of your Vnet range with next hop type Virtual Appliance and IP address of your Azure firewall. This will make sure that any traffic that comes from your on-premises for your Azure Vnet range, when it reaches your ExpressRoute gateway, will be forwarded to the firewall for scanning.

    NOTE : Propagate gateway routes should be set to "Enabled" on the GatewaySubnet to ensure availability of the gateway and to propagate your on-premises routes to the network interfaces in the subnet.

    For example : If your Vnet address range is 10.0.0.0/16 then you can add a UDR to your ExpressRoute GatewaySubnet as below:
    Address prefix : 10.0.0.0/16 --> Next hop = Virtual Appliance --> Next hop = IP address of Azure Firewall
    So the routing from On-prem to Azure will go as below:
    On-premises --> ExpressRoute gateway --> Azure firewall --> All subnets.

    Return Azure to On-premise traffic:

    Advertise a default route of 0.0.0.0/0 via BGP from your on-premises to Azure, so that all your Azure traffic is sent to your on-premises via the ExpressRoute circuit.
    To filter all the traffic going out of Azure by the firewall, you can add a UDR with 0.0.0.0/0 on all the subnets (except the Firewall subnet) with next hop as your Azure Firewall.
    This setup will take care of the routing from Azure to on-prem which will go as below:
    All subnets --> Azure firewall --> ExpressRoute gateway --> On-premises.

    When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm. If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:
    User-defined route > BGP route > System route
    User-defined routes are higher priority than BGP & default routes.
    Refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#how-azure-selects-a-route

    NOTE : Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity or stop advertising the default route from on-prem. Post this you can filter the outbound traffic within the Azure Firewall according to your needs by configuring network rules.
    Refer : https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#is-forced-tunneling-chaining-to-a-network-virtual-appliance-supported

    Kindly let us know if the above helps or you need further assistance on this issue.


    2 people found this answer helpful.
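The accepted answer describes three route tables (GatewaySubnet, workload subnets, AzureFirewallSubnet) plus the routes learned from on-premises via BGP, and states the selection rule Azure applies: longest prefix match first, then user-defined > BGP > system when prefixes tie. The following Python model is an added example, not code from the thread or from Microsoft; the VNet range 10.0.0.0/16 comes from the answer, while the firewall IP 10.0.1.4 and on-premises range 192.168.0.0/16 are constructed. It applies the stated selection rule to the answer's route tables and also covers the edge case that rule implies: when on-premises advertises its own specific prefix via BGP in addition to 0.0.0.0/0, a workload subnet's 0.0.0.0/0 UDR loses the longest-prefix comparison, so on-prem-bound traffic bypasses the firewall unless a UDR for that prefix also points at the firewall (or gateway route propagation is disabled on that subnet).

```python
import ipaddress

# Route-type priority used only when several matching routes share the same
# prefix length: user-defined > BGP > system (the rule quoted in the answer).
PRIORITY = {"UDR": 0, "BGP": 1, "System": 2}

VNET = "10.0.0.0/16"            # VNet range from the answer
FIREWALL_IP = "10.0.1.4"        # constructed: Azure Firewall private IP
ONPREM = "192.168.0.0/16"       # constructed: on-premises address range


def route(prefix, kind, next_hop_type, next_hop=None):
    return {"prefix": ipaddress.ip_network(prefix), "kind": kind,
            "next_hop_type": next_hop_type, "next_hop": next_hop}


# Routes the ExpressRoute gateway propagates into every subnet that has
# "propagate gateway routes" enabled. On-premises advertises both its own
# range and, as the answer suggests, a default route.
BGP_ROUTES = [
    route(ONPREM, "BGP", "VirtualNetworkGateway"),
    route("0.0.0.0/0", "BGP", "VirtualNetworkGateway"),
]
# Azure's built-in route for the VNet's own address space.
SYSTEM_ROUTES = [route(VNET, "System", "VirtualNetwork")]

# User-defined routes per subnet, as laid out in the answer, plus one
# hardened workload table that adds a specific UDR for the on-prem range.
ROUTE_TABLES = {
    "GatewaySubnet": [route(VNET, "UDR", "VirtualAppliance", FIREWALL_IP)],
    "WorkloadSubnet": [route("0.0.0.0/0", "UDR", "VirtualAppliance", FIREWALL_IP)],
    "WorkloadSubnetWithOnPremUDR": [
        route("0.0.0.0/0", "UDR", "VirtualAppliance", FIREWALL_IP),
        route(ONPREM, "UDR", "VirtualAppliance", FIREWALL_IP),
    ],
    "AzureFirewallSubnet": [route("0.0.0.0/0", "UDR", "Internet")],
}


def effective_routes(subnet):
    return ROUTE_TABLES.get(subnet, []) + BGP_ROUTES + SYSTEM_ROUTES


def select_route(subnet, destination):
    """Longest prefix match first, then route-type priority on ties."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in effective_routes(subnet) if dst in r["prefix"]]
    return min(candidates,
               key=lambda r: (-r["prefix"].prefixlen, PRIORITY[r["kind"]]))


def next_hop(subnet, destination):
    r = select_route(subnet, destination)
    if r["next_hop"] is None:
        return r["next_hop_type"]
    return f"{r['next_hop_type']}({r['next_hop']})"


def trace(subnet, destination, max_hops=5):
    """Follow selected next hops until traffic leaves the VNet or is delivered.
    A VirtualAppliance hop continues from AzureFirewallSubnet, because the
    firewall forwards using its own subnet's effective routes."""
    path = [subnet]
    for _ in range(max_hops):
        t = select_route(subnet, destination)["next_hop_type"]
        if t == "VirtualAppliance":
            path.append("AzureFirewall")
            subnet = "AzureFirewallSubnet"
        elif t == "VirtualNetworkGateway":
            return path + ["ExpressRouteGateway", "On-premises"]
        elif t == "Internet":
            return path + ["Internet"]
        else:  # VirtualNetwork: delivered directly inside the VNet
            return path + ["VirtualNetwork"]
    return path + ["routing loop"]


if __name__ == "__main__":
    for subnet, dst in [("GatewaySubnet", "10.0.2.10"),
                        ("WorkloadSubnet", "8.8.8.8"),
                        ("WorkloadSubnet", "192.168.1.5"),
                        ("WorkloadSubnetWithOnPremUDR", "192.168.1.5"),
                        ("AzureFirewallSubnet", "8.8.8.8")]:
        print(f"{subnet:28s} -> {dst:12s} {next_hop(subnet, dst):28s} {' > '.join(trace(subnet, dst))}")
```

The model shows the two paths the answer draws (gateway to firewall to subnets, and subnets to firewall to gateway) and the note about AzureFirewallSubnet keeping a UDR to Internet that beats the BGP default route. It deliberately ignores NSGs, route tables with propagation disabled and the firewall's own rule processing; it only reproduces route selection.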
