Hello @mr58 ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to implement ExpressRoute connectivity between Azure and your customer's on-premises along with an Azure Firewall deployed in Azure which should inspect the to and fro traffic between Azure and on-premises. Please correct me if my understanding is incorrect.
For On-premise to Azure traffic:
- GatewaySubnet do not support 0.0.0.0/0 UDRs but it supports UDRs with other address prefixes.
- Hence, you can add a UDR to the ExpressRoute GatewaySubnet with the address prefix of your Vnet range with next hop type Virtual Appliance and IP address of your Azure firewall. This will make sure that any traffic that comes from your on-premises for your Azure Vnet range, when reaches your ExpressRoute gateway will be forwarded to the firewall for scanning.
NOTE : Propagate gateway routes should be set to "Enabled" on the GatewaySubnet to ensure availability of the gateway and to propagate your on-premises routes to the network interfaces in the subnet.
For example : If your Vnet address range is 10.0.0.0/16 then you can add a UDR to your ExpressRoute GatewaySubnet as below:
Address prefix : 10.0.0.0/16 --> Next hop = Virtual Appliance --> Next hop = IP address of Azure Firewall
So the routing from On-prem to Azure will go as below:
On-premises --> ExpressRoute gateway --> Azure firewall --> All subnets.
Return Azure to On-premise traffic:
Advertise a default route of 0.0.0.0/0 via BGP from your on-premises to Azure, so that all your Azure traffic is sent to your on-premises via the ExpressRoute circuit.
To filter all the traffic going out of Azure by the firewall, you can add a UDR with 0.0.0.0/0 on all the subnets (except the Firewall subnet) with next hop as your Azure Firewall.
This setup will take care of the routing from Azure to on-prem which will go as below:
All subnets --> Azure firewall --> ExpressRoute gateway --> On-premises.
When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm. If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:
User-defined route > BGP route > System route
User-defined routes are higher priority than BGP & default routes.
Refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#how-azure-selects-a-route
NOTE : Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity or stop advertising the default route from on-prem. Post this you can filter the outbound traffic within the Azure Firewall according to your needs by configuring network rules.
Refer : https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#is-forced-tunneling-chaining-to-a-network-virtual-appliance-supported
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.