Azure secured hub with cross tenant Vnet peering

Oldrich Srubar 61 Reputation points
2022-05-16T15:15:49.55+00:00

Hello,

I am facing a challenge in Azure networking and I am really trying to figure it out, but without luck at the moment.

I have configured a secured virtual hub in vWAN (Virtual WAN + Virtual hub + Azure Firewall). The thing is that there is a requirement to configure cross tenant Vnet peering into the secured virtual hub. I successfully managed that thanks to these docs and some code modification:
https://learn.microsoft.com/en-us/azure/virtual-wan/cross-tenant-vnet

The peering above cannot be configured via the Azure portal, so everything must be done via PowerShell. After deployment I noticed that the Vnet from the other tenant was successfully added to the virtual network connections in Virtual WAN, but I am not able to configure inspection of private traffic via Azure Firewall Manager in the Security configuration deployed in this secured hub:
202327-image.png

I wasn't able to find any PS cmdlet that can modify these settings, and the question is whether it is even possible to configure this.

Thank you.


Accepted answer
    GitaraniSharma-MSFT 47,006 Reputation points Microsoft Employee
    2022-07-22T13:33:09.643+00:00

    Hello @Oldrich Srubar ,

    Apologies for the delay in response.

    I understand that you are unable to configure inspection of private traffic via Azure Firewall in Security configuration deployed in your secured hub for the cross tenant peered Vnet.

    I reproduced this issue in my lab and found that this is happening because Propagate RT was set to default in the cross tenant Vnet connection, which was bypassing the Azure Firewall from the virtual hub to the spoke Vnet.

    223785-image.png

    I tried setting "Propagate to None" to Yes in the cross tenant Vnet connection, but it failed with a permission error as below:

    223817-image.png

    223776-image.png

    So, I deleted the cross tenant Vnet connection from the portal and created the cross tenant Vnet connection again via Azure PowerShell using the "-RoutingConfiguration" parameter as below:

    When connected to the remote/spoke subscription account:

    # Run in the remote/spoke tenant context (Connect-AzAccount against the spoke tenant,
    # then select the spoke subscription). The resulting object is passed to the hub-side
    # New-AzVirtualHubVnetConnection call below.
    $remote = Get-AzVirtualNetwork -Name "remotevnet" -ResourceGroupName "remoterg"

    When connected to the parent/hub subscription account:

    # Run in the parent/hub tenant context (Connect-AzAccount against the hub subscription).
    # The connection stays associated with defaultRouteTable so the spoke learns the hub's routes,
    # but it propagates only to noneRouteTable (label "none"), which is the "Propagate to None = Yes"
    # setting: the spoke's prefixes are kept out of defaultRouteTable, so traffic between spokes
    # can only flow via the Azure Firewall routes in the hub instead of bypassing it.
    $rt1 = Get-AzVHubRouteTable -ResourceGroupName "rg1" -VirtualHubName "hub1" -Name "defaultRouteTable"
    $rt2 = Get-AzVHubRouteTable -ResourceGroupName "rg1" -VirtualHubName "hub1" -Name "noneRouteTable"
    # -AssociatedRouteTable: table the connection uses; -Label/-Id: tables it propagates to
    $routingconfig = New-AzRoutingConfiguration -AssociatedRouteTable $rt1.Id -Label @("none") -Id @($rt2.Id)
    New-AzVirtualHubVnetConnection -ResourceGroupName "rg1" -VirtualHubName "hub1" -Name "crossconnect" -RemoteVirtualNetwork $remote -RoutingConfiguration $routingconfig

    Refer: https://learn.microsoft.com/en-us/powershell/module/az.network/new-azvirtualhubvnetconnection?view=azps-8.1.0#example-3

    The above commands created the cross tenant Vnet connection with the Propagate to None option set to Yes, and when I checked the Security configuration deployed in my secured hub, I could see the cross tenant Vnet secured via Azure Firewall.

    223862-image.png

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

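The accepted answer traces the unsecured spoke to a connection that propagates to the default route table. The following audit script is an added example, not code from the answer above, that lists every VNet connection on a hub and flags the ones still propagating to defaultRouteTable, so a misconfigured (or re-created) cross-tenant connection shows up before it silently bypasses the firewall. It assumes Az.Network is installed, Connect-AzAccount has been run against the hub subscription, and the resource group / hub names are placeholders; it reads the connection's routing configuration as the answer describes rather than querying Firewall Manager's own security state.

```powershell
# Added example (not from the original answer): audit hub VNet connections for
# propagation to defaultRouteTable, the condition that let the cross-tenant
# spoke bypass Azure Firewall in the thread above.
param(
    [string]$ResourceGroupName = 'rg1',   # placeholder, as in the answer
    [string]$VirtualHubName    = 'hub1'   # placeholder, as in the answer
)

function Test-HubConnectionSecured {
    param([Parameter(Mandatory)] $Connection)

    $cfg = $Connection.RoutingConfiguration

    # Route table IDs this connection propagates its prefixes into
    $propagatedIds = @()
    if ($cfg.PropagatedRouteTables -and $cfg.PropagatedRouteTables.Ids) {
        $propagatedIds = @($cfg.PropagatedRouteTables.Ids | ForEach-Object { $_.Id })
    }
    $labels = @()
    if ($cfg.PropagatedRouteTables -and $cfg.PropagatedRouteTables.Labels) {
        $labels = @($cfg.PropagatedRouteTables.Labels)
    }

    # Propagating to defaultRouteTable lets other spokes reach this VNet directly,
    # skipping the firewall. "Propagate to None = Yes" means the only propagation
    # target is noneRouteTable (label "none").
    $toDefault = @($propagatedIds | Where-Object { $_ -like '*/hubRouteTables/defaultRouteTable' }).Count -gt 0
    $toNone    = @($propagatedIds | Where-Object { $_ -like '*/hubRouteTables/noneRouteTable' }).Count -gt 0

    [pscustomobject]@{
        Connection           = $Connection.Name
        AssociatedRouteTable = ($cfg.AssociatedRouteTable.Id -split '/')[-1]
        PropagatedLabels     = ($labels -join ',')
        PropagatesToDefault  = $toDefault
        PropagateToNoneOnly  = ($toNone -and -not $toDefault)
    }
}

# List every connection on the hub; rows with PropagatesToDefault = True need the
# -RoutingConfiguration fix from the accepted answer.
Get-AzVirtualHubVnetConnection -ResourceGroupName $ResourceGroupName -VirtualHubName $VirtualHubName |
    ForEach-Object { Test-HubConnectionSecured -Connection $_ } |
    Format-Table -AutoSize
```

The hub route table IDs end in `/hubRouteTables/defaultRouteTable` and `/hubRouteTables/noneRouteTable`, which is what the wildcard matches rely on; custom route tables show up only in the PropagatedLabels column.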
