Info about custom routing and UDRs with Azure Firewall and VPN gateway transit in a hub & spoke model

Denis Dal Molin 51 Reputation points
2022-09-30T20:48:27.893+00:00

Hi everyone,
I have configured an architecture in my lab as follows:

[image: lab architecture diagram]

From the left in the hub network I deployed an Azure Firewall because all traffic must go through.
The hub network on the right is in another subscription; specifically, it is an Azure virtual hub.

Next I created two route tables:

  1. one connected to the GatewaySubnet
  2. one connected to the subnet in the spoke vnet that is peered with hub network

In the peering configuration between the vnets, the transit gateway option has been enabled.
The vnet-to-vnet connection was configured with BGP enabled. In such a connection, network traffic will flow into the Microsoft backbone network.

Traffic flow works in both configurations:

  1. with UDRs required to get traffic through the Azure firewall
  2. without the UDRs

In the example above I configured the two route tables as follows:

[images: the two route tables]

In the two routing tables I disabled the option propagate gateway routes.

I checked the flow and hops with network watcher and everything looks correct as desired:

[image: Network Watcher next hop result]

Since I can't control the default routes in the subnet, I can't figure out how the Azure firewall knows how to route the traffic.
I thought the Azure firewall didn't act as routing but only did packet filtering and other checks.

I thank in advance those who will help me clarify this doubt.


Accepted answer
  1. KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee
    2022-10-03T04:16:43.323+00:00

    Hi @Denis Dal Molin ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you would like to understand more about packet routing feature of Azure Firewall.

    Azure Firewall can indeed do packet routing, just like any other NVA.

    You can consider the "Block/allow" action of Azure Firewall something like NSG and not UDR.
    This means Azure Firewall will always learn the routes of Spoke VNets and on-premises address ranges (just like any other VM in the Hub VNet would).
    As long as there is an allow rule for Spoke VNets' traffic, packets are not dropped and routed accordingly.

    P.S.: You can use the above behavior of Azure Firewall to achieve transit routing between two Spoke VNets.

    Now, in your case, with UDR

    Consider a VM in Spoke (Left)

    • You have a route table with 0.0.0.0/0 --------> Azure Firewall with Propagate Gateway routes disabled.
    • So, any traffic (other than that destined to Hub) will go to the Firewall
    • Now, there is no route table in Firewall
    • So, the Firewall would know the next hop as the Gateway
    • And from Gateway, the packet goes via Vnet-to-Vnet connection

    Consider a VM in Spoke/Hub (Right)

    • Any traffic destined to left goes via vHub.
    • And from the vHub, the packet goes via the VNet-to-VNet connection and reaches the Gateway on the left
    • You have a route table with Left VNets (10.2.0.0/23) --------> Azure Firewall with Propagate Gateway routes disabled.
    • So, any traffic destined to 10.2.0.0/23 will go to the Firewall
    • Now, there is no route table in Firewall
    • So, the Firewall would know the next hop is the Spoke VNet by the "default routes" learnt from Peering.

    Without UDR

    • Both To and Fro traffic would skip the Azure Firewall if you do not have a route table in Spoke VNet and Gateway Subnet
    • But traffic is still allowed

    I hope this helps.
    In case my understanding of your question is incorrect, please do let me know and I shall try to address your concern.

    Cheers,
    Kapil

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

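The route lookups Kapil walks through can be checked offline with a small model of Azure's effective-route selection (longest prefix wins; for the same prefix a user-defined route beats a gateway-propagated route, which beats a system route). This is an added example, not code from the thread or from Microsoft; every address except the spoke's 10.2.0.0/23 is assumed, as is the firewall's private IP.

```python
import ipaddress
from dataclasses import dataclass

# Only 10.2.0.0/23 comes from the thread; the rest are assumed lab values.
HUB = "10.1.0.0/24"          # hub VNet holding AzureFirewallSubnet and GatewaySubnet
LEFT_SPOKE = "10.2.0.0/23"   # spoke VNet peered to the hub (from the thread)
RIGHT_SIDE = "10.3.0.0/16"   # prefix learned from the VNet-to-VNet connection via BGP
FIREWALL_IP = "10.1.0.4"     # Azure Firewall private IP used as the UDR next hop

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str       # VirtualNetwork, VNetPeering, VirtualNetworkGateway, VirtualAppliance, Internet
    next_hop: str = ""       # only set for VirtualAppliance
    source: str = "Default"  # Default (system), VirtualNetworkGateway (propagated), User (UDR)

PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}  # tie-break for equal prefixes

def effective_routes(system, udr=None, disable_gateway_propagation=False):
    """Effective routes of a subnet: system routes (minus propagated ones if disabled) plus UDRs."""
    routes = [r for r in system
              if not (disable_gateway_propagation and r.source == "VirtualNetworkGateway")]
    return routes + list(udr or [])

def next_hop(routes, dst):
    """Longest-prefix match, then source priority; mirrors Network Watcher's next hop check."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in routes if ip in ipaddress.ip_network(r.prefix)),
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -PRIORITY[r.source]))
    return (best.next_hop_type, best.next_hop)

def hub_subnet_system_routes():   # what any hub subnet learns with no route table attached
    return [Route(HUB, "VirtualNetwork"), Route(LEFT_SPOKE, "VNetPeering"),
            Route(RIGHT_SIDE, "VirtualNetworkGateway", source="VirtualNetworkGateway"),
            Route("0.0.0.0/0", "Internet")]

def spoke_subnet_system_routes():  # spoke peered with "use remote gateway" enabled
    return [Route(LEFT_SPOKE, "VirtualNetwork"), Route(HUB, "VNetPeering"),
            Route(RIGHT_SIDE, "VirtualNetworkGateway", source="VirtualNetworkGateway"),
            Route("0.0.0.0/0", "Internet")]

TO_FIREWALL = Route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP, "User")      # spoke UDR
LEFT_TO_FIREWALL = Route(LEFT_SPOKE, "VirtualAppliance", FIREWALL_IP, "User")  # GatewaySubnet UDR
spoke_with_udr = effective_routes(spoke_subnet_system_routes(), [TO_FIREWALL], True)
spoke_no_udr = effective_routes(spoke_subnet_system_routes())
firewall_subnet = effective_routes(hub_subnet_system_routes())            # no route table
gateway_subnet = effective_routes(hub_subnet_system_routes(), [LEFT_TO_FIREWALL], True)

if __name__ == "__main__":
    for name, routes, dst in [("spoke VM -> right", spoke_with_udr, "10.3.0.10"),
                              ("firewall -> right", firewall_subnet, "10.3.0.10"),
                              ("gateway -> left", gateway_subnet, "10.2.0.10"),
                              ("firewall -> left", firewall_subnet, "10.2.0.10")]:
        print(f"{name}: {next_hop(routes, dst)}")
```

The firewall subnet has no UDR, so its lookups fall through to the peering and gateway-propagated system routes, which is exactly why the firewall can forward in both directions without any routing configuration of its own.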
