How to connect my Azure firewall with VPN gateway

Deepaklal-FT 66 Reputation points
2023-02-06T08:53:54.92+00:00

I have a VPN gateway configured in Azure to redirect an external call via that.

I wanted to continue this redirection, which requires Azure Firewall filtration too.

Now my VM is calling a URL, https://abcd.xyz.com/asd/; this resolves to an IP, 123.34.56.789. This traffic is going smoothly via the VPN gateway. How can I include the Firewall in between this communication or egress call?


1 answer

  1. GitaraniSharma-MSFT 49,256 Reputation points Microsoft Employee
    2023-02-07T13:51:44.4366667+00:00

    Hello @Deepaklal-FT ,

    Thank you for sharing the requested details.

    I understand that you have a site-to-site connection between 2 Azure Vnets and a VM from one of the Vnets is accessing an external URL https://abcd.xyz.com/asd/ which you would like to send through Azure Firewall and not directly.

    You can use the same configuration as mentioned in the below doc with a few modifications:

    https://video2.skills-academy.com/en-us/azure/firewall/tutorial-hybrid-portal-policy

    You deploy the Azure Firewall in your Vnet where the VM accesses the URL https://abcd.xyz.com/asd/. Since Azure Firewall requires its own dedicated subnet called "AzureFirewallSubnet", it will be deployed in a separate subnet from the VM subnet as below:

    [image attached by the author]

    Refer: https://video2.skills-academy.com/en-us/azure/firewall/tutorial-firewall-deploy-portal

    Now, you will have the Vnet where Azure Firewall and VM accessing the external URL are present and it is already connected to the other Vnet with a Site-to-Site VPN connection.

    Then, you need to create a UDR (User Defined Route) within a Route table and attach the same to the VM subnet pointing to the next hop Azure firewall with a destination address prefix 0.0.0.0/0. Then add an application rule within the Azure Firewall to allow/deny the specified URL and any other specific network/application rules as per your requirement.

    Refer: https://video2.skills-academy.com/en-us/azure/firewall/tutorial-firewall-deploy-portal-policy#configure-an-application-rule

    Since your Azure Firewall will be in the same Vnet as your VM, the default Virtual network routing will take effect.

    Refer: https://video2.skills-academy.com/en-us/azure/virtual-network/virtual-networks-udr-overview#how-azure-selects-a-route

    Meaning, the subnet will send all your VPN traffic via VPN gateway as it has a specific route and any external Internet traffic via Azure Firewall because when outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

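The route table, subnet attachment and application rule that the answer describes, written out as a Bicep template. This is an added example, not code from the answer or from the linked Microsoft tutorials; the VNet, subnet, policy and parameter names are assumptions, and the firewall with its policy is assumed to be deployed already.

```bicep
param location string = resourceGroup().location
param firewallPrivateIp string      // private IP of the firewall, e.g. 10.0.1.4 (assumed value)
param vmSubnetPrefix string = '10.0.0.0/24'
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'vnet-hub' }
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = { name: 'afw-policy' }
// UDR 0.0.0.0/0 -> firewall. Gateway route propagation stays on, so the VPN
// gateway's more specific prefixes still win by longest prefix match; setting
// disableBgpRoutePropagation to true would pull the VPN traffic into the firewall too.
resource rt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-snet-vm'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [ {
      name: 'default-via-azfw'
      properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
    } ]
  }
}
// Attach the route table to the VM subnet only, never to AzureFirewallSubnet.
// (Redeploying a subnet resource replaces its properties; keep any NSG reference here.)
resource vmSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'snet-vm'
  properties: { addressPrefix: vmSubnetPrefix, routeTable: { id: rt.id } }
}
// Application rule: allow HTTPS to the FQDN only. Without TLS inspection the
// firewall matches the SNI host name, so the /asd/ path is not filterable here.
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultApplicationRuleCollectionGroup'
  properties: {
    priority: 300
    ruleCollections: [ {
      ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
      name: 'rc-allow-egress'
      priority: 100
      action: { type: 'Allow' }
      rules: [ {
        ruleType: 'ApplicationRule'
        name: 'allow-abcd-xyz-com'
        protocols: [ { protocolType: 'Https', port: 443 } ]
        sourceAddresses: [ vmSubnetPrefix ]
        targetFqdns: [ 'abcd.xyz.com' ]
      } ]
    } ]
  }
}
```

After deployment, the effective routes of the VM's NIC should show the site-to-site prefixes with next hop VirtualNetworkGateway and 0.0.0.0/0 with next hop VirtualAppliance, which is the split the answer relies on.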