Network routing between two express route circuit with Azure Firewall

Romain 45

Hello Guys,

I have a customer who need to have 2 express route circuit connected to two different data center (so one circuit for each DC) connected to a same Azure Vnet Gateway within a classic HUB and spoke azure environment.

Within the HUB Vnet they have an Azure Firewall implemented and they would like to be able to do transitive routing between these 2 express route circuit and being filtered by the Azure Firewall.

I searched in microsoft documentation but didn't found lot of details to see if this setup could work or not.

Is it the correct way to go or their is a better way ?

Thanks a lot in advance.

Regards,
Romain

Muhammad Umair 80 Reputation points

2023-09-14T13:58:06.0566667+00:00

To achieve transitive routing between two ExpressRoute circuits connected to different data centers, both connected to the same Azure VNet Gateway within a classic Hub-and-Spoke Azure environment, and have traffic filtered by an Azure Firewall in the Hub VNet, you can follow these steps:

Connect ExpressRoute Circuits: Ensure that each ExpressRoute circuit is connected to its respective data center.

Create Azure VNets: Create two separate Azure VNets, one for each data center. These VNets will be part of your Hub-and-Spoke architecture.

Configure Peering: Peer the VNets together within the Hub VNet. This enables transitive routing between the VNets through the Hub.

Azure Firewall: Deploy Azure Firewall in the Hub VNet. Configure it to allow traffic between the two peered VNets while enforcing security policies as needed. You will likely need to create Network Rules in Azure Firewall to control traffic flow.

Route Tables: Set up custom route tables in each Spoke VNet to route traffic to the ExpressRoute circuit and Azure Firewall in the Hub VNet. Ensure that the route tables are associated correctly with the subnets in the Spoke VNets.

ExpressRoute Configuration: Ensure that your ExpressRoute configurations (BGP, route propagation, etc.) are correctly set up to route traffic through the ExpressRoute circuits.

Testing and Monitoring: After the setup is complete, thoroughly test the connectivity and routing to ensure that traffic flows through the desired path and is filtered by Azure Firewall.

While this setup should work, it's essential to consider factors like routing, security policies, and ExpressRoute configurations carefully. You may also want to consult with Azure networking experts or a Microsoft Azure support engineer to ensure the setup aligns with best practices and meets your specific requirements. Azure networking can be complex, and expert guidance can be invaluable in ensuring a robust and secure architecture.

Accepted answer

msrini-MSFT 9,271 Reputation points Microsoft Employee

2023-09-17T10:53:02.27+00:00

Hi,

Yes, your setup will work. When you connect 2 circuits to the same VNET, the routes from each circuits are learnt by ER Gateway and are exchanges to the circuits. Transitive connectivity between DCs will be established.

You can think of ER Global reach to reduce extra hops and latency. If your intension is to use Firewall to filter traffic between 2 DCs, then your design should work.

Regards,

Karthik Srinivas
Please sign in to rate this answer.
Romain 45 Reputation points

2023-09-18T06:51:00.01+00:00

Hello,

Thanks for your update, what is the best/recommended way to do this kind of setup as your answer and the previous one are suggesting two different kind of setup (and the Microsoft documentation is lacking informations on this kind of infrastructure setup with multiple express route circuits and Azure Firewall...)

regards,

Romain

msrini-MSFT 9,271 Reputation points Microsoft Employee

2023-09-18T07:47:39.0533333+00:00

This is a known scenario where 2 DCs connect ti each other via Azure ER. Here is the reference: https://video2.skills-academy.com/en-us/azure/expressroute/expressroute-global-reach

Romain 45 Reputation points

2023-09-18T09:27:55.8566667+00:00

Hello,
I believe ER-Global Reach may not be the correct way to go for me as i want to perform traffic filtering between traffic who may come from on Express route Circuit to the other one...

My main concern is will i still be able to do traffic filtering even if both express route circuit will be connected to the same Express Route gateway (in the same vnet as the Azure Firewall ) ?

Thanks a lot for your help.

Regards,
Romain

msrini-MSFT 9,271 Reputation points Microsoft Employee

2023-09-18T10:32:20+00:00

Yes, you will. If you are not using Global reach the hair pinning of traffic happens on the ER gateway. If you want to filter traffic with Azure Firewall, you may need to add a UDR on the gateway subnet pointing to Azure Firewall or you can go with Azure vWAN.

Romain 45 Reputation points

2023-09-18T14:38:41.56+00:00

Thanks for the clarification, i already planned to use UDR on the Gateway subnet, i just hope their won't be any priority issues with routes learned by ER Gateway trough BGP.

Anyway thanks a lot for your help

Tomimma 0 Reputation points

2023-10-03T14:39:11.0466667+00:00

Hi Romain,

I am trying to design almost exactly the same as your situation except Azure firewall (no need this).

One Express Route from DC1 and another Express Route from DC2 will be connected to the same ER Gateway in the same VNET.

I just need hairpin routing at this ER Gateway without Azure Firewall, so that DC1 can connect to DC2 via this ER Gateway and vice versa.

Have you confirmed if this works?

I just can't test by myself since 2 x ExpressRoutes are not easy to deploy with my pocket money...

Thanks!

Romain 45 Reputation points

2023-10-03T19:40:36.8466667+00:00

Hi Tonimma,

In your case using azure expres route global reach should be enough and let you do ER to ER traffic.

Regards,
Romain

Tomimma 0 Reputation points

2023-10-03T21:30:46.3466667+00:00

Hi Romain

Thanks for your prompt reply. Really appreciated.

In my case, ExpressRoute global reach is not an option to use.

Having said that ER gateway can not hairpin routes from DC1 to DC2 and vice versa? without using ExpressRoute global reach?

Meaning it requires, either of the following:

ExpressRoute global reach

Azure Route Server

Thanks!
Sign in to comment

1 additional answer

Romain 45 Reputation points

2023-09-14T14:17:13.6766667+00:00

Hello,

Thanks for the quick update, so you would suggest to have two different vnet gateways (in two others vnet) and the Firewall within a hub vnet ?

I had this kind of setup in first place but are you sure transitive routing between two different vnet gateways will be possible in this kind of setup ?

Regards,

Romain
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Network routing between two express route circuit with Azure Firewall

1 additional answer