Configuration of an external firewall + ExpressRoute

Philipp Gerber 251 Reputation points
2023-09-19T06:16:27.5466667+00:00

Hello Community,

I read a few threads here in the forum about a similar case, but the answer wasn't 100 percent clear to me.

The following structure:

I have an ExpressRoute via a VPN gateway in Azure, which is connected to OnPrem.

An NVA (not from Microsoft) should now be configured in Azure to examine the traffic between OnPrem <> Azure.

This NVA has already been deployed in a subnet in Azure (hub network).

Now the questions about configuration:

In order for the path from OnPrem to Azure to go over the firewall, I have to inform the gateway subnet about the Azure networks via UDRs over the NVA in Azure, right?

That's understandable to me.

But how do I configure the way from Azure back to OnPrem over the Azure NVA?

It is clear that I have to give all Azure subnets the UDR so that, for example, the OnPrem networks can be reached via the Azure Firewall.

But then what is the next step on the NVA?

I have often read that on the Azure NVA I have to set the routes to OnPrem to the Virtual Network Gateway (ExpressRoute) in Azure.

But here the question arises, how?

Which IP must the route be set to in the Azure NVA?

Where can I find the address of the Virtual Network Gateway (ExpressRoute) in Azure which I have to specify as the next hop address in the route in the firewall in Azure?

Thanks a lot.

Regards,
Phil


1 answer

  1. KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee
    2023-09-19T06:52:20.81+00:00

    @Philipp Gerber

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to know more about the configuration for inspecting traffic between Azure and OnPrem via ExR or VPN Gateway.

    Wrt the statement, "I have an ExpressRoute via a VPN gateway in Azure, which is connected to OnPrem."

    • I take it that this is a VNet Gateway and not a VPN Gateway.

    I see you are already clear about the OnPrem to Azure part.

    • As you mentioned, attaching a Route Table with UDR pointing Azure address range to the NVA IP would do the trick.

    Azure to OnPrem Part:

    • With the ExpressRoute, all the VMs would automatically learn the next hop for the OnPrem address range.
    • When you add a Route table to the subnets, you are actually overriding these System/BGP routes via a UDR (custom route) and making them point to the NVA.
    • However, you will not be adding any such Route table to the NVA's subnet.
    • This means the NVA is aware of the next hop as ExpressRoute via System routes.
      • i.e., the System route was not overridden by any UDRs.
    • So, once the NVA inspects/processes the traffic and allows it, the platform would take care of the routing to OnPrem.
    • E.g.,
      • In case the target address is 10.1.0.10, the NVA should send the traffic to 10.1.0.10 only.
        • Azure will take care of routing at the platform level.

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
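As an added illustration (example code, not from the thread or from Microsoft) of the route-table layout described in the answer above, using the Az PowerShell module: the GatewaySubnet steers OnPrem-to-Azure traffic to the NVA, the workload subnets steer Azure-to-OnPrem traffic to the NVA, and the NVA's own subnet gets no route table. Resource group, VNet, subnet and NIC names, the NVA IP and all address ranges are assumed placeholders.

```powershell
# Added example (not the thread's own configuration). All names and ranges below are assumptions.
$rg         = 'rg-hub'
$location   = 'westeurope'
$hubVnet    = 'vnet-hub'
$nvaIp      = '10.0.1.4'        # private IP of the NVA's inside interface (assumed)
$azureCidr  = '10.0.0.0/16'     # hub VNet range that must be reached via the NVA (assumed)
$onPremCidr = '192.168.0.0/16'  # OnPrem range advertised over ExpressRoute (assumed)

# 1) GatewaySubnet: traffic arriving from OnPrem over ExpressRoute and destined for Azure
#    is handed to the NVA first. Use specific prefixes here; 0.0.0.0/0 on the GatewaySubnet is not supported.
$toNva = New-AzRouteConfig -Name 'azure-via-nva' -AddressPrefix $azureCidr `
    -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp
$gwRt = New-AzRouteTable -Name 'rt-gatewaysubnet' -ResourceGroupName $rg -Location $location -Route $toNva

# 2) Workload subnets: overrides the system/BGP route for the OnPrem prefix so that
#    Azure-to-OnPrem traffic goes to the NVA instead of straight to the gateway.
$toOnPrem = New-AzRouteConfig -Name 'onprem-via-nva' -AddressPrefix $onPremCidr `
    -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp
$wlRt = New-AzRouteTable -Name 'rt-workload' -ResourceGroupName $rg -Location $location -Route $toOnPrem

# 3) Attach the tables. The NVA subnet ('snet-nva', assumed) is deliberately left without a
#    route table, so it keeps the system route that points the OnPrem prefix at the ExpressRoute gateway.
$vnet = Get-AzVirtualNetwork -Name $hubVnet -ResourceGroupName $rg
$gw   = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$wl   = Get-AzVirtualNetworkSubnetConfig -Name 'snet-workload' -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'GatewaySubnet' `
    -AddressPrefix $gw.AddressPrefix -RouteTable $gwRt | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-workload' `
    -AddressPrefix $wl.AddressPrefix -RouteTable $wlRt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 4) Check what the platform will do with OnPrem-bound traffic leaving the NVA's NIC ('nic-nva', assumed):
#    the effective route for the OnPrem prefix should show NextHopType 'VirtualNetworkGateway',
#    which is why no next-hop IP for the gateway has to be configured on the NVA itself.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'nic-nva' -ResourceGroupName $rg |
    Where-Object { $_.NextHopType -eq 'VirtualNetworkGateway' } |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress, Source
```

If the last command shows the OnPrem prefix with a next hop of VirtualAppliance instead, a route table has been attached to the NVA subnet by mistake and the NVA would loop traffic back to itself.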