Unable to establish connection between on-prem and Azure spoke vNet through Azure Firewall

Yakesh Ram 1 Reputation point
2024-01-11T07:32:58.36+00:00

We have a hub-and-spoke configuration of vNets. Spokes are peered with the hub vNet, which has ExpressRoute connectivity to on-prem. The hub has Azure Firewall with an IP address range of the 53.x series like on-prem, and the spoke has the 172.x series. We are not able to establish a connection between on-prem and the spoke despite trying various configurations. It is assumed that we are missing some route table configuration, however, we are not entirely sure. Can someone please assist?


1 answer

  1. GitaraniSharma-MSFT 49,006 Reputation points Microsoft Employee
    2024-01-11T10:42:26.18+00:00

    Hello @Yakesh Ram ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have a hub-and-spoke configuration in Azure where spokes are peered with the hub vNet, which has ExpressRoute connectivity to on-prem. The hub has Azure Firewall, and you would like to establish a connection between on-premises and the Azure spoke vNet through the Azure Firewall deployed in the hub vNet.

    For Azure to On-premises traffic:

    • To force all the traffic going out of your Azure spoke Vnets to the Azure firewall in hub Vnet, you can add a UDR with 0.0.0.0/0 on all the spoke subnets with next hop as your Azure Firewall.
    • Or if you just want to route selective traffic such as only the traffic going to on-premises, then you can add a UDR with your on-premises address range on all the spoke subnets with next hop as your Azure Firewall.

    This setup will take care of the routing from Azure to on-prem which will go as below:

    All spoke subnets --> Azure firewall --> ExpressRoute gateway --> On-premises.

    For return On-premises to Azure traffic:

    GatewaySubnet does not support 0.0.0.0/0 UDRs, but it supports UDRs with other address prefixes. Hence, you can add a UDR to the ExpressRoute GatewaySubnet with the address prefix of your spoke vNet ranges, with next hop type Virtual Appliance and the IP address of your Azure Firewall. This will make sure that any traffic that comes from your on-premises for your Azure spoke vNet range, when it reaches your ExpressRoute gateway, will be forwarded to the firewall for scanning.

    NOTE: Propagate gateway routes should be set to "Enabled" on the GatewaySubnet to ensure availability of the gateway and to propagate your on-premises routes to the network interfaces in the subnet.

    For example: if your spoke vNet address range is 172.168.0.0/24, then you can add a UDR to your ExpressRoute GatewaySubnet as below:

    Address prefix: 172.168.0.0/24 --> Next hop type = Virtual Appliance --> Next hop address = IP address of Azure Firewall

    So, the routing from On-prem to Azure spoke Vnet will go as below:

    On-premises --> ExpressRoute gateway --> Azure firewall --> All spoke subnets.

    And finally make sure that you've configured Network rules in your Azure Firewall to allow the traffic.

    This type of setup is already documented in the docs below:

    https://video2.skills-academy.com/en-us/azure/firewall/tutorial-hybrid-portal

    https://video2.skills-academy.com/en-us/azure/firewall/tutorial-hybrid-ps

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

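The following is an added example, not code from the Q&A post or from Microsoft. It models the three route tables the answer describes (spoke subnets, AzureFirewallSubnet, GatewaySubnet) and applies Azure's documented route selection (longest prefix match first; on an equal prefix length a user-defined route beats a BGP route, which beats a system route) to trace both directions of the on-prem to spoke flow. It goes one step beyond the answer in two places: it shows that the 0.0.0.0/0 spoke UDR only steers on-prem traffic to the firewall when the spoke route table has "Propagate gateway routes" disabled (as the linked tutorial does), because an on-prem /16 learned over ExpressRoute would otherwise win on prefix length, and it detects the routing loop that results from associating the spoke route table with AzureFirewallSubnet. The firewall IP 10.0.1.4 and the on-prem range 53.10.0.0/16 are constructed placeholders; 172.168.0.0/24 is the spoke range from the answer's example.

```python
"""Route-resolution model for the hub-and-spoke design in the answer above.

Added example, not code from the Q&A post or from Microsoft. All addresses
are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Union

SPOKE_PREFIX = ip_network("172.168.0.0/24")  # spoke range used in the answer's example
ONPREM_PREFIX = ip_network("53.10.0.0/16")   # placeholder for the question's "53.x" on-prem range
FIREWALL_IP = ip_address("10.0.1.4")         # placeholder Azure Firewall private IP
DEFAULT_ROUTE = ip_network("0.0.0.0/0")
SOURCE_RANK = {"UDR": 0, "BGP": 1, "System": 2}  # lower wins when prefix lengths tie


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop_type: str  # VirtualAppliance | VirtualNetworkGateway | VNetPeering | Internet
    source: str         # UDR | BGP | System
    next_hop_ip: Optional[IPv4Address] = None


def validate_gateway_udrs(udrs: List[Route]) -> None:
    """The GatewaySubnet takes UDRs, but not a 0.0.0.0/0 one (as the answer notes)."""
    for r in udrs:
        if r.prefix == DEFAULT_ROUTE:
            raise ValueError("0.0.0.0/0 UDR is not supported on the GatewaySubnet")
        if r.next_hop_type == "VirtualAppliance" and r.next_hop_ip is None:
            raise ValueError(f"route {r.prefix} to a Virtual Appliance needs a next-hop IP")


def lookup(routes: List[Route], dst: IPv4Address) -> Route:
    """Longest prefix match; ties broken by source (UDR > BGP > System)."""
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        raise LookupError(f"no route for {dst}")
    return max(matches, key=lambda r: (r.prefix.prefixlen, -SOURCE_RANK[r.source]))


def build_tables(spoke_mode: str = "all", spoke_propagation: bool = False,
                 gateway_udr: bool = True) -> Dict[str, List[Route]]:
    """Effective routes per subnet.

    spoke_mode: "all" = 0.0.0.0/0 UDR on the spoke, "onprem" = on-prem prefix UDR.
    spoke_propagation: whether the spoke route table has "Propagate gateway routes" on.
    gateway_udr: whether the GatewaySubnet carries the spoke-prefix UDR to the firewall.
    """
    peering = Route(SPOKE_PREFIX, "VNetPeering", "System")
    bgp = Route(ONPREM_PREFIX, "VirtualNetworkGateway", "BGP")  # learned via the ER gateway
    default = Route(DEFAULT_ROUTE, "Internet", "System")
    spoke_udr = Route(DEFAULT_ROUTE if spoke_mode == "all" else ONPREM_PREFIX,
                      "VirtualAppliance", "UDR", FIREWALL_IP)
    gw_udrs = [Route(SPOKE_PREFIX, "VirtualAppliance", "UDR", FIREWALL_IP)] if gateway_udr else []
    validate_gateway_udrs(gw_udrs)
    return {
        "SpokeSubnet": [spoke_udr] + ([bgp] if spoke_propagation else []) + [default],
        "AzureFirewallSubnet": [peering, bgp, default],     # firewall forwards on system/BGP routes
        "GatewaySubnet": gw_udrs + [peering, bgp, default],  # propagation stays enabled here
    }


def trace_path(start: str, dst: Union[str, IPv4Address],
               tables: Dict[str, List[Route]]) -> List[str]:
    """Follow next hops from `start` until the packet leaves the model; raise on a loop."""
    dst_ip = ip_address(dst)
    path, node = [start], start
    while node is not None:
        r = lookup(tables[node], dst_ip)
        if r.next_hop_type == "VirtualAppliance" and r.next_hop_ip == FIREWALL_IP:
            hops, node = ["AzureFirewall"], "AzureFirewallSubnet"
        elif r.next_hop_type == "VirtualNetworkGateway":
            # Outbound: the ER gateway puts the packet on the circuit. The GatewaySubnet
            # UDR only applies to traffic arriving from on-prem, so it is not consulted here.
            hops, node = ["ExpressRouteGateway", "OnPremises"], None
        elif r.next_hop_type == "VNetPeering":
            hops, node = ["SpokeSubnet"], None  # delivered into the peered spoke
        else:
            hops, node = ["Internet"], None
        if hops[0] in path:
            raise RuntimeError(f"routing loop at {hops[0]}: {path}")
        path += hops
    return path


def firewall_inspects_both_ways(tables: Dict[str, List[Route]]) -> Dict[str, bool]:
    """True per direction when the traced path crosses the firewall (symmetric inspection)."""
    out = trace_path("SpokeSubnet", "53.10.1.10", tables)     # spoke VM -> on-prem host
    back = trace_path("GatewaySubnet", "172.168.0.5", tables)  # on-prem host -> spoke VM
    return {"azure_to_onprem": "AzureFirewall" in out, "onprem_to_azure": "AzureFirewall" in back}


if __name__ == "__main__":
    for mode, prop in (("all", False), ("all", True), ("onprem", True)):
        print(mode, "propagation on" if prop else "propagation off",
              firewall_inspects_both_ways(build_tables(mode, prop)))
    print("without GatewaySubnet UDR:", firewall_inspects_both_ways(build_tables(gateway_udr=False)))
```

Running it shows the three outcomes a practitioner should check before opening a support case: the 0.0.0.0/0 spoke UDR with propagation off, or the on-prem-prefix UDR with propagation on, both give a symmetric path through the firewall; the 0.0.0.0/0 UDR with propagation left on sends Azure-to-on-prem traffic straight to the gateway; and omitting the GatewaySubnet UDR lets return traffic bypass the firewall, which the stateful firewall then sees as half a flow. The same `lookup` rule explains why an on-prem prefix advertised more specifically than the UDR would again win, so the UDR prefixes should be checked against the effective routes actually shown on the spoke NICs.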