VPN Gateway Routing Issue

Charlie B 0 Reputation points
2024-01-12T14:54:47.0533333+00:00

Hi All,

I will explain the existing setup and the challenges we are facing now.

- Here in this Azure Cloud infra, all remote users, Vendors, Branches are terminated/connected through Azure VPN Gateway.
- Among that, one of the S2S connections uses the Palo Alto SDWAN Cloud device, which enables branches/sites to access the Azure Cloud resources.
- For traffic filtering, we have deployed an Azure Firewall after VPN Gateway.
- The problem is that when a branch or remote user sends traffic to a vendor that is connected through the S2S connection (both connections, let's say branch/remote user and vendor, are terminated in the same VPN Gateway), the traffic does not go to the Azure Firewall for filtering, even if the UDR (attached to the Gateway Subnet) forces the traffic to the firewall.

  1. GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee
    2024-01-15T08:46:25.4666667+00:00

    Hello @Charlie B ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have an S2S VPN connection between Azure and a remote site. You've deployed Azure Firewall in your Vnet for traffic filtering and have attached a UDR to the GatewaySubnet which forces the traffic to the firewall, but it is not working.

    To force traffic in a Vnet via Azure Firewall and route it to on-prem via VPN and vice-versa, you would need 2 UDRs as below:

    • To route all subnet traffic through the Azure firewall, you can use a User Defined route (UDR) on the subnets that points to the firewall with the Virtual network gateway route propagation option disabled (this prevents learned routes from conflicting with your UDR). If you want to keep Virtual network gateway route propagation enabled, make sure to define specific routes to the firewall to override those that are published from on-premises over BGP.
    • Configure a UDR on the VPN gateway subnet that points to the firewall IP address as the next hop to the Vnet. No UDR is required on the Azure Firewall subnet, as it learns routes from BGP.

    And make sure that this traffic is allowed in the Azure Firewall by configuring specific network rules.

    NOTE: Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity.

    Refer: https://video2.skills-academy.com/en-us/azure/firewall/tutorial-hybrid-portal-policy

    Could you please share your configuration details?

    You mentioned "the UDR (attached to the Gateway Subnet) forces the traffic to the firewall".

    What about your Azure subnets? Do all the subnets have UDRs for destination on-premises network as next hop Azure Firewall? Are both side UDRs in place?

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

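The two UDRs described in the answer, plus the 0.0.0.0/0 Internet override from the NOTE, written out as an added Bicep example (not code from the thread or from the linked tutorial). The firewall private IP, the on-premises prefix and the workload subnet prefix are assumed placeholder values; the subnet-to-route-table associations are left to the `az` command in the trailing comment.

```bicep
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'    // assumed: Azure Firewall private IP
param onPremPrefix string = '192.168.0.0/16'   // assumed: branch/vendor address space
param workloadPrefix string = '10.0.2.0/24'    // assumed: workload subnet in the VNet

// UDR 1: workload subnets send on-prem-bound traffic to the firewall; BGP route
// propagation is disabled so gateway-learned routes cannot bypass the UDR.
resource rtWorkload 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-workload'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      { name: 'onprem-via-fw', properties: { addressPrefix: onPremPrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } }
    ]
  }
}

// UDR 2: GatewaySubnet sends VPN-ingress traffic for the workload subnet to the
// firewall. Propagation stays enabled because the gateway needs its BGP routes.
resource rtGateway 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-gatewaysubnet'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      { name: 'workload-via-fw', properties: { addressPrefix: workloadPrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } }
    ]
  }
}

// AzureFirewallSubnet: keep direct Internet egress even if 0.0.0.0/0 is learned
// over BGP from on-premises (the NOTE in the answer).
resource rtFirewall 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-azurefirewallsubnet'
  location: location
  properties: {
    routes: [
      { name: 'default-to-internet', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'Internet' } }
    ]
  }
}

// Associate each table with its subnet, e.g.:
//   az network vnet subnet update -g <rg> --vnet-name <vnet> -n GatewaySubnet --route-table rt-gatewaysubnet
// and likewise for the workload subnet and AzureFirewallSubnet.
```

After deployment, `az network nic show-effective-route-table` on a workload VM NIC is the quickest way to confirm that the on-premises prefix now resolves to the firewall IP rather than to the virtual network gateway.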
