Hi Everyone! Please, I need your advice. I have Virtual network gateway which connects three on-prem sites (3 x Local network gateways). This part works perfect. There are only route and policy based routing (no dyn). All endpoints can ping each other from all sites. I want to filter traffic between S2S sites. I created an Azure Firewall in the same vNet as VNG. Made UDR with subnet of: site 1 subnet -> Virtual Appliance -> FW internal iface site 2 subnet -> Virtual Appliance -> FW internal iface site 3 subnet -> Virtual Appliance -> FW internal iface And attached it to GatewaySubnet. I expected that without rules all traffic would drop but it was flowing as usual. My FW does not work if I even create network policy. What am I doing wrong? Thank you.

@Christophe_M Thanks for your detailed explanation of the environment. To answer your query, it is not possible to filter Azure VPN Gateway Transit traffic via Azure Firewall. As mentioned by Priya Kumar , you would require a vWAN to achieve this. With vWAN, Make sure you use a Secured vHUB and enable Branch to Branch And configure vWAN Routing intent with Private Traffic Routing Policy To explain why this would not work with a regular VPN Gateway, AzFW and UDR. Consider sites A (10.A.x.x/16) and B (10.B.x.x/16) connected to a VPN Gateway You attach a UDR with the below routes on GatewaySubnet 10.A.x.x/16 ------------> AzFW 10.B.x.x/16 ------------> AzFW No Route is required on AzureFirewallSubnet as this learns the route from system and nexHop here is VPNGw Now, if a packet from SiteA destined to SiteB is sent via the TunnelA, It hits the GatewaySubnet and because of the UDR, it goes to AzFW AzFW's nextHop would be VPNGw Now, from point 1, we know the nextHop for the GatewaySubnet is AzFW (Loop). The traffic keeps on going back and forth between GatewaySubnet and AzFW creating a loop until it gets dropped. Hence, this design would not work. Hope this provides more clarity. Kindly let us know if this helps or you need further assistance on this issue. Thanks, Kapil

Azure VPN Gateway and Azure Firewall - S2S communication filtering

Christophe_M 40

Hi Everyone! Please, I need your advice. I have Virtual network gateway which connects three on-prem sites (3 x Local network gateways). This part works perfect. There are only route and policy based routing (no dyn). All endpoints can ping each other from all sites. I want to filter traffic between S2S sites. I created an Azure Firewall in the same vNet as VNG. Made UDR with subnet of:

site 1 subnet -> Virtual Appliance -> FW internal iface
site 2 subnet -> Virtual Appliance -> FW internal iface
site 3 subnet -> Virtual Appliance -> FW internal iface

And attached it to GatewaySubnet. I expected that without rules all traffic would drop but it was flowing as usual. My FW does not work if I even create network policy. What am I doing wrong? Thank you.

Silvia Wibowo 3,411 Reputation points Microsoft Employee

2024-02-05T04:00:20.6433333+00:00
Hi @Christophe_M , I understand that you want Azure Firewall to filter traffic between VPN S2S sites.

Your setup to use UDR for each of the site subnet is correct. You need to disable gateway route propagation on all the route tables, except route table for GatewaySubnet. Azure Firewall needs the routing back to site1-3, so add routes to AzureFirewallSubnet routing table (this is required as BGP propagation is disabled on this route table):

site 1 subnet -> Virtual Network Gateway

site 2 subnet -> Virtual Network Gateway

site 3 subnet -> Virtual Network Gateway

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Priya Kumar 1,096 Reputation points Microsoft Employee

2024-02-05T04:53:24.3666667+00:00
@Christophe_M ,

Thanks for reaching azure Q and A platform.

Given said that the sites are connected to the on premise via Policy Based Gateway, and one to one connection been made.

Now there is a forced traffic been performed with the UDR, according to you which is still not working?

Steps recommended:

In the Site 1 Subnet, pick one VM for testing.

From the VM, go to the Network Interface, left bottom please select "NIC effective routing".

Under which you could see which routing been taken precedence.

If the UDR been picked then the traffic must flow via the Firewall.

If not then there must be any BGP routing taking precedence.

Please do provide more details on your architecture, we could suggest the cause.

Regards,

Priya Kumar
Christophe_M 40 Reputation points

2024-02-05T20:45:36.42+00:00

Hi @Silvia Wibowo , @Priya Kumar! Thank you for your answer. I attached the schema:

I have only one route table in that Resource Group - for GatewaySubnet in order to follow some traffic from on-prem tunnels to another Resource Group. In CLOUD Resource Group I have only three subnets - GatewaySubnet, AzureFirewallSubnet and AzureFirewallManagementSubnet.

Sorry, I do not understand where I should disable gateway route propagation except GatewaySubnet if I have UDR only for that subnet (GatewaySubnet) with only one cloud specific route (not S2S). I also could not understand how to create VM in subnet of site1 if this subnet is not part of Azure Cloud resources but CORP1 on-prem.

Probably, I expressed myself incorrectly. Sorry if so. I want to route S2S-CORP1 and S2S-CORP2 traffic to Firewall and filter it in this object. I do not want to filter traffic for another cloud resources but only between on-prem offices. I did not use WAN Gateway and do not know if this schema possible for VPN Virtual Gateway.

Thank you for your time.
Priya Kumar 1,096 Reputation points Microsoft Employee

2024-02-06T04:48:17.61+00:00
@Christophe_M Thanks for the response. Please do let me know if you looking for the something like below architecture?

**Are you looking to filter the traffic from Site 1 and Site 2 via the Azure firewall? **

If that is true, then with this setup both on-premise would not be able to talk to each other.

Given the point its Policy based Gateway, there would only be one to one connection. Vnet 1 ==> GW 1 ==> site 1 Vnet 2 ==> GW 2 ==> Site 2.

**Consider if you are looking something like the below configuration: **

This is possible, if you looking to pass all the traffic from Vnet 1 to site 1 via the Firewall, and Vnet 2 to Site 2 via the firewall.

For the same you need UDR. Vnet 1 (UDR saying any traffic to Site 1 send to Firewall) Gateway Subnet (Any traffic to Vnet 1 send to Firewall). Same for Vnet 2 configuration.

To make two onpremise to transit and talk to each other, you need to use Azure VWAN service. https://video2.skills-academy.com/en-us/azure/virtual-wan/virtual-wan-about

Regards, Priya Kumar
KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2024-02-06T15:51:54.6966667+00:00
@Christophe_M

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I see Silvia Wibowo and Priya Kumar have shared their comments and would require clarity on Architecture. I believe you are using a single VPN Gateway with 3 individual S2S Connections connection 3 OnPrem sites.

Is this observation correct?

If not, I would request you to please share a simple network architecture diagram so we could further understand the environment.

Cheers,

Kapil
Christophe_M 40 Reputation points

2024-02-06T20:00:52.5366667+00:00

Hello @KapilAnanth-MSFT , Yes, you are right. There are only two S2S connections on image but the schema like here (with third S2S connection).

There are no the other cloud vNets, resource groups. Only one group with Virtual Gateway and three Local Gateways inside. LGN have Connections to on-prem devices. All on-prem sites can see resources of each other. However, I have to filter some resources on these sites from another sites. For example, Site 1 has servers network but I want to share only one server with the other participants of global vpn network. The similar situations on second and third sites. I do not want filter that with policy-based rules or incoming/outgoing ACLs on prem sites (hardware routers). It should serve on traffic mix point - Azure Virtual Gateway. But it does not have firewall inside so I created a new one in the same net as Virtual GW (in VNet-CLOUD). And I'm here.

@Silvia Wibowo and @Priya Kumar are trying to help me. Moreover, Priya Kumar is asking me about right questions. However, I'm a little confused about the diagrams of Priya Kumar. If I understand her question right she believes that I have three Virtual Gateways with three vNets (please, correct me). But I want to flow all traffic from/to S2S tunnels to firewall from one Virtual Gateway with one GatewaySubnet.

My question is - is this possible? And if so, how to do this in the existing scheme. I tried to force all traffic from on-prem networks into a firewall by attaching the UDR to GatewaySubnet, but it didn't work.

Thank you.
Christophe_M 40 Reputation points

2024-02-06T20:03:12.48+00:00

Dear @Priya Kumar ,

I replied to your question in post below (in @KapilAnanth-MSFT answer).
Silvia Wibowo 3,411 Reputation points Microsoft Employee

2024-02-07T01:54:02.83+00:00

Hi @Christophe_M , have you tried the setup I described in my answer?
Priya Kumar 1,096 Reputation points Microsoft Employee

2024-02-07T04:17:01.69+00:00
@Christophe_M , Thanks for the response.

Please try to answer the below questions, so we will have more clarity on your need.

So, in your architecture, are you trying to make "two on premise site" to talk to each other, but the traffic must pass via the Gateway? If so then this is not possible without the help if Azure VWAN for the transit.

If you planning to filter all the Azure traffic towards to "On-premise" should go via the Firewall to and fro. Yes this is possible.

Basically, the transit between two on-premises networks will not happen with Normal VPN gateway.

Let us know if you need help with anything else.

Regards,

Priya Kumar
Christophe_M 40 Reputation points

2024-02-07T19:55:09.7+00:00
Thank you for the answers. It sounds sadly. Ok' I have to change the technology. However, small correction:

Now, from point 1, we know the nextHop for the GatewaySubnet is AzFW (Loop). The traffic keeps on going back and forth between GatewaySubnet and AzFW creating a loop until it gets dropped.

No, I tried to make that and my traffic did not interrupt. It did not stop but not also filtered. Really nothing happened.
KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2024-02-09T11:22:28.1266667+00:00
@Christophe_M

Thanks for keeping the thread updated.

From your statement, I understand the traffic was not logged in the AzFW

I believe this could be because the route configured on GatewaySubnet may be having a wide range that the OnPrem site B

And Azure follows longest prefix match algorithm to select a route.

In any case, without vWAN, I am afraid the ask will not be feasible.

I have converted my comment and posted it as a new answer. I would highly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Accepted answer

KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2024-02-07T04:57:29.67+00:00
@Christophe_M

Thanks for your detailed explanation of the environment.

To answer your query, it is not possible to filter Azure VPN Gateway Transit traffic via Azure Firewall.

As mentioned by Priya Kumar, you would require a vWAN to achieve this.

With vWAN,

Make sure you use a Secured vHUB and enable Branch to Branch

And configure vWAN Routing intent with Private Traffic Routing Policy

To explain why this would not work with a regular VPN Gateway, AzFW and UDR.

Consider sites A (10.A.x.x/16) and B (10.B.x.x/16) connected to a VPN Gateway

You attach a UDR with the below routes on GatewaySubnet

10.A.x.x/16 ------------> AzFW

10.B.x.x/16 ------------> AzFW

No Route is required on AzureFirewallSubnet as this learns the route from system and nexHop here is VPNGw

Now, if a packet from SiteA destined to SiteB is sent via the TunnelA,

It hits the GatewaySubnet and because of the UDR, it goes to AzFW

AzFW's nextHop would be VPNGw

Now, from point 1, we know the nextHop for the GatewaySubnet is AzFW (Loop).

The traffic keeps on going back and forth between GatewaySubnet and AzFW creating a loop until it gets dropped.

Hence, this design would not work.

Hope this provides more clarity. Kindly let us know if this helps or you need further assistance on this issue.

Thanks, Kapil
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Azure VPN Gateway and Azure Firewall - S2S communication filtering

0 additional answers