Using Azure Firewall to regulate traffic between subnets of a Virtual Network

Clive Crocker 66 Reputation points
2024-03-07T13:30:03.0366667+00:00

We have a Virtual network (e.g. 10.x.0.0/19) with multiple subnets (10.x.1.0/24, 10.x.2.0/24, 10.x.3.0/24) and an Azure Firewall.

We have custom Route Tables assigned to subnets to direct traffic to the Firewall interface.

An Azure Firewall regulates N/S (i.e. Internet) traffic in and out of the subnets just fine.

The Azure Firewall is also configured to regulate E-W (i.e. between subnets) traffic.

We do not use Network Security Groups.

However, in testing I see the E-W is open... i.e. devices in one subnet can communicate with devices in another subnet across protocols which have not been permitted in the Firewall rules.

Similarly, it does not appear to regulate traffic to remote virtual networks, i.e. across Virtual Network Gateway tunnels.

https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-firewall-nat-behaviors/ba-p/3825834#:~:text=The%20Azure%20Firewall%20is%20a,and%20north%2Dsouth%20traffic%20inspection.

I see this in that link:

East-West Traffic Flow (IANA RFC 1918 & IANA RFC 6598)

East-west traffic flow refers to traffic between Azure virtual networks, either subnets within the virtual networks or between spoke virtual networks, and traffic between Azure virtual networks and on-premises networks via Virtual Private Network (VPN) or ExpressRoute (ExR) connections.

I realise that applying an NSG to each subnet could allow this to work, but I understand that should not be required... preference is simply to use the Azure Firewall to centralise the traffic flow rules.

Thanks


1 answer

  1. KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee
    2024-03-14T13:50:50.0666667+00:00

    @Clive Crocker ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    Before I address your questions, you must understand how Azure routing works.

    • In simple terms, it uses the longest prefix match algorithm.

    When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm. For example, a route table has two routes: One route specifies the 10.0.0.0/24 address prefix, while the other route specifies the 10.0.0.0/16 address prefix. Azure directs traffic destined for 10.0.0.5 to the next hop type specified in the route with the 10.0.0.0/24 address prefix. This process occurs because 10.0.0.0/24 is a longer prefix than 10.0.0.0/16, even though 10.0.0.5 falls within both address prefixes. Azure directs traffic destined for 10.0.1.5 to the next hop type specified in the route with the 10.0.0.0/16 address prefix. This process occurs because 10.0.1.5 isn't included in the 10.0.0.0/24 address prefix, making the route with the 10.0.0.0/16 address prefix the longest matching prefix.

    • By default, every subnet learns the address ranges of the other subnets. This is possible using the default system routes.
    • This means traffic from one subnet goes directly to another subnet within the VNet.
    • You have to override the system routes with user-defined custom routes and the longest prefix match algorithm. Here, "and" is the important concept.
    • So, you have to manually add the subnet address prefixes to the UDR for this to use the Azure Firewall (nextHop defined in the route table).

    Now, coming to your queries.

    1. You mention 'subnet routes of equal or greater length'. Do you mean a subnet mask of equal or greater length? e.g. Could we put a single route 10.5.0.0/19 (being the address space in our entire network) or do we need to individually add the series of /24 subnets (or /25, /26...) to make UDR over-ride the Azure default routing?

    • This should be a series of subnets like /24 subnets (or /25, /26...)

    2. We have no UDR in the Azure Firewall Subnet (e.g. 10.5.15.0/26, which contains 10.5.15.4). Could you confirm that would be correct?

    • Correct

    3. Also for added security... We have an Az Application Gateway (Internet <-> AG <-> Firewall <-> Subnets) and have a route to a required internal subnet via the firewall. In order to ensure no traffic could go directly (e.g. to another subnet, if (mis)configured on the AG), I guess we should also include the list of subnets in the UDR for the AG subnet... otherwise traffic would flow directly from AG to subnet, wouldn't it?

    • I am confused here.
    • Is this for "Internet to VM" or "East West Traffic"?
    • What exactly is the requirement here?

    4. Is there any way to query the resultant routes (assembled from BGP, UDR & default Azure routing knowledge)? Output like 'route print' showing destination subnets, metrics, preferences etc... This would help me understand what is actually happening within the environment rather than it being something of a 'black-box' situation.

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil

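The route selection the answer describes, worked through as an added example (this is not code from the thread, from Microsoft, or from any Azure tooling). It models the two rules that decide a next hop in Azure: longest prefix match on the destination, then, on equal prefix length, a user-defined route beats a gateway/BGP-learned route, which beats a system route. The addressing is constructed to match the question (VNet 10.5.0.0/19, workload /24s, AzureFirewallSubnet 10.5.15.0/26 with the firewall at 10.5.15.4); the remote VNet 10.6.0.0/19 behind a VPN gateway is an assumption added to show the gateway case. The `source` labels (`Default`, `User`, `VirtualNetworkGateway`) follow the Source column of Azure's effective-route output. Running it shows why a route table holding only `0.0.0.0/0 -> firewall` leaves east-west and gateway-bound traffic uninspected, and what changes once per-subnet routes are added.

```python
"""Model of Azure route selection for the scenario in the thread.
Added example; constructed addresses, not a real environment."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Tie-break when two matching routes have the same prefix length:
# user-defined beats gateway/BGP-learned, which beats Azure's system routes.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str   # VirtualNetwork, Internet, None, VirtualAppliance, VirtualNetworkGateway
    source: str          # User, VirtualNetworkGateway, Default
    next_hop_ip: Optional[str] = None


def system_routes(vnet_prefix: str) -> list[Route]:
    """Default routes Azure installs in every subnet of a VNet."""
    return [
        Route(vnet_prefix, "VirtualNetwork", "Default"),
        Route("0.0.0.0/0", "Internet", "Default"),
        Route("10.0.0.0/8", "None", "Default"),
        Route("172.16.0.0/12", "None", "Default"),
        Route("192.168.0.0/16", "None", "Default"),
        Route("100.64.0.0/10", "None", "Default"),
    ]


def select_route(routes: list[Route], dst: str) -> Route:
    """Longest prefix match first, then SOURCE_PRIORITY on equal length."""
    dst_ip = ip_address(dst)
    candidates = [r for r in routes if dst_ip in ip_network(r.prefix, strict=False)]
    return min(
        candidates,
        key=lambda r: (-ip_network(r.prefix, strict=False).prefixlen, SOURCE_PRIORITY[r.source]),
    )


# Constructed scenario (placeholders mirroring the question's addressing).
VNET = "10.5.0.0/19"
FW_SUBNET = "10.5.15.0/26"
FW_IP = "10.5.15.4"
ALL_SUBNETS = ["10.5.1.0/24", "10.5.2.0/24", "10.5.3.0/24", FW_SUBNET]
REMOTE_VNET = "10.6.0.0/19"  # assumed: a remote VNet reached over a VPN gateway
# What the gateway injects into the workload subnets' effective routes.
GATEWAY_ROUTES = [Route(REMOTE_VNET, "VirtualNetworkGateway", "VirtualNetworkGateway")]

# The route table as described in the question: only a default route to the firewall.
DEFAULT_ONLY_UDRS = [Route("0.0.0.0/0", "VirtualAppliance", "User", FW_IP)]


def per_subnet_udrs(subnets: list[str], fw_ip: str, fw_subnet: str) -> list[Route]:
    """One UDR per workload subnet with the firewall as next hop. The firewall's
    own subnet gets no entry, and this table must never be attached to
    AzureFirewallSubnet: traffic the firewall forwards would be sent back to it."""
    return [Route(s, "VirtualAppliance", "User", fw_ip) for s in subnets if s != fw_subnet]


# Per-subnet routes plus an explicit route for the remote VNet: same length as the
# gateway-learned route, but user-defined, so it wins the tie-break.
HARDENED_UDRS = (
    DEFAULT_ONLY_UDRS
    + per_subnet_udrs(ALL_SUBNETS, FW_IP, FW_SUBNET)
    + [Route(REMOTE_VNET, "VirtualAppliance", "User", FW_IP)]
)


def effective_routes(udrs: list[Route]) -> list[Route]:
    """What a NIC in a workload subnet sees: system + gateway-learned + UDRs."""
    return system_routes(VNET) + GATEWAY_ROUTES + list(udrs)


def next_hop(udrs: list[Route], dst: str) -> str:
    r = select_route(effective_routes(udrs), dst)
    return r.next_hop_type if r.next_hop_ip is None else f"{r.next_hop_type}({r.next_hop_ip})"


def bypass_destinations(udrs: list[Route], probes: list[str]) -> list[str]:
    """Probe destinations whose selected next hop is not the firewall."""
    return [d for d in probes if not next_hop(udrs, d).startswith("VirtualAppliance")]


PROBES = ["8.8.8.8", "10.5.2.5", "10.6.1.10"]  # internet, another subnet, remote VNet

if __name__ == "__main__":
    for label, udrs in [("default route only", DEFAULT_ONLY_UDRS), ("per-subnet routes", HARDENED_UDRS)]:
        print(f"--- {label} ---")
        for d in PROBES:
            print(f"{d:>10} -> {next_hop(udrs, d)}")
        print("bypassing the firewall:", bypass_destinations(udrs, PROBES) or "none")
```

To check the real merged table on a workload VM (question 4 in the thread), the Azure CLI can print it per NIC: `az network nic show-effective-route-table --resource-group <rg> --name <nic> --output table` lists every route with its Source (Default, User, VirtualNetworkGateway), prefix and next hop, and `az network watcher show-next-hop` reports the hop chosen for one source/destination pair. Both `<rg>` and `<nic>` are placeholders for your own resource names. Comparing that output against the model above is the quickest way to confirm that every other subnet prefix, and every gateway-learned prefix, resolves to the firewall rather than to VirtualNetwork or VirtualNetworkGateway.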