![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 67%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,514 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 17%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
Hello Siddhesh Rane,
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here, Requirement:1
I understand that you want to send the traffic from the firewall to NVA.
Create a Network Rule Collection on the Azure Firewall:
- Define a Network Rule that allows traffic from the on-premises source IP range to the NVA’s internal IP address.
- Specify the destination as the NVA's private IP address and the appropriate port (e.g., if the NVA is serving as a VPN, it might be port 443 or 500/4500 for IPsec).
- Set the action to Allow.
Once traffic reaches the NVA, you can set up UDRs on the NVA’s subnet to route the traffic to the appropriate spoke VNet.
Note: This step is critical for ensuring that traffic flows correctly between the NVA and the Spoke VNet.
Requirement:2 To enable routing between sites connected to a VPN Gateway and ExpressRoute Gateway using an Azure Route Server:
- Deploy Azure Route Server: Set up the Route Server in your Hub VNet to manage routing dynamically.
- Connect Your Appliances: Establish BGP peering between the Route Server and your network devices like SD-WAN, NVA, VPN Gateway, and ExpressRoute Gateway. This allows them to exchange routing information automatically.
- Automatic Routing: The Route Server will automatically handle route updates, ensuring traffic flows correctly from the on-premises network through the VPN Gateway, SD-WAN, Azure Firewall, NVA, and finally to the destination via the ExpressRoute Gateway.
Requirement:3
Use the Route Server to dynamically route the traffic VPN Gate to Spoke Vnet.
Requirement:3b
No, Azure Firewall and NVA do not learn third-party IP prefixes from a VPN Gateway through VNet peering. Azure Firewall and NVAs require explicit route configuration or BGP peering with the VPN Gateway to learn and handle third-party IP prefixes, Azure Firewall and NVAs require explicit route configuration or BGP peering with the VPN Gateway.
Requirement: 4
- Azure Route Server itself does not directly enable routing between ExpressRoute Gateway and VPN Gateway. It is designed to simplify and automate dynamic route management between your virtual network and network virtual appliances
- Yes, Azure Route Server can assist with dynamic route propagation to and from NVAs (including Azure Firewall) and help in managing the routing between your VPN/ExpressRoute Gateway and your spoke VNets.
Additional References: What is Azure Route Server? | Microsoft Learn,
Configure ExpressRoute and S2S VPN coexisting connections with Azure PowerShell | Microsoft Learn, Support for ExpressRoute and Azure VPN - Azure Route Server | Microsoft Learn
If you have any further queries, do let us know. If the answer is helpful, please click "Accept Answer" and "Upvote it."