AZFW DNS proxy across virtual wan

Mark Davis 20

I have configured the azfw policy for dns proxy to a server that is on-prem accessible through another virtual hub. My problem is bgp is not advertising the firewall's private address across the vwan to the other hub.

The firewall policy in question is in Southeast Asia and the DNS server is hanging off a vpn connected to South Central US.

AZFW Hub Southeast Asia -> Hub South Central US -> DNS Server on-prem

Any help would be much apprectiated.

Sai Prasanna Sinde (Quadrant Resource LLC) 90 Reputation points Microsoft Vendor

2024-08-29T10:41:59.2633333+00:00

Hi @Mark Davis,

Just checking in to see if the above answer provided by @Sina Salam helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Sai Prasanna Sinde (Quadrant Resource LLC) 90 Reputation points Microsoft Vendor

2024-08-30T16:35:59.9333333+00:00

Hi @Mark Davis,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know."
Mark Davis 20 Reputation points

2024-08-30T16:48:41.5333333+00:00

Unfortunately no. BGP appears to be working fine, the routes are there for attached vnets, and its passing routes received from on-prem. I see routes for everything except the azfw's private addresses.
Sai Prasanna Sinde (Quadrant Resource LLC) 90 Reputation points Microsoft Vendor

2024-09-02T08:54:33.67+00:00
Hi @Mark Davis,

Thanks for the reply. Adding to the points provided by @Sina Salam ,

Although BGP may be operational and relaying routes from on-premises resources, Azure Firewall's private IP addresses will not be automatically advertised across the Virtual WAN to other hubs, including the South-Central US hub.

To resolve the issue. Please go through the below steps:

User Defined Routes: Create User-Defined Routes to clearly establish the paths for traffic starting from the Southeast Asia hub to the DNS server located in South Central US. The UDRs should be configured to direct traffic to the Azure Firewall as the next hop.

For your reference: https://video2.skills-academy.com/en-us/azure/firewall/firewall-multi-hub-spoke#routing-on-the-spoke-subnets

Third-Party Network Virtual Appliance: If BGP capabilities are essential for your architecture, you might need to implement a third-party Network Virtual Appliance (NVA) that supports BGP. This NVA would then peer with the Virtual Hub to manage route advertisements effectively.

For your reference: https://video2.skills-academy.com/en-us/azure/virtual-wan/scenario-bgp-peering-hub#benefits-and-considerations

3.Route Tables in Virtual Hubs: Ensure that the route tables within the Virtual Hubs are correctly configured to incorporate static routes capable of effectively directing traffic towards the Azure Firewall private IP address. Additionally, these routes should propagate to the appropriate route tables. I hope this is helpful! Do not hesitate to let me know if you have any other questions.

Thanks,

Sai Prasanna Sinde.
Sai Prasanna Sinde (Quadrant Resource LLC) 90 Reputation points Microsoft Vendor

2024-09-06T01:46:53.14+00:00

Hi @Mark Davis,

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know. We are happy to assist you.

Thanks.

1 answer

Sina Salam 10,036 Reputation points

2024-08-28T20:57:12.58+00:00
Hello Mark Davis,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are having issues with your BGP not advertising the Azure Firewall's private address across the Virtual WAN (vWAN) to the other hub and DNS proxy across virtual wan.

Ensure that BGP is correctly configured on both hubs (Southeast Asia and South Central US) and confirm that BGP peerings are established and active.

Make sure the Azure Firewall's private IP address is included in the BGP advertisements and to do this you will need to update the BGP route table to include the Azure Firewall's private IP and configure private traffic routing policy https://video2.skills-academy.com/en-us/azure/virtual-wan/how-to-routing-policies

About you DNS proxy check if it is enabled on the Azure Firewall in the Southeast Asia hub and if not try to enable it to the extent that the DNS settings on the virtual network are configured to point to the firewall’s private IP. https://video2.skills-academy.com/en-us/azure/firewall-manager/dns-settings

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

AZFW DNS proxy across virtual wan

1 answer

Your answer