Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
656 questions
Hub and two Spoke vnets with AFW in Hub and traffic from Expressroute
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 15%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Sepski, Krzysztof Antoni
0
Reputation points
Hello,
I have got problem with not going traffic via Azure Firewall from ExpressRoute to one of two spoke vnets(I don't see any traffic on Firewall logs but I can see traffic with tcpdump on VM in spoke). Traffic to on-prem via ExpressRoute works fine from both spoke vnets(and I can see logs in Firewall)
Could You please provide me with exemplary configuration how to set UDRs?
I already set on GatewaySubnet UDR - prefixes of two spokes(tried also one wide mask) via Firewall, on both Spokes UDR - prefixes of on prem subnets via Firewall and can't find any solution.
{count} votes
-
KapilAnanth-MSFT 44,556 Reputation points Microsoft Employee2024-09-18T11:56:28.9233333+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to use Azure Firewall as NVA for traffic to and fro OnPrem via ExpressRoute.
From your verbatim,
- Azure to OnPrem traffic passes via the Firewall
- However, OnPrem to Azure traffic does not
- Ideally, defining the Address space of the SpokeVNETs and nextHop as the Firewall's private IP should do the trick
- See a similar set up here
- Can you confirm Propagate gateway routes is set to "Enabled"?
- May I ask if you are testing this by initiating traffic from OnPrem to the Azure?
- Or you are worried that you are not seeing return traffic for Azure to OnPrem testing
- Can you specify if you are using ExpressRoute FastPath?
Cheers,
Kapil
-
Sepski, Krzysztof Antoni 0 Reputation points
2024-09-18T12:08:01.5766667+00:00 OnPrem to Azure - OnPrem to Spoke does not going via Azure Firewall.
I do have defined address spaces of the Spoke Vnets and nextHop Firewall on GatewaySubnet UDR. - It does not work somehow. - I cannot see logs on Azure Firewall, but I as I mentioned in other way Spoke -> OnPrem I can see logs and it works fine.
Propagate gateway routes was Enabled and Disabled (tried both) on Spoke routes and Enabled on GatewaySubnet
Problem is when initiating traffic from OnPrem to Azure
FastPath on ExpressRoute is Disabled -
KapilAnanth-MSFT 44,556 Reputation points Microsoft Employee
2024-09-19T09:26:47.6233333+00:00 This is strange.
- Are you sure the Azure Firewall log query is correct?
- Because, from your verbatim, it appears there is asymmetric routing and many times, Azure drops asymmetric traffic.
- i.e., Both Azure to OnPrem and OnPrem to Azure should fail if asymmetric traffic is present.
As next steps,
- In the GatewaySubnet's UDR, add a route for one of the Spoke's Subnet (not VNET) and point the nextHop as Azure Firewall.
- I am just trying to make sure there aren't any longest prefix match overriding the UDR
- Can you also confirm if there is no Azure Route Server on the VNET?
Cheers,
Kapil
Sign in to comment
Sign in to answer