MSDN Forum: Azure Firewall

alsavi1984 21 Reputation points
2021-02-03T10:58:37.067+00:00

Good morning.

I have an issue, and I have opened a case with the Microsoft support team, but unfortunately I haven't received a clear answer.

We have deployed an Azure Firewall that is responsible for filtering traffic across different subscriptions. We know that if there is no rule that allows specific traffic, the communication will be dropped. So, first of all, we have checked all route tables and they have the virtual appliance as the next hop; we have also deployed a UDR that forces the traffic (0.0.0.0/0) to the firewall. Then we have checked all the rules and there is nothing that could allow the traffic.

Checking with tracepath and other tools, we could see that the traffic, as we expected, is going to the firewall and then to the destination VMs. But we are finding that traffic is allowed between VNets although it is being filtered by the FW.

So, my question is whether somebody has met this issue too, or if anybody could give more info or help about this issue, as it is a bit strange.

Thank you, and above all have a good day.

Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.

1 answer

  1. alsavi1984 21 Reputation points
    2021-02-05T06:53:56.837+00:00

    Thanks for your reply.

    Nowadays, we have around 15 different VNets deployed in a hub-and-spoke architecture. Every VNet has a peering to the firewall subnet but not between VNet and VNet.

    Also, we have different route tables applied to every subnet that force traffic to the virtual appliance. We have also checked the rules that are configured at the firewall level, and they do not allow traffic to the different subnets.

    Every subnet has a UDR that forces traffic redirection to the firewall and, above all, every route table has an implicit rule for destination 0.0.0.0/0 to the Azure Firewall IP. Every route table has the route propagation option disabled. We have also checked the network path using the Azure Network Watcher tool, and we could see that traffic flows through the firewall.
    Furthermore, we have taken different packet captures on both sides and MSN has checked them too, but the support team haven't found why the different flows are allowed.

    In addition, we have checked the routes and FW rules with MSN help too, but they haven't seen any particular reason yet.
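The routing check described in both posts above (a 0.0.0.0/0 UDR to the firewall with propagation disabled, then confirming the next hop per subnet) can be automated against an exported effective-route table rather than read by eye. The following is an added example and is not code from the thread or from Microsoft; it resolves the Azure next hop for a destination by longest-prefix match with Azure's tie-break (user route beats BGP beats system route) and flags destinations whose winning route is not the firewall appliance. The route list is constructed and only loosely modelled on what `az network nic show-effective-route-table` returns, so the field names, the `10.0.1.4` firewall address and the address ranges are assumptions to adjust for your own export.

```python
"""Resolve the Azure next hop for a destination from an effective-route table
by longest-prefix match, and flag destinations that bypass the firewall.

Added example, not code from the forum thread. SAMPLE_ROUTES is constructed
and only loosely modelled on the JSON `az network nic show-effective-route-table`
returns; the field names are an assumption, adjust them to your own export.
"""
import ipaddress

# Constructed sample: a spoke subnet NIC whose UDR sends 0.0.0.0/0 to the
# firewall, with route propagation disabled (so no gateway-learned routes).
SAMPLE_ROUTES = [
    {"addressPrefix": ["10.10.0.0/16"], "nextHopType": "VirtualNetwork",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VNetPeering",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
     "nextHopIpAddress": [], "source": "Default", "state": "Invalid"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": ["10.0.1.4"], "source": "User", "state": "Active"},
]
FIREWALL_IP = "10.0.1.4"  # assumed private IP of the Azure Firewall in the hub

# Azure tie-break among equal-length prefixes: user route > BGP route > system route.
_SOURCE_RANK = {"User": 3, "VirtualNetworkGateway": 2, "Default": 1}


def resolve_next_hop(routes, destination):
    """Return (prefix, nextHopType, nextHopIp) of the winning route, or None."""
    dst = ipaddress.ip_address(destination)
    best = None
    for route in routes:
        if route.get("state") != "Active":
            continue  # overridden system routes show as Invalid and never forward
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if dst not in net:
                continue
            key = (net.prefixlen, _SOURCE_RANK.get(route["source"], 0))
            if best is None or key > best[0]:
                hop_ip = route["nextHopIpAddress"][0] if route["nextHopIpAddress"] else None
                best = (key, (prefix, route["nextHopType"], hop_ip))
    return best[1] if best else None


def bypasses_firewall(routes, destination, firewall_ip):
    """True when destination is reached by any route other than the firewall appliance."""
    hop = resolve_next_hop(routes, destination)
    if hop is None:
        return True
    _, hop_type, hop_ip = hop
    return not (hop_type == "VirtualAppliance" and hop_ip == firewall_ip)


def audit(routes, destinations, firewall_ip=FIREWALL_IP):
    """Map each destination to (winning route, bypass flag) for a quick report."""
    return {
        d: (resolve_next_hop(routes, d), bypasses_firewall(routes, d, firewall_ip))
        for d in destinations
    }


if __name__ == "__main__":
    # Another spoke, the hub itself, and the local VNet: only the first goes via the FW.
    for dst, (hop, bypass) in audit(SAMPLE_ROUTES, ["10.20.0.5", "10.0.1.4", "10.10.0.9"]).items():
        print(f"{dst:>12} -> {hop}  {'BYPASSES FIREWALL' if bypass else 'via firewall'}")
```

The point the sample makes is that a 0.0.0.0/0 UDR only wins where nothing more specific is active: the system routes for the local VNet (`10.10.0.0/16`) and for the peered hub (`10.0.0.0/16`) are longer prefixes and therefore carry that traffic directly, while a destination in an unpeered spoke falls through to the firewall. Running this over the effective routes of every NIC in each spoke shows exactly which ranges still have a non-firewall next hop.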