Forward/filter network traffic within a vNet (subnet-to-Subnet) & vNet-to-vNet

Porsche Me 136 Reputation points
2021-03-18T19:02:28.22+00:00

Azure Premium Firewall Architecture: Hub & Spoke
Number of Tenants: 1
Number of Subscriptions: multiple
Number of vNets: multiple (each subscription has exactly one vNet)
Number of subnets: multiple (each vNet has multiple subnets)

  1. We move lots of sensitive data (TB in size) between vNets
  2. Within a vNet, various services (separated by subnet) access data
  3. We created private endpoints for Azure resources such as Storage, Key Vault, Databricks and Data Factory in every vNet
  4. In each vNet, every subnet's routing was defined by setting addressPrefix=subnet-ip-cidr, nextHopType=VirtualAppliance and nextHopIpAddress=firewallPrivateIP
  5. Firewall policy was defined for service access to the data (private endpoint) using FQDN

Question:

When a service accesses the data, does it happen via the firewall? In this case, both the service and the data (private endpoint) are present within the same vNet.


1 answer
  1. msrini-MSFT 9,281 Reputation points Microsoft Employee
    2021-05-07T04:20:13.41+00:00

    Hi,

    If you want to send the traffic to the PE via the Firewall you need to add more specific routes, like a /32. In your example, if you add the rule below

    addressPrefix=PrivateEndpointIP/32, nextHopType=VirtualAppliance and nextHopIpAddress=firewallPrivateIP

    then the traffic to the service via Private Endpoint will be sent to Firewall.

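An added worked example, not part of the question or of msrini-MSFT's answer: a small model of how Azure picks the effective route for a packet, showing why the per-subnet UDR from item 4 of the question does not catch private-endpoint traffic and why the /32 UDR from the answer does. It encodes two rules: the longest matching prefix wins, and at equal prefix length a user-defined route beats a system route. The private endpoint itself installs a /32 system route (next hop type InterfaceEndpoint) for its IP, which is more specific than a /24 subnet UDR. All addresses, subnet names and the firewall IP are constructed for the illustration and are not from the original post.

```python
"""Model of Azure VNet route selection for private-endpoint traffic.

Added example, not code from the original Q&A. It models two Azure rules:
  1. the longest matching prefix wins;
  2. at equal prefix length, a user-defined route (UDR) beats a system route.
All addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                     # CIDR, e.g. "10.1.2.0/24"
    next_hop_type: str              # "VnetLocal", "InterfaceEndpoint", "VirtualAppliance", ...
    next_hop_ip: Optional[str] = None
    source: str = "System"          # "System", "BGP" or "User"


# Lower value wins when two routes have the same prefix length.
PRIORITY = {"User": 0, "BGP": 1, "System": 2}


def effective_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the route Azure would apply to traffic destined for dst."""
    d = ipaddress.ip_address(dst)
    candidates = [r for r in routes
                  if d in ipaddress.ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    # Longest prefix first, then route source priority.
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix, strict=False).prefixlen,
                              PRIORITY[r.source]))


def pe_udr(pe_ip: str, fw_ip: str) -> Route:
    """The /32 UDR from the answer: addressPrefix=PrivateEndpointIP/32 -> firewall."""
    return Route(f"{pe_ip}/32", "VirtualAppliance", fw_ip, "User")


# Constructed topology (assumption, not from the post).
VNET = "10.1.0.0/16"
DATA_SUBNET = "10.1.2.0/24"        # subnet hosting the private endpoint
FW_IP = "10.1.0.4"                 # Azure Firewall private IP
PE_IP = "10.1.2.10"                # private endpoint NIC IP (e.g. a storage account)
OTHER_VM_IP = "10.1.2.20"          # an ordinary VM in the same subnet


def system_routes() -> List[Route]:
    """Routes Azure installs automatically; the private endpoint adds a /32."""
    return [
        Route(VNET, "VnetLocal"),
        Route("0.0.0.0/0", "Internet"),
        Route(f"{PE_IP}/32", "InterfaceEndpoint"),   # added by the private endpoint
    ]


def subnet_udr_from_question() -> List[Route]:
    """Item 4 of the question: the whole subnet prefix pointed at the firewall."""
    return [Route(DATA_SUBNET, "VirtualAppliance", FW_IP, "User")]


def route_before_fix(dst: str) -> Route:
    """Routing as configured in the question (subnet-prefix UDR only)."""
    return effective_route(system_routes() + subnet_udr_from_question(), dst)


def route_after_fix(dst: str) -> Route:
    """Routing after adding the /32 UDR for the private endpoint IP."""
    return effective_route(
        system_routes() + subnet_udr_from_question() + [pe_udr(PE_IP, FW_IP)], dst)


if __name__ == "__main__":
    # Traffic to an ordinary VM in the subnet already goes through the firewall ...
    print("VM before fix:", route_before_fix(OTHER_VM_IP))
    # ... but traffic to the private endpoint bypasses it: the PE's own /32
    # system route is more specific than the /24 UDR.
    print("PE before fix:", route_before_fix(PE_IP))
    # With a /32 UDR of equal length, the user route wins and traffic goes
    # to the firewall.
    print("PE after fix: ", route_after_fix(PE_IP))
```

The practical consequence is that a firewall policy written against the private endpoint FQDN is only evaluated for flows that reach the firewall, so every private endpoint whose traffic must be inspected needs its own /32 UDR in the route table of each subnet that talks to it, and the list has to be maintained as endpoints are added or re-created with a new IP.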
