Force vWAN traffic with Azure Firewall and NVA

Arindam Saha (HCL) 1 Reputation point
2021-06-20T20:25:04.257+00:00

In my environment, we have configured multiple spokes which are attached to the hub, and the spokes are not allowed to talk to each other. We have deployed third-party NVAs on each spoke and also have a secure hub in place. Our requirement is that the Azure Firewall on the hub will take the routing decisions for spoke-to-spoke traffic. If I create custom route tables for each spoke and keep the Azure Firewall as the next hop, is there a way to configure the next hop from Azure Firewall to be the third-party NVA?


2 answers

  1. Andreas Baumgarten 102.6K Reputation points MVP
    2021-06-20T21:02:31.067+00:00

    Hi @Arindam Saha (HCL) ,

    "is there a way to configure the next hop from Azure Firewall will be the third party NVA"

    Are you talking about the third party NVA in the target spoke?

    If "yes", I think it should be possible to create a route in the Azure Firewall subnet to route traffic to the target spoke with next hop target spoke NVA.

    Regards
    Andreas Baumgarten


  2. Sanjay Narendran 1 Reputation point
    2021-11-22T05:38:47.857+00:00

    @Arindam Saha (HCL), I have the same issue: once Azure Firewall is added to the hub, there does not appear to be a way to next hop to a 3rd party NVA within a VNet. It even bypasses specific static routes added within the hub<>VNet connection and goes directly to the target IP.
    Let us know in the thread if you found a way around this issue.

    For now, I am thinking of proxying all traffic to the VNet using an Azure load balancer that sits in a subnet between the hub Azure Firewall and the NVA.
