Hub & Spoke with Azure Firewall - Integrating External Businesses

Son 311 Reputation points
2021-12-31T12:19:59.117+00:00

Hi,

I need to find a solution to integrate external businesses into our Azure Hub & Spoke environment with an Azure Firewall. By external businesses I am meaning businesses that we own as a group but are not connected to our normal MPLS network. I will give some background.

Our company is built on acquisitions and historically we would integrate any business we purchased into our MPLS network, migrating users to our AD forest etc. Last year we created an Azure Hub & Spoke environment for these businesses using a resilient Express Route connection from the MPLS. Each company has their own spoke which connects to the Hub, where there is a dedicated Azure Firewall protecting each spoke's traffic to and from each other and the internet. No spokes can communicate to each other directly; all traffic that needs to leave each spoke is routed to the hub and then the routing decision is made there.

We decided that we want all traffic destined to the internet from the Azure environment to route back through the Express Route and out our MPLS perimeter firewalls, so no internet traffic (other than some Azure FW management traffic) is routed out to the internet from the Azure Firewall. It is all passed back down through the ER and out the MPLS firewalls via the advertisement of a default route into the Azure environment via BGP (we have the setting enabled to propagate routes).

This all works great at the moment as all the businesses using that environment are connecting to our MPLS and use the Express Route.

My question is how do we integrate other businesses that we own which we have not migrated to our MPLS and allow them to break out of either their own internet egress like we have? Or is that even possible due to the default route being advertised into the environment?

They would most likely need to connect in using a S2S VPN, then have their traffic from that VPN route through the Azure Firewall first, into their spoke but then is it possible to give them a different egress to the internet instead of sending that traffic down our ER and out our perimeter firewalls?

Hope that makes sense and someone can steer me to know what the possibilities are? Some that spring to mind:

  • Stop the Default Route advertisement from Express Route and allow internet egress from Azure
  • Somehow configure their spoke to send internet traffic out the Azure FW ignoring the default route the other businesses are using from the express route
  • Configure their own Azure environment and Azure Firewall

Accepted answer
    GitaraniSharma-MSFT 49,386 Reputation points Microsoft Employee
    2022-01-07T13:53:48.383+00:00

    Hello @Son ,

    Below is the summary of our discussion:

    You have an ExpressRoute connection from your on-premises to Azure where you have a hub-spoke model and are advertising a default route to block free internet access from all spokes and are filtering that traffic at your on-premises firewall. However, you have another site which is not connected via ExpressRoute and would most likely use a site-to-site VPN for connectivity to its Azure spoke, but you do not want the return traffic to be affected by the advertised default route (where all traffic goes back to your on-premises).

    When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm. If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:
    User-defined route > BGP route > System route
    User-defined routes are higher priority than BGP & default routes.
    Refer : https://video2.skills-academy.com/en-us/azure/virtual-network/virtual-networks-udr-overview#how-azure-selects-a-route

    To send the Internet traffic out via your Azure Firewall, you need to:
    Create a new route table and associate it to the S2S spoke subnets.
    Add a UDR of 0.0.0.0/0 and have the next hop as virtual appliance and the address of the Azure Firewall RFC1918 IP address.

    Regarding your Azure Firewall, since you have forced tunneling enabled on it, you can't undo the configuration and all your traffic which reaches the Azure Firewall will be forced to your ExpressRoute.
    Refer : https://video2.skills-academy.com/en-us/azure/firewall/forced-tunneling

    So, if you want to connect the spoke with a S2S VPN, they would have to route the traffic to the internet down your ExpressRoute, if you want to use the same Azure Firewall.

    If you configure the UDR route for the S2S spoke to say "Next hop type = Internet" then, the egress traffic would not route via the Azure Firewall and will directly go to Internet.

    If you decide not to use forced-tunneling and allow traffic to egress to the internet via the Azure Firewall directly, then you will have to rebuild the firewall without the forced tunneling setting enabled, along with the changes below:

    Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity or stop advertising the default route from on-prem. Post this you can filter the outbound traffic within the Azure Firewall according to your needs by configuring network rules.
    Refer : https://video2.skills-academy.com/en-us/azure/firewall/firewall-faq#is-forced-tunneling-chaining-to-a-network-virtual-appliance-supported

    Hope this helps!

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
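The route selection rule quoted in the accepted answer (longest prefix match, then User-defined route > BGP route > System route on a tie) is easy to check against the thread's three subnet situations with a small model. The block below is an added example, not code from the thread, from Microsoft, or from the asker's environment; it implements only those two rules, and every VNet prefix, on-premises prefix and firewall IP in it is a constructed placeholder rather than a value from the discussion.

```python
"""Model of how Azure picks the effective route for outbound traffic from a subnet.

Added example (not from the Q&A thread or from Microsoft). Implements only the
two rules the accepted answer quotes: longest prefix match first, then for equal
prefixes User-defined route > BGP route > System route. All prefixes and IP
addresses below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Lower value wins when two candidate routes carry the same address prefix.
ROUTE_SOURCE_PRIORITY = {"UserDefined": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                         # address prefix, e.g. "0.0.0.0/0"
    source: str                         # "UserDefined", "BGP" or "System"
    next_hop_type: str                  # VirtualAppliance / Internet / VirtualNetworkGateway / VnetLocal
    next_hop_ip: Optional[str] = None   # only meaningful for VirtualAppliance


def select_route(routes, destination: str) -> Optional[Route]:
    """Return the route Azure would choose for `destination`, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # Longest prefix wins; on a tie the route source decides (UDR > BGP > System).
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                       ROUTE_SOURCE_PRIORITY[r.source]),
    )


# Constructed placeholders for the thread's scenario.
HUB_VNET = "10.0.0.0/16"            # hub VNet holding AzureFirewallSubnet
S2S_SPOKE_VNET = "10.2.0.0/16"      # spoke of the business connected over S2S VPN
ONPREM_PREFIX = "192.168.0.0/16"    # corporate MPLS range learned over ExpressRoute via BGP
FIREWALL_PRIVATE_IP = "10.0.1.4"    # Azure Firewall's RFC1918 address in the hub


def base_routes(vnet_prefix: str):
    """Routes every subnet sees with gateway route propagation on: the VNet system
    route, Azure's default system route to the Internet, and the BGP routes learned
    from on-premises, including the 0.0.0.0/0 default the asker advertises."""
    return [
        Route(vnet_prefix, "System", "VnetLocal"),
        Route("0.0.0.0/0", "System", "Internet"),
        Route(ONPREM_PREFIX, "BGP", "VirtualNetworkGateway"),
        Route("0.0.0.0/0", "BGP", "VirtualNetworkGateway"),
    ]


# A spoke with no route table: the BGP default route sends Internet-bound traffic
# down ExpressRoute, which is the behaviour the asker already has.
MPLS_SPOKE_ROUTES = base_routes(S2S_SPOKE_VNET)

# The S2S spoke after the answer's route table is associated with its subnets:
# UDR 0.0.0.0/0 -> virtual appliance (the firewall's private IP).
S2S_SPOKE_ROUTES = base_routes(S2S_SPOKE_VNET) + [
    Route("0.0.0.0/0", "UserDefined", "VirtualAppliance", FIREWALL_PRIVATE_IP),
]

# AzureFirewallSubnet without forced tunneling: the UDR with next hop Internet
# overrides the learned default route so the firewall keeps direct Internet access.
FIREWALL_SUBNET_ROUTES = base_routes(HUB_VNET) + [
    Route("0.0.0.0/0", "UserDefined", "Internet"),
]


def describe(routes, destination: str) -> str:
    """Human-readable summary of the winning route for one destination."""
    r = select_route(routes, destination)
    if r is None:
        return f"{destination}: no route"
    hop = f"{r.next_hop_type} {r.next_hop_ip}" if r.next_hop_ip else r.next_hop_type
    return f"{destination}: {r.prefix} ({r.source}) -> {hop}"


if __name__ == "__main__":
    tables = [("Spoke with no route table", MPLS_SPOKE_ROUTES),
              ("S2S spoke with UDR to firewall", S2S_SPOKE_ROUTES),
              ("AzureFirewallSubnet, no forced tunneling", FIREWALL_SUBNET_ROUTES)]
    for name, table in tables:
        print(f"== {name}")
        for dst in ("203.0.113.10", "192.168.5.5", "10.2.0.10"):
            print("  " + describe(table, dst))
```

Running it shows the three outcomes the answer describes: Internet-bound traffic from a subnet without a UDR follows the BGP default down ExpressRoute, the S2S spoke's 0.0.0.0/0 UDR sends it to the firewall's private IP instead, and a 0.0.0.0/0 UDR with next hop Internet on AzureFirewallSubnet beats the learned default. It also surfaces a caveat worth checking before rollout: because longest prefix match runs first, the /0 UDR does not capture traffic to the more specific on-premises prefix learned over BGP, so if the S2S spoke's traffic to corporate ranges must also pass through the firewall, equally specific UDRs for those ranges are needed as well.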
