Azure peering with Firewall

Jean-Claude Kalunga 21 Reputation points
2022-06-20T17:21:21.41+00:00

Hi All

I have the following:

Hub:
-----

Hub-Vnet: address space: 10.0.0.0/16
Firewall: subnet: 10.0.1.0/24
RouteTable

Spoke1:
--------

Spoke1-VNet: address space: 10.1.0.0/16
Subnet1: 10.1.0.0/24
spoke1-vm: 10.1.0.4

Spoke2:
--------

Spoke2-VNet: address space: 10.2.0.0/16
Subnet1: 10.2.0.0/24
spoke2-vm: 10.2.0.4

I created a route from spoke1 to the firewall (10.0.1.4) with the spoke2 subnet as the destination, and vice-versa. I also created a network rule in the firewall to allow traffic from spoke1 subnet1 to spoke2 subnet1. In theory, this should ping successfully, but when I tracert from the spoke1 VM to spoke2 I see the traffic gets to the firewall but gets blocked from reaching the VM in spoke2.

Can anyone assist?


Accepted answer
Tchimwa Sougang 936 Reputation points Microsoft Employee
2022-06-20T17:49:11.347+00:00

Hi @Jean-Claude Kalunga, thank you for your question. I believe you should have a route table on each spoke as described below:

RT1: Spoke1-VM:
Destination: 10.2.0.0/16
Next hop type: Virtual Appliance
Next hop IP: 10.0.1.4

RT2: Spoke2-VM:
Destination: 10.1.0.0/16
Next hop type: Virtual Appliance
Next hop IP: 10.0.1.4

Since each spoke is already peered with the Hub VNet, the AzFW knows how to reach each spoke's VM.
You can open a port like 3389 on each VM using an NSG applied to their subnet, then use PsPing to run the test: psping <vm_ip>:3389


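As an added illustration (not part of the question or the accepted answer), the following Python model walks the effective routes of each spoke subnet with the addresses from the post and shows why the reply path needs its own route table on spoke2 while a single stateful firewall network rule is enough. The route-selection and rule-matching logic is a deliberate simplification of Azure's behaviour, assumed here for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the lab in the question: hub 10.0.0.0/16 with Azure
# Firewall at 10.0.1.4, spoke1 10.1.0.0/16 and spoke2 10.2.0.0/16, each
# peered only with the hub (spokes are not peered with each other).
FW_IP = "10.0.1.4"
HUB, SPOKE1, SPOKE2 = "10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"
SPOKE1_VM, SPOKE2_VM = "10.1.0.4", "10.2.0.4"

def effective_routes(own_vnet, udr_prefixes):
    """System routes on a spoke subnet (own VNet, peered hub, default route)
    plus one 'Virtual Appliance' route per UDR prefix pointing at the firewall."""
    table = [(own_vnet, "VnetLocal", None), (HUB, "VNetPeering", None),
             ("0.0.0.0/0", "Internet", None)]
    return table + [(p, "VirtualAppliance", FW_IP) for p in udr_prefixes]

def next_hop(table, dst):
    """Longest-prefix match over the effective routes for one destination."""
    matches = [r for r in table if ip_address(dst) in ip_network(r[0])]
    return max(matches, key=lambda r: ip_network(r[0]).prefixlen)[1]

def rule_allows(rules, src, dst):
    """Network rules are stateful, so only the initiating direction is
    checked; rules are (source_prefix, destination_prefix) pairs."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in rules)

def check_path(rt1_prefixes, rt2_prefixes, rules):
    """Return (ok, reason) for spoke1-vm -> spoke2-vm and the reply."""
    spoke1 = effective_routes(SPOKE1, rt1_prefixes)
    spoke2 = effective_routes(SPOKE2, rt2_prefixes)
    if next_hop(spoke1, SPOKE2_VM) != "VirtualAppliance":
        return False, "request never reaches the firewall (no UDR on spoke1 subnet)"
    if not rule_allows(rules, SPOKE1_VM, SPOKE2_VM):
        return False, "firewall network rule does not allow spoke1 -> spoke2"
    # The firewall forwards to spoke2 over the hub peering and does not SNAT
    # private addresses, so spoke2-vm replies directly to 10.1.0.4.
    if next_hop(spoke2, SPOKE1_VM) != "VirtualAppliance":
        return False, "reply leaves spoke2 via the Internet route and is dropped (no UDR on spoke2 subnet)"
    return True, "symmetric path through the firewall in both directions"

if __name__ == "__main__":
    rules = [("10.1.0.0/24", "10.2.0.0/24")]
    print(check_path([SPOKE2], [SPOKE1], rules))  # both route tables: ok
    print(check_path([SPOKE2], [], rules))        # missing RT2: reply dropped
```

Run it with only the spoke1 route table to reproduce the symptom in the question: the request reaches the firewall, but the reply has no route back through it.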