Azure Firewall Routing

I recently had a customer who had a small Azure environment and was looking to add an Azure Firewall with the following requirements:

  • All traffic between their on-premise environment and Azure should pass through an Azure Firewall.
  • All VM to internet traffic should use the firewall's public IP address.

As you may be aware, all VMs in Azure are connected to the internet via the Azure backbone; a VM does not require a public IP address to reach the internet. This obviously raises some major security concerns. There are a couple of ways around this. One is forced tunnelling, which redirects all internet traffic back to your on-premise network, via S2S VPN or ExpressRoute, for inspection by your on-premise firewall. The other is to add a firewall in Azure, which lets you direct all internet traffic via that firewall and also direct all traffic between Azure and on-premise, in both directions, via the Azure Firewall.

Below is a quick overview of the design: red is the flow from VM to the internet, blue is the flow between on-premise and Azure.

In the above example we have a hub VNet on 10.0.0.0/16 with an S2S VPN and an Azure Firewall on 10.0.3.4, plus a subnet 10.0.2.0/24 containing a single VM on 10.0.2.4. The spoke VNet is peered to the hub VNet with gateway transit enabled. The spoke VNet contains one subnet, 10.1.1.0/24, with a single VM on 10.1.1.4.

The next step is to ensure all internet traffic goes via the firewall and not directly over the Azure backbone. A quick way to check the current state is to find which IP address the VMs are using to access the internet: log into each VM, open your favourite browser and browse to https://www.whatismyip.com/. Both VMs will most likely show the same IP address.

To route all internet traffic to the firewall you will need to create a default route (0.0.0.0/0) with the firewall as the next hop.

First for the hub VNet:

  • Route Table: hubtofirewall
  • Route Name: hubtointernet
  • Address Prefix: 0.0.0.0/0
  • Next hop type: Virtual Appliance
  • Next Hop Address: 10.0.3.4
  • Associated subnet: 10.0.2.0/24

Next the spoke VNet:

  • Route Table: spoketofirewall
  • Route Name: spoketointernet
  • Address Prefix: 0.0.0.0/0
  • Next hop type: Virtual Appliance
  • Next Hop Address: 10.0.3.4
  • Associated subnet: 10.1.1.0/24

To confirm that internet traffic is now traversing the firewall, log back into the VMs and browse to https://www.whatismyip.com/; you will notice the IP has changed to the firewall's public IP address.

The next step is to route all traffic between Azure and on-premise via the firewall. This involves routing traffic destined for the on-premise network (192.168.1.0/24 in this example) to the firewall. In the first route table, hubtofirewall, add the following route:

  • Route Name: hubtoonprem
  • Address Prefix: 192.168.1.0/24
  • Next hop type: Virtual Appliance
  • Next Hop Address: 10.0.3.4

Add the same details to the second route table, spoketofirewall, changing the name:

  • Route Name: spoketoonprem
  • Address Prefix: 192.168.1.0/24
  • Next hop type: Virtual Appliance
  • Next Hop Address: 10.0.3.4

These routes can be confirmed by viewing the effective routes of a VM NIC in each subnet:

Effective routes with hubtofirewall applied (screenshot)

Effective routes with spoketofirewall applied (screenshot)

Now that all traffic from Azure is routed to the firewall, the last step is to route traffic arriving from on-premise via the gateway to the firewall:

  • Route Table: gateway
  • Route Name: gatewaytohub
  • Address Prefix: 10.0.0.0/16
  • Next hop type: Virtual Appliance
  • Next Hop Address: 10.0.3.4
  • Associated subnet: GatewaySubnet

Finally, add the last route to the same route table:

  • Route Name: gatewaytospoke
  • Address Prefix: 10.1.0.0/16
  • Next hop type: Virtual Appliance
  • Next Hop Address: 10.0.3.4

Provided the firewall rules allow the traffic in both directions, all traffic should now traverse the firewall.
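As an added check, not part of the original post, the following Python script models Azure's route selection (longest prefix match first, then UDR over BGP over system route on a tie) over the route tables above and reports the effective next hop for each flow before and after the user-defined routes are applied. The system and BGP routes and the sample destination addresses are constructed to match this design; `10.0.3.4` is the firewall's private IP from the post.

```python
import ipaddress

# Azure tie-break order when two matching routes have the same prefix length.
PRIORITY = {"UDR": 0, "BGP": 1, "System": 2}
FW = "10.0.3.4"  # Azure Firewall private IP used as next hop throughout

# Routes Azure installs without any UDRs (constructed, hub's point of view;
# a spoke subnet sees the mirror image, which does not change the result).
SYSTEM = [
    ("10.0.0.0/16", "VirtualNetwork", "System"),         # hub VNet local
    ("10.1.0.0/16", "VNetPeering", "System"),            # peered spoke VNet
    ("0.0.0.0/0", "Internet", "System"),                 # Azure backbone egress
    ("192.168.1.0/24", "VirtualNetworkGateway", "BGP"),  # on-prem via S2S VPN
]

# User-defined routes from the post, keyed by the associated subnet.
UDR = {
    "10.0.2.0/24": [("0.0.0.0/0", FW, "UDR"), ("192.168.1.0/24", FW, "UDR")],  # hubtofirewall
    "10.1.1.0/24": [("0.0.0.0/0", FW, "UDR"), ("192.168.1.0/24", FW, "UDR")],  # spoketofirewall
    "GatewaySubnet": [("10.0.0.0/16", FW, "UDR"), ("10.1.0.0/16", FW, "UDR")],  # gateway
}

def next_hop(dst, subnet, with_udr=True):
    """Effective next hop for dst from a NIC in `subnet`: the longest matching
    prefix wins; on equal prefix length the higher-priority source wins."""
    routes = SYSTEM + (UDR.get(subnet, []) if with_udr else [])
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop, source in routes:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        key = (-net.prefixlen, PRIORITY[source])  # smaller key = preferred
        if best is None or key < best[0]:
            best = (key, hop)
    return best[1]  # 0.0.0.0/0 always matches, so best is never None

def check_design():
    """Return {flow: (next hop before UDRs, next hop after UDRs)} for the
    flows in the design diagram plus hub-to-spoke VM traffic for comparison."""
    flows = {
        "hub VM -> internet": ("8.8.8.8", "10.0.2.0/24"),
        "spoke VM -> internet": ("8.8.8.8", "10.1.1.0/24"),
        "hub VM -> on-prem": ("192.168.1.10", "10.0.2.0/24"),
        "spoke VM -> on-prem": ("192.168.1.10", "10.1.1.0/24"),
        "gateway -> spoke VM": ("10.1.1.4", "GatewaySubnet"),
        "hub VM -> spoke VM": ("10.1.1.4", "10.0.2.0/24"),
    }
    return {n: (next_hop(d, s, False), next_hop(d, s)) for n, (d, s) in flows.items()}

if __name__ == "__main__":
    for flow, (before, after) in check_design().items():
        print(f"{flow:22} before: {before:22} after: {after}")
```

The last flow shows that hub-to-spoke VM traffic still follows the peering route, since the post's requirements only cover internet and on-premise traffic; compare the output with the effective routes shown in the portal.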

Job done 🙂