This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 84%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESL%3C/text%3E%3C/svg%3E)
Hello experts,
Quick question here when setting up Azure VPN Gateway for site to site VPN from On-prem to Azure for S2S connectiing and also using Azure FW for network perimeter filtering and inspection from On-prem to Azure.
Now on the Gateway subnet I will set up UDR for the so that traffic coming into Azure will be routed via the firewall. My question is this, since UDR will not be applied to the Azure Firewall, how does Azure Firewall learn about the On-premise routes for traffic going back to On-prem.
Regards,
Shola
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 36%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
anonymous user You need to have a routing rule in the FW's subnet route-table pointing traffic for the on-premise to the virtual network gateway. Let me know if this helps. Thank you!
Hi Saikishor,
@SaiKishor-MSFT Thanks for the response...so if I understand what you are saying...a UDR will be attached to the Azure FW subnet with a next hop of "Virtual Network Gateway" to route traffic to back to on-premise.
So the question is this in an hub and spoke where in we have UDR attached to the spoke that routes traffic back the On-prem network address via the FW...doesn't it make it redundant to have a UDR attached to the FW subnet?
Finally, does the on-prem addresses propagates automatically to the Azure FW subnet?
anonymous user The on-premise route should automatically propagate to the Azure FW subnet if you have the propagate gateway routes option for the route table set to yes (this is set to yes by default unless you choose no when configuring the route table).
Regarding attaching UDR to FW subnet, please understand that the Azure Firewall does not do routing by itself and is only acting as a filtering entity here. The routing is performed by the FW subnets route table and that is why it needs to have a route for the on-premise pointing to the Virtual Network Gateway.
Please let me know if you have any further questions/concerns. Thank you!
@SaiKishor-MSFT thanks for the response
Quick question here you mentioned "If you are not using BGP for the S-S VPN, you will need to add the route manually to the route table."
From the above, Am I correct to say this route are part of the VPN Local Network Gateway if the S-S VPN set up doesn't use BGP? and these routes should be automatically part of the default system routes for even the Azure Firewall Subnet?
Also, just confirm the flow of traffic here based on the Azure Firewall UDR
Traffic from On-prem to Azure
On-prem->VPN Gateway->UDR->Azure FW->Azure Vnet
Traffic from Azure to On-Prem
Azure Vnet->UDR->Azure FW->UDR->VPNGateway->On-prem VNet
Thanks
anonymous user
The traffic flow looks right. Wrt to the route propagation, I believe the route should be propagated automatically irrespective of BGP or not. However, I would like to confirm this by doing some further investigation. Would it be okay if I update the thread shortly regarding this?
Thanks @SaiKishor-MSFT
Yes it will very much okay if you update the thread with this much appreciated.
@SaiKishor-MSFT , just wanted to ask if you have any updates
anonymous user Thank you for your patience while I was investigating this further.
Wrt to route propagation, all routes will be propagated via the VPN Gateway to the route table irrespective of BGP or not. However, the only difference would be that, for BGP based tunnels, you would not have to manually enter the on-premise networks when configuring the Local Area Network Gateway and it is automatically learnt by the VPN Gateway and propagated to the route table. In case of non BGP based tunnels, you have to manually add the routes to the LAN configuration address space and then if you have propagation enabled, it will be propagated as well.
Feel free to test this out and let me know if you have any further questions/concerns. Thank you!
Thanks @SaiKishor-MSFT
My thought exactly