Route all outgoing traffic from Azure VM via Azure Firewall to on-premises

Anonymous
2024-02-22T15:45:08.0866667+00:00

We are utilizing a Hub and Spoke network topology within our Azure environment and are aiming to establish a network architecture that mirrors this setup. Specifically, we have an Azure VM located in a Spoke (subnet) that is peered with the Hub VNet housing the Azure Firewall. The primary purpose of the Azure Firewall is to restrict all internet connections and direct traffic towards the on-premises network. Both the Azure network and the on-premises network are linked through an S2S VPN connection. To define a route for the Azure VM to follow, ensuring it passes through the hub towards the on-premises network and subsequently to the Internet, what steps should be taken?

The end goal (a PoC) is to connect an Azure VM to the Internet exclusively through the on-premises network.


Accepted answer
KapilAnanth-MSFT 36,396 Reputation points Microsoft Employee
2024-02-29T13:56:06.3233333+00:00

@Salem Elaiba,

I am afraid this won't be possible. Resource-specific traffic routing is not possible.

I am not sure how Azure VDI is configured; however, if this is a part of a subnet, then you can still use Azure Route Tables (UDR).

Before doing this, I would suggest you deploy a test VM in Azure and make sure forced tunneling is properly configured for this VM.

If this works, then please make the configuration changes in the VDI environment.

Looking at the Networking components and concepts for AVD, this should be supported.

• In a forced-tunneling scenario, all internet-bound traffic that originates on Azure virtual machines (VMs) is routed, or forced, to go through an inspection and auditing appliance. Unauthorized internet access can potentially lead to information disclosure or other types of security breaches without the traffic inspection or audit.
• User-defined routes (UDRs) can be used to override Azure default system routes. You can also use UDRs to add extra routes to a subnet route table.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks, Kapil

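The forced-tunneling setup the answer points to (spoke VM to Azure Firewall, firewall to the VPN gateway, VPN gateway defaulting to the on-premises site), as an added Azure CLI example that is not part of the question or answer. Resource group, VNet, subnet and gateway names, the firewall private IP and the local network gateway name are assumptions, and on-premises is assumed to accept a default route over the S2S tunnel.

```shell
#!/usr/bin/env bash
# Added example (not the question's or answer's own code): spoke VM -> Azure Firewall
# -> VPN gateway -> on-premises -> Internet. All names and IPs are assumptions.
set -eu
RG="${RG:-rg-hub-spoke-poc}"
HUB_VNET="${HUB_VNET:-vnet-hub}"
SPOKE_VNET="${SPOKE_VNET:-vnet-spoke}"
SPOKE_SUBNET="${SPOKE_SUBNET:-snet-vm}"
FW_PRIVATE_IP="${FW_PRIVATE_IP:-10.0.1.4}"   # assumed Azure Firewall private IP
VPN_GW="${VPN_GW:-vgw-hub}"
ONPREM_SITE="${ONPREM_SITE:-lgw-onprem}"     # assumed local network gateway name
DRY_RUN="${DRY_RUN:-0}"
# Execute the command, or only print it when DRY_RUN=1 so the plan can be reviewed.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. Spoke subnet UDR: 0.0.0.0/0 -> firewall private IP overrides the default Internet
#    route; BGP propagation off so routes learned over the VPN cannot bypass the firewall.
spoke_routes() {
  run az network route-table create -g "$RG" -n rt-spoke --disable-bgp-route-propagation true
  run az network route-table route create -g "$RG" --route-table-name rt-spoke \
      -n default-via-fw --address-prefix 0.0.0.0/0 \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIVATE_IP"
  run az network vnet subnet update -g "$RG" --vnet-name "$SPOKE_VNET" \
      -n "$SPOKE_SUBNET" --route-table rt-spoke
}

# 2. AzureFirewallSubnet UDR: the firewall's own egress goes to the VPN gateway
#    (Azure Firewall forced tunneling; the firewall needs its management subnet for this).
firewall_routes() {
  run az network route-table create -g "$RG" -n rt-fw
  run az network route-table route create -g "$RG" --route-table-name rt-fw \
      -n default-via-vpn --address-prefix 0.0.0.0/0 --next-hop-type VirtualNetworkGateway
  run az network vnet subnet update -g "$RG" --vnet-name "$HUB_VNET" \
      -n AzureFirewallSubnet --route-table rt-fw
}

# 3. VPN gateway: on-premises becomes the default site, so 0.0.0.0/0 rides the S2S tunnel.
gateway_default_site() {
  run az network vnet-gateway update -g "$RG" -n "$VPN_GW" --gateway-default-site "$ONPREM_SITE"
}

# 4. From the test VM's NIC, confirm 0.0.0.0/0 now points at the firewall (VirtualAppliance).
verify_effective_routes() {
  run az network nic show-effective-route-table -g "$RG" -n "$1" -o table
}

case "${1:-}" in
  plan)  DRY_RUN=1; spoke_routes; firewall_routes; gateway_default_site ;;
  apply) spoke_routes; firewall_routes; gateway_default_site ;;
esac
```

Run it with `plan` to review the commands, then `apply`; afterwards `verify_effective_routes <vm-nic-name>` should list 0.0.0.0/0 with next hop type VirtualAppliance and the firewall's private IP, which is the check the answer recommends before touching the real environment.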
