Route table on VPN gateway subnet issue

Rim Abboudi 16 Reputation points Microsoft Employee
2021-05-26T17:43:39.633+00:00

Hello,

We have set up a VPN between Azure and on-premises with BGP enabled, and it works fine. One of the requirements is that all the traffic (from and to on-premises) should be filtered by an Azure Firewall, so we set up the Azure Firewall and added a UDR on the gateway subnet to route the traffic coming from on-premises to the Azure Firewall.
The routing rule placed on the gateway subnet is as follows:

  • Address prefix = the address range allocated to Azure
  • Next hop type = Virtual appliance
  • Next hop IP address = the private ip address of the Azure Firewall
    The routing rules placed on the AzureFirewallSubnet are as follows:
  • Rule 1: 0.0.0.0/0 -> Internet
  • Rule 2: the address range allocated to Azure -> Virtual Network
  • Rule 3: the on-premises address ranges -> Virtual Network Gateway
    The routing rule placed on a subnet in the same VNet as the VPN gateway and the Azure Firewall (the subnet contains a VM for testing purposes):
  • 0.0.0.0/0 -> the private IP address of the Azure Firewall

When we try to ping the VM from on-premises with no UDR, it works just fine.
When we position these custom route tables, it does not work anymore (we tested with BGP propagation enabled on the route table positioned on the gateway subnet as well). Nothing shows in the Azure Firewall logs (the flows are allowed on the Azure Firewall).

Are we missing something? Your help would be really great.
Thank you


6 answers

  1. Rim Abboudi 16 Reputation points Microsoft Employee
    2021-06-02T18:19:28.917+00:00

    Hello,

    Thank you for your response. I'll remove the UDR from the Azure Firewall subnet.

    Actually, the traffic coming from on-premises must go through the Azure Firewall for filtering, and that's why we need the UDR on the VPN gateway subnet; otherwise the traffic will reach the destination and bypass the Azure Firewall.

    Thank you for your precious help!


  2. SaiKishor-MSFT 17,181 Reputation points
    2021-06-01T21:47:59.84+00:00

    @Anonymous Thank you for reaching out to Microsoft Q&A.

    I understand that you have questions regarding your S2S VPN routing. Upon looking at your setup, you need the following routes:

    • You do not need to add a UDR to the firewall subnet, as it learns the routes via BGP.
    • To route the subnet traffic through the firewall, you need a User Defined Route (UDR) that points to the firewall on the subnet's route table.
    • The gateway subnet should have a system route to route traffic to the VNet by default, so you won't need to add anything here either.

    As you mentioned, without the UDR route, everything works well, right? Is there any reason that you want to add this UDR?

    Thank you!


  3. Rim Abboudi 16 Reputation points Microsoft Employee
    2021-06-03T08:25:56.023+00:00

    Hello,

    The issue is still present when we add the route table on the VPN gateway subnet, and we need the route table to ensure that the traffic goes through the Azure Firewall.


  4. Morten Pedholt 1 Reputation point MVP
    2021-06-09T04:42:10.883+00:00

    @Anonymous I am also having this issue; please share if you find a solution.


  5. Rim Abboudi 16 Reputation points Microsoft Employee
    2021-06-14T07:51:25.137+00:00

    Hello,

    Yes, I've done the same as you (VPN route table). I've also added a specific route to the VNet containing the Azure Firewall (virtual appliance in your case) on the spoke VNets to force the traffic to the Azure Firewall, and I disabled BGP propagation on all the route tables except the VPN gateway one.
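    To see why BGP propagation matters for the route tables described in the question and in the last reply, here is an added example (not code from the thread or from Azure) that models Azure's effective-route selection: longest prefix match first, then UDR over BGP over the system default. The address ranges and firewall IP are constructed placeholders; the three route tables mirror the ones in the question.

```python
import ipaddress
from dataclasses import dataclass

# Tie-break order Azure applies when two routes have the same prefix length.
ORIGIN_RANK = {"UDR": 0, "BGP": 1, "Default": 2}

@dataclass(frozen=True)
class Route:
    prefix: str    # CIDR
    next_hop: str  # "VirtualAppliance:<ip>", "VirtualNetworkGateway", "VirtualNetwork", "Internet"
    origin: str    # "UDR", "BGP" or "Default"

def effective_next_hop(routes, dest_ip):
    """Longest prefix match; on equal length UDR beats BGP beats system default."""
    dest = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    best = max(matches, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                       -ORIGIN_RANK[r.origin]))
    return best.next_hop

def without_bgp(routes):
    """Effective routes when 'Propagate gateway routes' is disabled on the table."""
    return [r for r in routes if r.origin != "BGP"]

# Constructed sample values (hypothetical, not from the thread).
VNET = "10.1.0.0/16"             # address range allocated to Azure
ONPREM = "192.168.0.0/16"        # on-premises range learned over BGP
FW = "VirtualAppliance:10.1.1.4" # private IP of the Azure Firewall

GATEWAY_SUBNET = [
    Route(VNET, "VirtualNetwork", "Default"),
    Route(ONPREM, "VirtualNetworkGateway", "BGP"),
    Route(VNET, FW, "UDR"),  # the UDR added on the gateway subnet
]
FIREWALL_SUBNET = [
    Route(VNET, "VirtualNetwork", "Default"),
    Route(ONPREM, "VirtualNetworkGateway", "BGP"),  # only present while propagation is on
    Route("0.0.0.0/0", "Internet", "UDR"),
]
VM_SUBNET = [
    Route(VNET, "VirtualNetwork", "Default"),
    Route(ONPREM, "VirtualNetworkGateway", "BGP"),
    Route("0.0.0.0/0", FW, "UDR"),
]
```

    Note that with BGP propagation left on, the VM subnet's /16 BGP route to on-premises beats the /0 UDR, so replies skip the firewall; with propagation off on the firewall subnet, on-premises traffic falls to the 0.0.0.0/0 Internet route instead.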