Can you tell us how to configure multiple-spoke virtual networks in Azure Firewall when you adopt a hub-spoke network topology in Azure?
Hello @GitaraniSharmaMSFT-4262 ,
Thank you very much.
The information in the answer was helpful, and the linked guidance was helpful as well.
Hello @SHIMIZUTAKAHIRO-0306 ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
In order to set up a Hub and Spoke architecture with an Azure Firewall, you will have to:
- Deploy the Azure Firewall in the Hub subnet.
- Peer the Hub and Spoke VNets.
- Create User Defined Routes (UDRs) on the spoke subnets that point to the Azure Firewall IP address as the default gateway.
If you have a site-to-site connection using a VPN gateway between Azure and your on-premises network and need the traffic to go through Azure Firewall, then for the spokes to use the hub gateway to communicate with remote networks, you must create a UDR on the hub gateway subnet pointing to the firewall IP address as the next hop and configure the options below in the Hub-spoke VNet peering:
- Configure the peering connection in the hub to allow gateway transit.
- Configure the peering connection in each spoke to use remote gateways.
- Configure all peering connections to allow forwarded traffic.
Here are a few docs on Hub and Spoke architectures with Azure Firewall for your reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli
https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/hub-spoke-network-topology
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" below if the information helped you. This will help us and others in the community as well.
Hi, @GitaraniSharmaMSFT-4262. Does Azure Firewall work across different subscriptions?
Hello @EnterpriseArchitect ,
Yes, Azure Firewall works across different subscriptions.
You can deploy Azure Firewall on any virtual network, but customers typically deploy it on a central virtual network and peer other virtual networks to it in a hub-and-spoke model. You can then set the default route from the peered virtual networks to point to this central firewall virtual network. The advantage of this model is the ability to centrally exert control on multiple spoke VNETs across different subscriptions. There are also cost savings as you don't need to deploy a firewall in each VNet separately.
Regards,
Gita
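The two answers above (the hub-spoke steps with peering flags and UDRs, and the cross-subscription note) as one Az PowerShell script. This is an added example written for this page, not code from the answers or from the linked tutorials; the resource group, region, names and address ranges are assumptions, and it assumes you have already run Connect-AzAccount. Peering is done by resource ID, which is the same call whether the spoke VNet sits in this subscription or another one (given Network Contributor rights on both sides).

```powershell
# Added example (not from the original answers). All names, prefixes, the
# resource group and the region below are assumed values for illustration.
$rg  = 'rg-hubspoke-demo'   # assumed, must already exist
$loc = 'westeurope'         # assumed region

# 1. Hub VNet. AzureFirewallSubnet must carry exactly that name and be at least a /26.
#    GatewaySubnet is where the VPN gateway would be deployed (not created here).
$fwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix '10.0.0.0/26'
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.1.0/27'
$hubVnet  = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $loc `
    -AddressPrefix '10.0.0.0/16' -Subnet $fwSubnet, $gwSubnet

# 2. Spoke VNet. It may live in another subscription; only its resource ID is
#    needed for the peering below, which is what makes the cross-subscription case work.
$spokeSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-workload' -AddressPrefix '10.1.0.0/24'
$spokeVnet   = New-AzVirtualNetwork -Name 'vnet-spoke1' -ResourceGroupName $rg -Location $loc `
    -AddressPrefix '10.1.0.0/16' -Subnet $spokeSubnet

# 3. Azure Firewall in the hub. Its private IP is the next hop for every UDR.
$fwPip = New-AzPublicIpAddress -Name 'pip-fw-hub' -ResourceGroupName $rg -Location $loc `
    -AllocationMethod Static -Sku Standard
$fw = New-AzFirewall -Name 'fw-hub' -ResourceGroupName $rg -Location $loc `
    -VirtualNetwork $hubVnet -PublicIpAddress $fwPip
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# 4. Peering. Hub side: allow gateway transit. Spoke side: use the remote gateway.
#    Both sides: allow forwarded traffic, or packets forwarded by the firewall are dropped.
#    -UseRemoteGateways only succeeds once a gateway exists in the hub GatewaySubnet;
#    leave it out until the VPN gateway has been deployed.
Add-AzVirtualNetworkPeering -Name 'hub-to-spoke1' -VirtualNetwork $hubVnet `
    -RemoteVirtualNetworkId $spokeVnet.Id -AllowForwardedTraffic -AllowGatewayTransit
Add-AzVirtualNetworkPeering -Name 'spoke1-to-hub' -VirtualNetwork $spokeVnet `
    -RemoteVirtualNetworkId $hubVnet.Id -AllowForwardedTraffic -UseRemoteGateways

# 5. Spoke UDR: default route to the firewall. BGP route propagation is disabled so
#    on-premises prefixes learned via the hub gateway cannot bypass the firewall.
$defaultRoute = New-AzRouteConfig -Name 'default-via-fw' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$spokeRt = New-AzRouteTable -Name 'rt-spoke1' -ResourceGroupName $rg -Location $loc `
    -Route $defaultRoute -DisableBgpRoutePropagation
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $spokeVnet -Name 'snet-workload' `
    -AddressPrefix '10.1.0.0/24' -RouteTable $spokeRt | Set-AzVirtualNetwork

# 6. GatewaySubnet UDR: traffic from on-premises towards the spoke goes through the
#    firewall as well. Keep BGP propagation enabled on this route table.
$toSpoke = New-AzRouteConfig -Name 'spoke1-via-fw' -AddressPrefix '10.1.0.0/16' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$gwRt = New-AzRouteTable -Name 'rt-gateway' -ResourceGroupName $rg -Location $loc -Route $toSpoke
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $hubVnet -Name 'GatewaySubnet' `
    -AddressPrefix '10.0.1.0/27' -RouteTable $gwRt | Set-AzVirtualNetwork

# 7. Check: once a VM exists in the spoke subnet, its effective routes must show
#    0.0.0.0/0 with NextHopType VirtualAppliance and the firewall private IP.
#    (NIC name is hypothetical.)
# Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName 'nic-spoke1-vm' |
#     Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' }
```

A freshly deployed Azure Firewall denies everything, so after this script nothing crosses the hub until you add network and application rules (for example with New-AzFirewallNetworkRule and the matching rule collection). The cross-subscription variant differs only in step 2: obtain the spoke with Get-AzVirtualNetwork after Set-AzContext to that subscription, and pass its .Id to Add-AzVirtualNetworkPeering as above.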
Hi @GitaraniSharmaMSFT-4262. Is Azure Firewall required, or can it be deployed, when a web application or Kubernetes/containerized apps are deployed behind Azure Application Gateway (WAF - Web Application Firewall)?