question

BigfootDivorcedMe03-0944 asked GitaraniSharmaMSFT-4262 answered

Azure InterfaceEndpoint Routes Bypassing Palo Alto Firewall

Situation: Deployed two Palo Alto VM firewalls in Azure in a 'Transit VNet' following the Palo Alto Networks design, https://www.paloaltonetworks.com/resources/reference-architectures/azure.


When you peer a VNet to the Transit VNet, the remote VNet’s network is learned in all of the routing tables on the Transit VNet. To force traffic to take the Palo Alto firewalls:

- The Route Table on the remote VNet needs a UDR installed to point traffic to the load balancer’s frontend IP.

- The Route Table on the Virtual Network Gateway Subnet needs a UDR for the remote VNet’s network to point traffic to the load balancer’s frontend IP.


[Screenshot: 131217-image.png]


Route Tables have a UDR entry limitation of 400 entries, https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-...


Some resources, when deployed, create an InterfaceEndpoint route which advertises its own /32 route to the Transit VNet:

- Since these are more specific routes (/32 versus /23, as an example) than the existing UDR on the Virtual Network Gateway Subnet that covers the Subscriber VNet’s network, traffic bypasses the firewall.

- The only resolution that Microsoft has given is to update the UDR on the Virtual Network Gateway Subnet to cover the /32 route for the individual InterfaceEndpoint's IP address.


This causes the following issues:

- It causes a security problem because anytime an InterfaceEndpoint route is created, it bypasses the firewall. This causes a secondary problem in that folks managing the Transit VNet have to catch these being built so you can add the needed UDR on the Virtual Network Gateway Subnet's Route Table to get traffic routed to the load balancer so it can get to the firewall.

- It’s unscalable to be adding a UDR on the Virtual Network Gateway Subnet's Route Table every time an InterfaceEndpoint route is created, given the 400 UDR limitation on route tables.


Has anybody else experienced the same thing and if so, what was the resolution? If you haven't seen it, any suggestions for resolution?


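To see why the /32 InterfaceEndpoint route wins over the /23 UDR, and to check which Private Endpoints on a gateway subnet still bypass the firewall, here is an added Python example (not from the original post or from Microsoft) that models Azure's effective-route selection: longest prefix match first, then User-defined > BGP > System on an exact prefix tie. The addresses are constructed and the `select_route` / `find_firewall_bypasses` names are my own.

```python
import ipaddress
from dataclasses import dataclass

# Azure picks the longest prefix match first; on an exact prefix tie the
# priority is User-defined route > BGP route > System route.
ROUTE_TYPE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str          # CIDR, e.g. "10.20.0.0/23"
    next_hop: str        # "VirtualAppliance", "InterfaceEndpoint", "VnetPeering", ...
    source: str          # "User", "BGP" or "System"
    next_hop_ip: str = ""  # only meaningful for VirtualAppliance next hops


def select_route(routes, dest_ip):
    """Return the effective route Azure would use for dest_ip, or None."""
    dest = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                          ROUTE_TYPE_PRIORITY[r.source]))


def find_firewall_bypasses(routes, firewall_lb_ip):
    """InterfaceEndpoint (Private Endpoint) routes whose traffic never reaches the firewall LB.

    A /32 system route only loses to a UDR of the same /32 pointing at the appliance,
    so every endpoint lacking such a UDR shows up here.
    """
    bypassed = []
    for r in routes:
        if r.next_hop != "InterfaceEndpoint":
            continue
        winner = select_route(routes, r.prefix.split("/")[0])
        if not (winner.next_hop == "VirtualAppliance" and winner.next_hop_ip == firewall_lb_ip):
            bypassed.append(r)
    return bypassed


# Constructed sample: effective routes of the Virtual Network Gateway subnet (hypothetical IPs)
FIREWALL_LB_IP = "10.0.1.4"
SAMPLE_ROUTES = [
    Route("10.20.0.0/23", "VirtualAppliance", "User", FIREWALL_LB_IP),  # UDR for the peered VNet
    Route("10.20.0.0/23", "VnetPeering", "System"),                      # system peering route
    Route("10.20.1.5/32", "InterfaceEndpoint", "System"),                # Private Endpoint, no /32 UDR
    Route("10.20.1.6/32", "InterfaceEndpoint", "System"),                # Private Endpoint ...
    Route("10.20.1.6/32", "VirtualAppliance", "User", FIREWALL_LB_IP),   # ... covered by a /32 UDR
]

if __name__ == "__main__":
    for r in find_firewall_bypasses(SAMPLE_ROUTES, FIREWALL_LB_IP):
        print("bypasses firewall:", r.prefix)
```

Run against the real effective routes of the gateway subnet (exported from the portal or CLI into the same fields) to catch new Private Endpoints before they reach the 400-route limit.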

Hello @BigfootDivorcedMe03-0944 ,

Apologies for the delay in response.

May I know if the below PaaS Interface Endpoint is a Private Endpoint service that you have deployed?

[Screenshot: 131906-image.png]

Interface Endpoint routes are applied when a Private Endpoint service is deployed, and your scenario looks like Scenario 2 from the below article, which is why it's possible to run into the 400 routes limit on UDR.
https://docs.microsoft.com/en-us/azure/private-link/inspect-traffic-with-azure-firewall
Could you please confirm?

Thanks,
Gita



GitaraniSharma-MSFT,

That is correct, the PaaS Interface Endpoint is indeed a Private Endpoint service. So the particular scenario in the link you referenced is the fourth one. If I'm understanding what the article is saying correctly, the needed action is to add a UDR to the Virtual Network Gateway's Route Table every time a new Private Endpoint is created. Due to the 400 UDR limitation, this is an unscalable means of resolution, as a handful of peered VNets could deploy enough resources with Private Endpoints to overwhelm that 400 UDR limitation.


1 Answer

GitaraniSharmaMSFT-4262 answered

Hello @BigfootDivorcedMe03-0944 ,

Yes, currently the only way to force the Private Endpoint traffic to the firewall is to add a UDR with a /32 route. Hence, it is advised to use a dedicated Virtual Network for Private Endpoints as shown in Scenario 1 of the below article, as this configuration reduces administrative overhead and prevents running into the limit of 400 routes.
https://docs.microsoft.com/en-us/azure/private-link/inspect-traffic-with-azure-firewall

The resolution in your scenario would be the use of the Public preview feature of UDR support in Private Endpoints. This feature enables you to route traffic destined for a Private Endpoint over an NVA or Firewall without complex configuration of specific routes (UDR) on the subnets. This also enables you to easily scale on Private Endpoints without reaching any limit on UDRs while satisfying auditing and compliance requirements.
However, this preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
Refer: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview#limitations

So, you can either opt for this Public preview of UDR support by registering the feature now, or wait until it's GA with an SLA.
In case you would like to try out the Public preview of UDR support, you can refer to the below article:
https://azure.microsoft.com/en-us/updates/public-preview-of-private-link-udr-support/

NOTE: This feature will be available in the following regions:
UsEast2Euap, UsCentralEuap, WestCentralUS, WestUS, WestUS2, EastUS, EastUS2

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
