MatB-0201 asked:

Azure ExpressRoute forced tunneling with NVA

I want to set up forced tunneling in Azure. All traffic destined to the internet should be routed to on-prem and exit to the internet from there.
- As far as I understand, I need to advertise a default route via BGP in Azure so that it replaces the internet default route and sends everything to on-prem via ExpressRoute.
- Then I make the UDR next hop the NVA (Cisco firewall) on all subnets in Azure.

All traffic from Azure subnets will go to the NVA, and from there it will be routed to on-prem or to another VNet.

The question is: what about the traffic coming from on-prem to Azure? I want that traffic to also go through the NVA (Cisco firewall). How could it be done, as the gateway subnet does not support UDRs with an ExpressRoute setup?


1 Answer

GitaraniSharmaMSFT-4262 answered (2 votes):

Hello @MatB-0201 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Your initial understanding of the setup is correct.
You will have to advertise a default route via BGP from your on-premises to Azure, so that all your Azure traffic is sent to your on-premises via the ExpressRoute. And in order to filter all that traffic by an NVA, you can add a UDR on all the subnets (except the NVA subnet) with the next hop as your Cisco Firewall NVA.

This setup will take care of the routing from Azure to on-prem, which will go as below:
All subnets --> Cisco NVA --> ExpressRoute gateway --> On-premises.

Now coming back to your question about the return traffic: yes, the GatewaySubnet does not support UDRs, but it does support UDRs with other address prefixes.
Hence, you can add a UDR to the ExpressRoute GatewaySubnet with the address prefix of your VNet range, next hop type Virtual Appliance and the IP address of your Cisco NVA. This will make sure that any traffic that comes from your on-premises for your Azure VNet range, when it reaches your ExpressRoute gateway, will be forwarded to the Cisco NVA.

For example: if your VNet address range is then you can add a UDR to your ExpressRoute GatewaySubnet as below:
Address prefix: --> Next hop = Virtual Appliance --> Next hop = IP address of Cisco NVA
So the routing from on-prem to Azure will go as below:
On-premises --> ExpressRoute gateway --> Cisco NVA --> All subnets.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Very well explained, will try. Thank you. I have the NVA behind an ILB; hope this will work fine in that setup too?

1 Vote

Tested a bit more about this issue. It looks like traffic is actually passing through the Cisco NVA but somehow is not visible in the event logs. Azure Connection troubleshoot is also not showing the correct path. I added a block rule in the Cisco NVA, which showed the event logs and blocked the traffic too.

1 Vote

Thank you for the update, @MatB-0201.

Please let us know if you need any further assistance on this issue.


0 Votes

kaadmin-6235 (replying to GitaraniSharmaMSFT-4262):

Hi Sharma,

The case above depicts the scenario we have. But in our case, we use a Palo Alto NVA behind an ILB. All routing looks fine, but the return traffic doesn't go through the Palo NVA with this setup...

Azure to on-prem works fine like this:
Subnets --> ILB --> Palo NVA --> ExpressRoute gateway --> On-premises

The routing from on-prem to Azure should go as below:
On-premises --> ExpressRoute gateway --> ILB --> Palo NVA --> All subnets.

Instead it goes like this, causing an asymmetric traffic flow:
On-premises --> ExpressRoute gateway --> All subnets

What could be the problem?

0 Votes

What if I want traffic to my NVA management subnet to go directly? What will the UDR look like? Will it be destination = management subnet, next hop = virtual network, or the gateway IP address of the management subnet?

0 Votes

Hello @MatB-0201 ,

Could you please explain this query a bit further? Which traffic are you referring to here & from where?


0 Votes

MatB-0201 (replying to GitaraniSharmaMSFT-4262):

I have the NVA in another management subnet behind an internal load balancer. The on-prem FMC needs to talk to the NVA, which is a Cisco FTD. With a route to the NVA on the GatewaySubnet, all traffic, including traffic to the NVA management subnet, was going towards the NVA interface. I applied a more specific route for the NVA management subnet with next hop virtual network. This seems to be working fine.

I noticed that routing to bigger subnets, like a /16, is not working; it works fine when I apply routing to more specific /24 subnets. If I have many /24 subnets in a VNet, then a route towards all of them with a /16 should work fine?

Second question: after advertising the default route to Azure, if I want to restrict some traffic going to on-prem networks, what type of UDR can be applied in Azure? Is a network route with next hop NONE for this purpose?

0 Votes
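As an added example (not code from the thread, from Microsoft, or from Cisco), the route tables described in the accepted answer and in the management-subnet comment above, written as a Bicep template; the VNet range, the NVA management subnet and the ILB front-end IP are constructed placeholders, and the route table names are arbitrary:

```bicep
// Added example: constructed address ranges, not values from the thread.
param location string = resourceGroup().location
param vnetRange string = '10.10.0.0/16'        // assumed VNet address range
param nvaMgmtSubnet string = '10.10.250.0/24'  // assumed NVA management subnet
param nvaIlbFrontendIp string = '10.10.255.4'  // assumed ILB front-end IP in front of the NVA

// Route table for the workload subnets: everything (including traffic for the
// BGP-advertised default route) is sent to the NVA. BGP propagation is disabled so
// the subnets do not also receive direct routes to on-prem prefixes from the gateway.
resource workloadRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-workload-to-nva'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-nva'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaIlbFrontendIp
        }
      }
    ]
  }
}

// Route table for the GatewaySubnet: return traffic for the VNet range goes to the NVA,
// except the NVA's own management subnet, which stays in the VNet (the more specific
// prefix wins over the /16). No 0.0.0.0/0 route and no BGP-propagation change here.
resource gatewayRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-gatewaysubnet-to-nva'
  location: location
  properties: {
    routes: [
      {
        name: 'vnet-via-nva'
        properties: {
          addressPrefix: vnetRange
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaIlbFrontendIp
        }
      }
      {
        name: 'nva-mgmt-direct'
        properties: {
          addressPrefix: nvaMgmtSubnet
          nextHopType: 'VnetLocal'
        }
      }
    ]
  }
}
```

Pointing the next hop at an ILB front end assumes a Standard internal load balancer with an HA-ports rule in front of the NVA; the two route tables are then associated with the workload subnets and with the GatewaySubnet respectively.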

Thank you for the detailed answer. One thing is still not clear about UDRs:
Take this flow:
All subnets --> Cisco NVA (ILB/FW) --> ExpressRoute gateway --> On-premises.

ICMP traffic from an Azure VM to an on-premises resource is working fine, going through the firewall as intended, but when I change the destination port, e.g. TCP 4040, it goes directly to the on-premises resource, bypassing the firewall. I cannot understand why this is so. I have also tried a /32 UDR to the resource. Route propagation on the subnet is OFF, so it does not have a direct route to on-premises routes. I have checked the effective routes.

The next hop shows the correct NVA IP of the ILB. Azure Connection troubleshoot also reflects the same: the correct path while using ICMP, but going directly with any other port.

I am actually trying to use an on-premises proxy server for internet traffic instead of routing a default route in Azure as previously discussed.
Note: the on-prem proxy server is using an IP address from a public IP range.

0 Votes

Hello @MatB-0201 ,

I won't be able to confirm the cause of this issue without checking your setup.

Could you please send us an email as requested over the private message?

Gita Sharma

0 Votes