Forum Discussion

Michail_Kops
Copper Contributor
Oct 02, 2021
Solved

Azure Firewall Cross Region Connection

Hi, I want to ask a question because I am a little bit frustrated. Can I use the same Azure Firewall instance to connect 2 VMs that are in the same resource group but in different regions? ...
pazdedav
Oct 13, 2021

Hi Michail_Kops,

    To elaborate a bit more on the answer provided by ibrahimambodji:


    As you know, VNets don't span multiple regions, so I assume that you have one VNet in each region, where you deployed VMs.


    The recommended approach is to use the 'Hub and Spoke' design pattern for your VNets in Azure and have:

    • one "Hub" VNet (in let's say Region 1) that will host your Azure Firewall instance (and eventually other central components like VPN gateway, Azure Bastion, etc.)
    • two "Spoke" VNets (one in Region 1 and another one in Region 2) that will host your VMs / workloads
    • establish VNet peering: 1) Spoke 1 - Hub, 2) Spoke 2 - Hub (this one is a cross-regional peering)
    • create a Route Table with the default route (0.0.0.0/0) with the private IP of your Azure Firewall instance as a next hop. Associate this Route Table with subnets in your Spoke 1 and 2 VNets
    • create a firewall policy in Azure Firewall that will permit traffic between these two spoke VNets based on your requirements
    • if you are using NSGs as well, ensure that the traffic can be accepted between the Spokes
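The spoke-side pieces of that design (route table with the 0.0.0.0/0 route toward the firewall, the workload subnet bound to it, and the peering back to the hub) as an added Bicep example; this is not code from the thread. It is written as a per-spoke module, because route tables are regional and a spoke in Region 2 needs its own copy; the parameter names, subnet name and API version are assumptions.

```bicep
// Deploy once per spoke VNet (Region 1 and Region 2). The hub-to-spoke half of the
// peering is created on the hub side and is not shown here.
param spokeLocation string            // region of THIS spoke, e.g. 'westeurope'
param spokeVnetName string
param spokeAddressPrefix string       // e.g. '10.1.0.0/16' (constructed sample)
param spokeSubnetPrefix string        // e.g. '10.1.1.0/24' (constructed sample)
param hubVnetId string                // resource ID of the hub VNet hosting Azure Firewall
param firewallPrivateIp string        // private IP of the Azure Firewall (from its ipConfigurations)

// Route table must live in the spoke's own region; it cannot be shared across regions.
resource spokeRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-${spokeVnetName}-to-azfw'
  location: spokeLocation
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-azfw'
        properties: {
          addressPrefix: '0.0.0.0/0'            // default route: everything goes to the firewall
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: spokeVnetName
  location: spokeLocation
  properties: {
    addressSpace: { addressPrefixes: [ spokeAddressPrefix ] }
    subnets: [
      {
        name: 'snet-workload'
        properties: {
          addressPrefix: spokeSubnetPrefix
          routeTable: { id: spokeRouteTable.id }   // associate the UDR with the VM subnet
        }
      }
    ]
  }
}

// Spoke -> Hub peering (global peering when the hub is in another region).
// allowForwardedTraffic lets packets forwarded by the firewall (source = the other spoke) in.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  name: 'peer-to-hub'
  parent: spokeVnet
  properties: {
    remoteVirtualNetwork: { id: hubVnetId }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}
```

Without `allowForwardedTraffic` on the peering, spoke-to-spoke packets relayed by the firewall are dropped even when the firewall rule permits them, which is an easy thing to miss when troubleshooting.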