Forum Discussion
Hub spoke design with NVA firewall
I have my Azure landing zone setup but it isn't working as i expected.
So i have a vnet named vnet-lz-fw-001 with 2 subnets. External and Trusted.
I then have a NVA Watchguard Firewall with an interface on each subnet.
I then have 2 further vnets, vnet-lz-prod-001 and vnet-lz-id-001.
Each of these vnets has peering to vnet-lz-fw-001 but no peering between each other.
vnet-lz-prod-001 and vnet-lz-id-001 have user defined routes to point to each other via the trusted interface on the Watchguard NVA
The Watchguard firewall has static routes to point to each subnet in the vnets via the Trusted interface gateway address.
Virtual machines in both vnet-lz-prod-001 and vnet-lz-id-001 can ping each other, but when they do its not routing via the Watchguard firewall. Is this as expected behavior?
Virtual machines in both vnet-lz-prod-001 and vnet-lz-id-001 can ping the trusted interface on the Watchguard Firewall ok
1 Reply
Even though you've set up User Defined Routes (UDRs) to point traffic through the Watchguard NVA, Azure VNet peering by default allows direct routing between peered VNets, which means:
• Azure will prefer system routes over UDRs if the destination is reachable via peering.
• So traffic between and is taking the direct peering path, bypassing your firewall.Please try to:
- Disable "Allow forwarded traffic" on the peering between spokes and hub:
- This prevents Azure from automatically forwarding traffic between spokes via peering.
- Ensure UDRs are applied to the VM subnets in both spokes:
- Set the next hop to the Trusted interface IP of the Watchguard NVA.
- Enable IP forwarding on the NVA’s NICs:
- Required for the NVA to route packets between interfaces.
- Ensure the NVA has return routes for both spoke subnets:
- These should point back to the respective source subnet via the Trusted interface.
