Forum Discussion
Spoke-Hub-Hub Traffic with VPN Gateway BGP and Firewall Issue
Below are the possible and not possible approaches:
• Not possible: Steering VPN Gateway traffic via UDRs on GatewaySubnet to force inspection through Azure Firewall in a DIY hub. The gateway will not honor those UDRs.
• Possible approaches:
o Use Azure Virtual WAN Secure Hub with Azure Firewall. VWAN routing intent can cleanly inspect inter-hub/spoke-to-spoke and on-prem paths.
o Use Azure Route Server and have your NVA/firewall participate in BGP, so the firewall advertises/receives routes and becomes the path without relying on GatewaySubnet UDRs.
o Keep inspection to east–west spoke traffic with UDRs on spoke subnets, and let gateway traffic follow BGP/system routes. You get spoke-to-spoke inspection, but hub-to-gateway/hub-to-hub inspection is limited.
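The third option above, written out as an added example that is not part of the original post or any Microsoft sample: a route table on a spoke workload subnet that sends default and on-prem-bound traffic to the Azure Firewall private IP in the hub, with BGP route propagation disabled so routes learned from the VPN gateway do not bypass the firewall. The firewall IP, VNet and subnet names, address ranges and API version are assumed values.

```bicep
// Added example: spoke-subnet UDR steering traffic through Azure Firewall.
// All names, IPs and prefixes below are assumptions for illustration.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'      // assumed private IP of Azure Firewall in the hub
param spokeVnetName string = 'spoke1-vnet'       // assumed existing spoke VNet
param workloadSubnetPrefix string = '10.1.1.0/24' // assumed spoke workload subnet
param onPremPrefix string = '192.168.0.0/16'     // assumed on-prem range reachable via the hub VPN gateway

resource spokeRouteTable 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-spoke1-workload'
  location: location
  properties: {
    // Without this, a more specific on-prem route propagated from the VPN
    // gateway (via BGP) would win over the UDRs and skip the firewall.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
      {
        name: 'onprem-via-firewall'
        properties: {
          addressPrefix: onPremPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: spokeVnetName
}

// Associate the route table with the workload subnet; the GatewaySubnet in
// the hub is deliberately left alone, so gateway traffic follows system/BGP routes.
resource workloadSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: spokeVnet
  name: 'workload'
  properties: {
    addressPrefix: workloadSubnetPrefix
    routeTable: {
      id: spokeRouteTable.id
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file spoke-udr.bicep`, then check the result with `az network nic show-effective-route-table` on a NIC in the subnet: the 0.0.0.0/0 and on-prem entries should show next hop type VirtualAppliance with the firewall IP, and no BGP-sourced routes. Caveat that follows from the limitation the post describes: spoke-to-spoke flows are inspected in both directions, but a spoke-to-on-prem flow leaves via the firewall while the return packets enter through the gateway and reach the spoke directly, so the firewall sees only one direction of that flow and may drop it as unsolicited.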
CUrti300 (Copper Contributor), Nov 24, 2025:
So for the "Not Possible", does this also apply to VPN Gateway traffic for hybrid connectivity?
And can you use Azure Route Server with Azure Firewall?
Also, a separate issue altogether, but I decided to remove the firewall from the equation and just ensure Hub-Hub/VNET-VNET was working, and no dice either. I've removed all the route tables and left the defaults; I keep seeing Egress mismatch packets and the same error about a route missing.