Forum Discussion
Spoke-Hub-Hub Traffic with VPN Gateway BGP and Firewall Issue
Hello,
I’m facing a situation where I’m trying to have Azure Firewall inspection on the VPN Gateway VNET-VNET connectivity. It seems to work if I go from SpokeA-HubAFirewall-HubAVPN-HubBVPN-SpokeB, but if I try to go from SpokeA-HubAFirewall-HubAVPN-HubBVM or Inbound Resolver it fails to route correctly. According to Connectivity Troubleshooter it stops at HubAVPN with Local Error: RouteMissing, but then reaches destination health, so it makes me believe it’s getting there but not following the route I want it to take, which might be causing routing issues. What am I missing here? This connectivity was working before introducing the Azure Firewall for inspection with the UDR. Is what I’m trying to accomplish not possible? I’ve tried different types of UDR rules on the Gateway Subnet, and this is my most recent configuration. The reason I’m trying to accomplish this is that I’m seeing a similar error in our Hub-Spoke hybrid environment and I’m trying to replicate the issue.
Current Configuration
2x Hubs with Spoke networks attached, for example:
Hub-Spoke-A Configuration:
Hub-A Contains following subnets and Resources
VPN Gateway - GateWaySubnet
Azure Firewall - AzureFirewallSubnet
Inbound Private Resolver - PrivateResolverSubnet
Virtual Machine – VM Subnet
Gateway Subnet has an attached UDR with the following routes:
Propagation - True
Route 1: Prefix Destination – Hub-B; Next Hop Type – Virtual Appliance; Next Hop IP – Hub-A Firewall
Route 2: Prefix Destination – Spoke-B; Next Hop Type – Virtual Appliance; Next Hop IP – Hub-A Firewall
Hub-Spoke-B Configuration:
Hub-B Contains following subnets and Resources
VPN Gateway - GateWaySubnet
Azure Firewall - AzureFirewallSubnet
Inbound Private Resolver - PrivateResolverSubnet
Virtual Machine – VM Subnet
Gateway Subnet has an attached UDR with the following routes:
Propagation - True
Route 1: Prefix Destination – Hub-A; Next Hop Type – Virtual Appliance; Next Hop IP – Hub-B Firewall
Route 2: Prefix Destination – Spoke-A; Next Hop Type – Virtual Appliance; Next Hop IP – Hub-B Firewall
Spoke Subnets have an attached UDR with the following route:
Propagation - True
Route 1: Prefix Destination – 0.0.0.0/0; Next Hop Type – Virtual Appliance; Next Hop IP – Hub-A/Hub-B Firewall (depending on which hub it’s peered to)
VPN Gateways are HA, VNET-VNET with BGP enabled. I can see that it knows the routes and, like I said, this was working prior to introducing the UDRs to force traffic through the Azure Firewall.
2 Replies
Below are the possible and not possible:
• Not possible: Steering VPN Gateway traffic via UDRs on GatewaySubnet to force inspection through Azure Firewall in a DIY hub. The gateway will not honor those UDRs.
• Possible approaches:
o Use Azure Virtual WAN Secure Hub with Azure Firewall. VWAN routing intent can cleanly inspect inter-hub/spoke-to-spoke and on-prem paths.
o Use Azure Route Server and have your NVA/firewall participate in BGP, so the firewall advertises/receives routes and becomes the path without relying on GatewaySubnet UDRs.
o Keep inspection to east–west spoke traffic with UDRs on spoke subnets, and let gateway traffic follow BGP/system routes. You get spoke-to-spoke inspection, but hub-to-gateway/hub-to-hub inspection is limited.
CUrti300 (Copper Contributor):
So for the "Not Possible", does this also apply to VPN Gateway traffic for hybrid connectivity?
And can you use Azure Route Server with Azure Firewall?
Also, a separate issue altogether, but I decided to remove the firewall from the equation and just ensure Hub-Hub/VNET-VNET was working, and no dice either. I've removed all the route tables and left the defaults; I keep seeing Egress mismatch packets and the same error about route missing.
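To make the UDR/BGP/system interplay behind the first reply's third approach concrete (spoke-subnet UDRs with propagation on or off, while the gateway follows BGP), here is an added Python model of how Azure selects a subnet's effective route: longest prefix match first, then UDR > BGP > System when prefixes tie, with the route table's "propagate gateway routes" setting deciding whether BGP routes learned by the hub gateway reach the subnet at all. This is example code written for this thread, not code from the poster, the reply or Azure; every prefix, the firewall IP and the Hub-B VM address are constructed placeholders for the Spoke-A/Hub-A/Hub-B layout described in the question, and it deliberately does not model the GatewaySubnet behaviour the reply says is unsupported.

```python
"""Model of Azure effective-route selection for a spoke subnet (added example).

Rules modelled (documented Azure behaviour):
  1. Longest prefix match wins across all route sources.
  2. On an equal prefix length the source precedence is UDR > BGP > System.
  3. A route table with 'propagate gateway routes' disabled keeps BGP routes
     learned through the hub's VPN gateway out of the subnet's table.
All addresses below are constructed placeholders, not values from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Tie-break order Azure applies when several routes share the same prefix.
PRECEDENCE = {"UDR": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                # CIDR the route covers
    next_hop_type: str         # VnetLocal, VNetPeering, VirtualNetworkGateway, VirtualAppliance
    next_hop_ip: Optional[str] # only set for VirtualAppliance next hops
    source: str                # "UDR", "BGP" or "System"


def effective_routes(system, udr, bgp, propagate_gateway_routes=True):
    """Combine route sources the way Azure builds a subnet's effective route table."""
    routes = list(system) + list(udr)
    if propagate_gateway_routes:
        routes += list(bgp)
    return routes


def select_route(routes, destination):
    """Longest prefix match first; on equal prefix length, UDR > BGP > System."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    return min(matching,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                              PRECEDENCE[r.source]))


# --- Constructed addressing for the Spoke-A subnet in the poster's topology ---
HUB_A_FIREWALL = "10.1.1.4"  # assumed private IP of the Azure Firewall in Hub-A
SYSTEM_ROUTES = [
    Route("10.10.0.0/16", "VnetLocal", None, "System"),   # Spoke-A's own VNet
    Route("10.1.0.0/16", "VNetPeering", None, "System"),  # peered Hub-A
]
# Learned by the Hub-A VPN gateway over the BGP-enabled VNET-VNET connection and
# pushed into the spoke through the peering's "use remote gateways" setting.
BGP_ROUTES = [
    Route("10.2.0.0/16", "VirtualNetworkGateway", None, "BGP"),   # Hub-B
    Route("10.20.0.0/16", "VirtualNetworkGateway", None, "BGP"),  # Spoke-B
]
# The spoke UDR from the question: default route to the hub firewall.
SPOKE_UDR = [Route("0.0.0.0/0", "VirtualAppliance", HUB_A_FIREWALL, "UDR")]


def next_hop_from_spoke_a(destination, propagate_gateway_routes, extra_udrs=()):
    """Return (next_hop_type, next_hop_ip) chosen for a packet leaving Spoke-A."""
    table = effective_routes(SYSTEM_ROUTES, SPOKE_UDR + list(extra_udrs),
                             BGP_ROUTES, propagate_gateway_routes)
    r = select_route(table, destination)
    return (r.next_hop_type, r.next_hop_ip) if r else (None, None)


if __name__ == "__main__":
    hub_b_vm = "10.2.3.10"  # constructed address of a VM in Hub-B
    for propagate in (True, False):
        print(f"propagate_gateway_routes={propagate}: Hub-B VM via "
              f"{next_hop_from_spoke_a(hub_b_vm, propagate)}")
    # A UDR that covers the same /16 as the BGP route wins the tie-break.
    pin = [Route("10.2.0.0/16", "VirtualAppliance", HUB_A_FIREWALL, "UDR")]
    print(f"with a Hub-B-specific UDR: {next_hop_from_spoke_a(hub_b_vm, True, pin)}")
```

Run as-is, the model shows the point to check in the poster's spoke UDR: with propagation left on, the /16 BGP route for Hub-B is more specific than the 0.0.0.0/0 UDR, so a Spoke-A packet for a Hub-B VM is handed straight to the Hub-A gateway and never reaches the firewall; turning propagation off, or adding a Hub-B-prefix UDR that ties with the BGP route and therefore wins on source precedence, is what sends it to the firewall first. Azure's "Effective routes" view on the spoke NIC is the live equivalent of `select_route` and is the place to confirm which of these three outcomes a real subnet is in.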