SOLVED

Azure Firewall Cross Region Connection

Hi,

I want to ask a question because I am a little bit frustrated.

Can I use the same Azure Firewall instance to connect 2 VMs that are in the same resource group but in different regions?

Thank you!

3 Replies

@Michail_Kops

Hi,

Yes, you can, but you need to redirect the traffic via route tables to be able to see it and manage it with the firewall. Here the logical container and the region don't matter. Since virtual network peering can be done cross-region, you just need to ensure that the address spaces you are using are not overlapping.

best response confirmed by Namrata_Chaurasia (Microsoft)
Solution

Hi @Michail_Kops,

To elaborate a bit more on the answer provided by ibrahimambodji:

As you know, VNets don't span multiple regions, so I assume that you have one VNet in each region, where you deployed VMs.

The recommended approach is to use the 'Hub and Spoke' design pattern for your VNets in Azure and have:

  • one "Hub" VNet (in let's say Region 1) that will host your Azure Firewall instance (and eventually other central components like VPN gateway, Azure Bastion, etc.)
  • two "Spoke" VNets (one in Region 1 and another one in Region 2) that will host your VMs / workloads
  • establish VNet peering: 1) Spoke 1 - Hub, 2) Spoke 2 - Hub (this one is a cross-regional peering)
  • create a Route Table with the default route (0.0.0.0/0) with the private IP of your Azure Firewall instance as a next hop. Associate this Route Table with subnets in your Spoke 1 and 2 VNets
  • create a firewall policy in Azure Firewall that will permit traffic between these two spoke VNets based on your requirements
  • if you are using NSGs as well, ensure that the traffic can be accepted between the Spokes
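The spoke-side steps above, as an added Bicep example (not code from this thread or from Microsoft): it assumes the hub VNet, the Azure Firewall and its firewall policy already exist in the same resource group, and every name, region, address space and the firewall private IP is a placeholder.

```bicep
// Added example, not from the thread: Bicep for the spoke side of the steps above. Assumes the hub VNet,
// Azure Firewall and its policy already exist in this resource group; names, regions, address spaces and IP are placeholders.
param hubVnetName string = 'vnet-hub'
param fwPolicyName string = 'afwp-hub'
param fwPrivateIp string = '10.0.1.4'   // placeholder: private IP of the Azure Firewall
// Spoke address spaces must not overlap with each other or with the hub.
var spokes = [
  { name: 'vnet-spoke1', location: 'westeurope', cidr: '10.1.0.0/16', subnet: '10.1.0.0/24' }
  { name: 'vnet-spoke2', location: 'northeurope', cidr: '10.2.0.0/16', subnet: '10.2.0.0/24' }
]
resource hub 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: hubVnetName }
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = { name: fwPolicyName }
// Route tables are regional, so each spoke gets its own; 0.0.0.0/0 goes to the firewall.
resource rt 'Microsoft.Network/routeTables@2023-05-01' = [for s in spokes: {
  name: 'rt-${s.name}'
  location: s.location
  properties: { routes: [ { name: 'default-via-firewall', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: fwPrivateIp } } ] }
}]
// Workload subnet of each spoke is associated with that spoke's route table.
resource spoke 'Microsoft.Network/virtualNetworks@2023-05-01' = [for (s, i) in spokes: {
  name: s.name
  location: s.location
  properties: { addressSpace: { addressPrefixes: [ s.cidr ] }, subnets: [ { name: 'snet-workload', properties: { addressPrefix: s.subnet, routeTable: { id: rt[i].id } } } ] }
}]
// Peering in both directions; spoke 2 -> hub is the cross-region one.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = [for (s, i) in spokes: {
  parent: spoke[i]
  name: 'to-hub'
  properties: { remoteVirtualNetwork: { id: hub.id }, allowForwardedTraffic: true }
}]
@batchSize(1)   // peering operations on the same hub VNet must not run concurrently
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = [for (s, i) in spokes: {
  parent: hub
  name: 'to-${s.name}'
  properties: { remoteVirtualNetwork: { id: spoke[i].id }, allowForwardedTraffic: true }
}]
// Firewall policy network rule permitting only the spoke-to-spoke traffic you need (HTTPS here as a placeholder).
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'SpokeToSpoke'
  properties: {
    priority: 200
    ruleCollections: [ {
      ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
      name: 'allow-spoke-to-spoke'
      priority: 100
      action: { type: 'Allow' }
      rules: [ { ruleType: 'NetworkRule', name: 'spoke1-to-spoke2-https', ipProtocols: [ 'TCP' ], sourceAddresses: [ spokes[0].cidr ], destinationAddresses: [ spokes[1].cidr ], destinationPorts: [ '443' ] } ]
    } ]
  }
}
```

Because the default route also sends internet-bound traffic to the firewall, any outbound access the VMs need must be permitted in the policy as well, and NSGs on the spoke subnets must still allow the cross-spoke ranges.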

Dear David. Great answer and details. Thanks. I have the same issue and could solve it with your tip.
