Route Traffic via Azure Firewall


Hi,

I have a number of virtual networks within a subscription and a hub network which hosts an Azure Firewall. Within each network is a virtual machine with a public IP. I can't peer the networks to the hub as these all need to be completely isolated. Is it possible to set up RDP rules on the firewall to route to the different public IPs within each network?

I'm thinking of NAT rules with different ports, but I can't get this to work even if I just use 3389. I'm thinking it's something to do with routing?

Any ideas, or even a better way to do this?

Thanks

1 Reply

@JacksWastedLife 

Hi,

Even if they are peered with the hub, spokes are still isolated until you allow forwarded traffic.

You can create proper rules to deny unauthorised traffic at the subnet and firewall level. By doing that you can filter and log all traffic in and out.

You can eliminate all the public IPs and use DNAT rules if you don't want to put in a VPN gateway.

Tutorial: Filter inbound Internet traffic with Azure Firewall DNAT using the portal | Microsoft Docs
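The setup the reply describes, written out as an added Azure CLI example (not code from the thread or from the linked tutorial). It assumes each spoke VNet is peered to the hub with "allow forwarded traffic" enabled, that the VMs' public IPs have been removed, and that the hypothetical resource group `rg-hub`, firewall `fw-hub`, the firewall IPs and the spoke inventory are all constructed values. Because every VM sits behind the single firewall public IP, each gets its own frontend port (33891, 33892, ...) translated to 3389 on the VM, and the script refuses to continue if two VMs would collide on a port. It also applies the default route the Microsoft DNAT tutorial uses, 0.0.0.0/0 to the firewall's private IP on each spoke workload subnet, so the spoke's traffic stays symmetric through the firewall. With `DRY_RUN=1` (the default) it only prints the `az` commands; set `DRY_RUN=0` and pass `--deploy` to run them.

```shell
#!/bin/sh
# Added example, not from the thread: one Azure Firewall DNAT rule per spoke VM,
# each on its own frontend port, plus the default route that keeps spoke traffic
# on the firewall. All names and addresses below are constructed/hypothetical.
set -eu

RG="${RG:-rg-hub}"                            # hypothetical resource group
FW="${FW:-fw-hub}"                            # hypothetical Azure Firewall name
FW_PIP="${FW_PIP:-203.0.113.10}"              # firewall public IP (documentation range)
FW_PRIV="${FW_PRIV:-10.0.1.4}"                # firewall private IP, next hop for spokes
ALLOWED_SRC="${ALLOWED_SRC:-198.51.100.0/24}" # admin source range; never use "*"
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print az commands, 0 = execute them

# Constructed inventory: spoke vnet, workload subnet, VM private IP, frontend port.
# Every VM shares the one firewall public IP, so the frontend port must be unique.
SPOKES='spoke1 workload 10.1.0.4 33891
spoke2 workload 10.2.0.4 33892
spoke3 workload 10.3.0.4 33893'

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Fail (return 1) if two VMs would be mapped to the same frontend port.
check_unique_ports() {
  dup=$(printf '%s\n' "$1" | awk '{print $4}' | sort | uniq -d)
  if [ -n "$dup" ]; then
    printf 'duplicate frontend port(s): %s\n' "$dup" >&2
    return 1
  fi
}

# DNAT: TCP <FW_PIP>:<frontend port> -> <vm ip>:3389, accepted only from ALLOWED_SRC.
dnat_rule_cmd() {  # args: spoke vm_ip frontend_port
  run az network firewall nat-rule create \
    --resource-group "$RG" --firewall-name "$FW" \
    --collection-name rdp-dnat --priority 100 --action Dnat \
    --name "rdp-$1" --protocols TCP \
    --source-addresses "$ALLOWED_SRC" \
    --destination-addresses "$FW_PIP" --destination-ports "$3" \
    --translated-address "$2" --translated-port 3389
}

# UDR: 0.0.0.0/0 -> firewall private IP on the spoke workload subnet, as the
# Microsoft DNAT tutorial configures, so the spoke's Internet-bound traffic goes
# through the firewall and no VM needs a public IP of its own.
spoke_route_cmds() {  # args: spoke subnet
  run az network route-table create --resource-group "$RG" --name "rt-$1"
  run az network route-table route create --resource-group "$RG" \
    --route-table-name "rt-$1" --name default --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIV"
  run az network vnet subnet update --resource-group "$RG" \
    --vnet-name "$1" --name "$2" --route-table "rt-$1"
}

deploy() {
  check_unique_ports "$SPOKES"   # aborts under set -e on a port collision
  printf '%s\n' "$SPOKES" | while read -r spoke subnet ip port; do
    spoke_route_cmds "$spoke" "$subnet"
    dnat_rule_cmd "$spoke" "$ip" "$port"
  done
}

if [ "${1:-}" = "--deploy" ]; then deploy; fi
```

Two things to check before trusting this in a real hub: the firewall's default deny still applies between spokes, since no network rule here permits spoke-to-spoke traffic, and each spoke's peering to the hub is the only path in; and the `--source-addresses` list is what actually limits RDP exposure, so keep it to known admin ranges rather than opening the frontend ports to the whole Internet.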