Subnets behind Azure Firewall

Is it possible to advertise the actual source IPs of Azure VMs that sit behind Azure Firewall to the on-prem network? Currently everything is advertised with a single Azure Firewall IP. Thanks
1 Reply
Hi Sjactivity. It is possible, I am using this solution.
You can follow this link: https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal

For my implementation settings:
1. On your WVD VNet, route your subnet traffic to Azure Firewall (connection from WVD to on-prem), and in the peering settings set "Configure forwarded traffic settings: Enable".
-- The traffic will route to Azure Firewall.
1.1 In the route table, set the configuration -> Propagate gateway routes: No
--- to prevent the propagation of on-premises routes to the network interfaces in associated subnets.

2. In Azure Firewall, configure the rule that allows the traffic you want to the on-prem network.
-- The firewall will allow traffic to the destination. By default, if you propagate the on-prem network route by setting it at the local network gateway (static or BGP), the Azure Firewall VNet will see the on-prem network.

3. At the GatewaySubnet, you need to create a route table to set the destination WVD network route to AzureFW (connection from on-prem to WVD).
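The three steps above expressed as Azure CLI commands, as an added example that is not part of the original reply. Resource names, prefixes and the firewall private IP are constructed placeholders; the on-prem prefix routed to the firewall in step 1 and the peering name are assumptions, since the reply does not name them.

```bash
#!/usr/bin/env bash
# Added example: route WVD <-> on-prem traffic through Azure Firewall in both directions.
# All values below are constructed placeholders; replace them with your own environment.
set -euo pipefail
RG="rg-hub"; LOC="eastus"
FW_PRIV_IP="10.0.1.4"            # Azure Firewall private IP (placeholder)
WVD_VNET="vnet-wvd"; WVD_SUBNET="snet-wvd"; WVD_PREFIX="10.1.0.0/16"
HUB_VNET="vnet-hub"; ONPREM_PREFIX="192.168.0.0/16"   # assumed on-prem prefix
PEERING="peer-wvd-to-hub"        # assumed name of the WVD -> hub peering

# Print each command, and run it unless DRY_RUN=1, so the change can be reviewed first.
run() { printf '%s\n' "$*"; [ "${DRY_RUN:-0}" = 1 ] || "$@"; }

# Step 1 / 1.1: WVD subnet sends on-prem traffic to the firewall; gateway route
# propagation is disabled so learned on-prem routes cannot bypass the firewall
# (which would cause asymmetric routing and unfiltered return paths).
step1_wvd_routes() {
  run az network route-table create -g "$RG" -l "$LOC" -n rt-wvd \
      --disable-bgp-route-propagation true
  run az network route-table route create -g "$RG" --route-table-name rt-wvd -n to-onprem \
      --address-prefix "$ONPREM_PREFIX" --next-hop-type VirtualAppliance \
      --next-hop-ip-address "$FW_PRIV_IP"
  run az network vnet subnet update -g "$RG" --vnet-name "$WVD_VNET" -n "$WVD_SUBNET" \
      --route-table rt-wvd
  # Peering must accept traffic forwarded by the firewall (not originated in the hub VNet).
  run az network vnet peering update -g "$RG" --vnet-name "$WVD_VNET" -n "$PEERING" \
      --set allowForwardedTraffic=true
}

# Step 2: firewall network rule permitting WVD -> on-prem traffic (classic rule collection).
step2_firewall_rule() {
  run az network firewall network-rule create -g "$RG" --firewall-name fw-hub \
      --collection-name wvd-to-onprem --name allow-wvd-onprem --priority 200 --action Allow \
      --protocols Any --source-addresses "$WVD_PREFIX" \
      --destination-addresses "$ONPREM_PREFIX" --destination-ports '*'
}

# Step 3: GatewaySubnet route table sends on-prem -> WVD traffic to the firewall.
# Gateway route propagation is left enabled here (the gateway still needs its routes).
step3_gateway_subnet() {
  run az network route-table create -g "$RG" -l "$LOC" -n rt-gateway
  run az network route-table route create -g "$RG" --route-table-name rt-gateway -n to-wvd \
      --address-prefix "$WVD_PREFIX" --next-hop-type VirtualAppliance \
      --next-hop-ip-address "$FW_PRIV_IP"
  run az network vnet subnet update -g "$RG" --vnet-name "$HUB_VNET" -n GatewaySubnet \
      --route-table rt-gateway
}

# Apply all three steps only when explicitly asked: ./script.sh apply
if [ "${1:-}" = apply ]; then step1_wvd_routes; step2_firewall_rule; step3_gateway_subnet; fi
```

Run with `DRY_RUN=1 ./script.sh apply` first to review the exact commands before any resources are changed.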