S2S VPN & Express route with Azure Firewall in the middle

Question

Dear All,

I've a setup with a S2S vpn to reach on-prem ressource and UDR on vnet to force the traffic to use Azure Firewall (on hub subscription).

Recently we've configure express route circuit to replace the S2S vpn. Express route circuit & ER virtual network gaetway has been created on a new vnet (different of S2S FW and VPN Gateway).

Now, we would like migrate the traffic to express route circuit but we would like to keep the existing Azure firewall in place, but how to "connect" the Azure firewall to the ER circuit as they are on different vnets ? With vnet peerings ?

Thanks

Answer 1

Hi RL

Greetings!

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Yes, your observation is correct. With the help of VNet peering, you will be able to establish a connection.

1. Set up VNet peering between the VNet that contains the Azure Firewall and the VNet that contains the ExpressRoute Gateway. This allows resources in both VNets to communicate with each other.
2. Ensure that you enable "Allow forwarded traffic" on the peering settings of the VNet that contains the Azure Firewall.
3. After establishing VNet peering, you will need to configure the User Defined Routes (UDRs) in the VNet that contains the resources you want to route through the Azure Firewall.

Please refer to the information below regarding virtual network traffic routing with (UDRs):

Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

Using VNet peering is a valid and effective way to connect your Azure Firewall to an ExpressRoute circuit when they are in different Vets.

---

Hope this clarifies!

If above is unclear and/or you are unsure about something add a comment below.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Regards,

Ganesh