Route only P2s traffic through firewall

George Geoffrick G 40 Reputation points
2025-02-07T07:23:27.2033333+00:00

I have a relatively simple network setup: a spoke (192.168.0.1/24) and a hub network (172.17.32.0). In the hub network I have a firewall in the firewall subnet and a VPN gateway in the gateway subnet. In the VPN gateway I have configured multiple S2S tunnels and also point-to-site connectivity, for remote users to connect.

The goal now is simple: I need only the P2S traffic to be routed through the firewall, without the S2S traffic going there.

I created two route tables, one for the spoke and one for the gateway subnet.
Spoke RT
10.216.1.0/24(p2s subnet) ---> Firewall

Gateway subnet RT
192.168.0.1/24(spoke subnet) ---> firewall

Firewall
10.216.1.0/24 --> 192.168.0.1/24 --> Allow

The above setup works by forwarding the whole of the VPN gateway traffic to the firewall, whereas I only need P2S traffic to be forwarded to the firewall. Kindly assist me with this. I am also attaching an okay-ish diagram of the setup as well.


Accepted answer
  1. Ganesh Patapati 3,605 Reputation points Microsoft Vendor
    2025-02-11T18:22:36.7+00:00

    Hello George Geoffrick G

    Apologies for the delay in response!

    • As per the network setup, what you are trying to achieve is not possible.

    If you want to implement this, then I suggest you go with a VWAN setup.


    I hope this has been helpful!

    Your feedback is important so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.


1 additional answer

  1. Sarthak Agarwal 1 Reputation point Microsoft Employee
    2025-02-12T04:47:43.8333333+00:00

    Hi @George Geoffrick G ,

    Hope you are doing well.

    To answer your question, an Azure Route Table on the Gateway subnet doesn't allow you to bifurcate destination spoke traffic based on the source (P2S/S2S), so irrespective of where the traffic comes from (P2S/S2S) it would land on the firewall because of the UDR you have on the Gateway Subnet, and hence this is not possible.

    Also, this is not a recommended approach as per network security best practices. I am curious to understand the motivation behind having S2S traffic bypass the firewall; maybe that helps me answer better.

    Regards,

    Sarthak, CSA, Microsoft
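The point made in the answer above, as an added illustration that is not part of the thread: a minimal model of how a UDR on the GatewaySubnet is evaluated. The route tables are the ones from the question (the spoke written as 192.168.0.0/24), the S2S on-prem prefix 10.50.0.0/16 and the system routes are constructed assumptions, and the lookup key never contains the packet's source.

```python
# Added example, not from the thread. Models Azure UDR evaluation:
# longest destination-prefix match, UDR beating a system route of the
# same length. The source address is not part of the lookup at all.
from ipaddress import ip_address, ip_network

# UDR attached to the GatewaySubnet, as in the question.
GATEWAY_SUBNET_UDR = [
    ("192.168.0.0/24", "Firewall"),      # spoke subnet -> firewall
]
# Simplified system routes that exist without any UDR (assumption).
SYSTEM_ROUTES = [
    ("192.168.0.0/24", "VNetPeering"),   # spoke reachable via peering
    ("0.0.0.0/0", "Internet"),
]
# Constructed prefixes for the two kinds of VPN client.
P2S_POOL = ip_network("10.216.1.0/24")   # from the question
S2S_ONPREM = ip_network("10.50.0.0/16")  # placeholder on-prem range


def next_hop(dst, udr, system=SYSTEM_ROUTES):
    """Return the next hop for a destination: longest prefix wins,
    and on equal length the UDR entry overrides the system route."""
    d = ip_address(dst)
    best = None
    for rank, table in ((1, udr), (0, system)):
        for prefix, hop in table:
            net = ip_network(prefix)
            if d in net:
                key = (net.prefixlen, rank)
                if best is None or key > best[0]:
                    best = (key, hop)
    return best[1] if best else None


def source_kind(src):
    """What the asker wanted to distinguish: P2S vs S2S origin."""
    s = ip_address(src)
    if s in P2S_POOL:
        return "P2S"
    if s in S2S_ONPREM:
        return "S2S"
    return "other"


def route(src, dst, udr=GATEWAY_SUBNET_UDR):
    """Hop chosen for a (src, dst) pair. src is classified only for the
    report; the actual decision depends on dst alone."""
    return source_kind(src), next_hop(dst, udr)


if __name__ == "__main__":
    for src in ("10.216.1.5", "10.50.1.5"):
        print(src, "->", route(src, "192.168.0.10"))
```

Both the P2S client and the S2S host resolve to the firewall for the spoke destination; removing the UDR sends both via peering instead, which is why there is no per-source split to configure.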

