Network Hub and spoke

Allan Guerreiro 0 Reputation points
2025-02-17T15:19:06.57+00:00

I have the following scenario:

Virtual network gateway (only one)

  • This network gateway has a VPN IPsec connection.
  • This network gateway has VPN Point-to-Site (AOVPN).
  • This network gateway provides the routing for the other VNets using the hub and spoke architecture.

Azure firewall (only one)

  • Provides traffic filtering.

UDR

  • There is one UDR on the SubnetGateway, and this subnet points traffic with destination 192.168.100.0/24 to the Azure Firewall.
  • There is one UDR on the Azure Firewall subnet returning this traffic to the virtual network gateway.

Local network gateway

  • Has the VPN with the address space 192.168.100.0/24.

Problem

  • Traffic with destination 192.168.100.0/24 completely ignores the UDR and is sent directly to the IPsec VPN, bypassing the Azure Firewall.

Question:

  • Why does the traffic ignore the UDR applied on the SubnetGateway?
  • How can I force the traffic to pass through the Azure Firewall?
  • Does the route of the Local Network Gateway have a higher priority than the UDR?

1 answer

  1. Deepanshu katara 14,080 Reputation points MVP
    2025-02-17T16:10:15.8366667+00:00

    Hello Allan, welcome to MS Q&A.

    1 - Answer to 1st Question --> In Azure, routes learned via BGP (Border Gateway Protocol) have a higher priority than User Defined Routes (UDR). Since the Virtual Network Gateway (VNG) learns routes dynamically via BGP from the on-premises network (over VPN IPsec or ExpressRoute), any route for 192.168.100.0/24 is likely being learned dynamically via BGP from the VPN and taking precedence over the UDR.

    Since BGP routes have a higher priority than UDRs, the traffic destined for 192.168.100.0/24 will bypass the UDR and go directly to the VPN tunnel. Please check https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview?source=recommendations

    2 - Answer to 2nd Question --> To force traffic destined for 192.168.100.0/24 to be inspected by the Azure Firewall, you can disable BGP route propagation on the SubnetGateway UDR. Please check this doc on how to disable it, and for more reference: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#custom-routes

    https://azure.microsoft.com/en-gb/updates?id=disable-route-propagation-ga-udr#:~:text=If%20you're%20connecting%20your,BGP%20routes%20from%20being%20propagated.

    3 - Answer to 3rd Question --> Yes, BGP-learned routes from the Virtual Network Gateway have higher priority than UDRs unless route propagation is disabled.

    • If BGP route propagation is enabled, any BGP-learned routes override UDRs.
    • If BGP route propagation is disabled, UDRs take full control, and you can enforce firewall routing.

    For more reference, check this --> https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview?source=recommendations

    Please let me know if you have any questions.

    Kindly accept the answer if it helps.

    Thanks

    Deepanshu
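The check a practitioner would run before changing any route table, as an added example that is not part of the question or the answer above: it uses the Az PowerShell module to show what the gateway has learned over BGP for 192.168.100.0/24, what the GatewaySubnet route table contains (and whether propagation is disabled), the firewall's private IP that the UDR next hop must match, and the effective routes a spoke NIC actually uses for that prefix. Resource group, VNet, gateway, firewall and NIC names are assumed placeholders.

```powershell
# Added diagnostic (not from the thread). All names below are assumed placeholders.
$rg       = 'rg-hub'             # assumed resource group holding the hub
$hubVnet  = 'vnet-hub'           # assumed hub VNet that contains GatewaySubnet
$vngName  = 'vng-hub'            # assumed virtual network gateway (S2S + P2S)
$afwName  = 'afw-hub'            # assumed Azure Firewall
$spokeNic = 'nic-spoke-vm'       # assumed NIC of a spoke VM used as a probe
$prefix   = '192.168.100.0/24'   # on-premises prefix from the question

# 1. Routes the gateway learned over BGP for this prefix (empty if BGP is not enabled)
$learned = Get-AzVirtualNetworkGatewayLearnedRoute -ResourceGroupName $rg -VirtualNetworkGatewayName $vngName |
    Where-Object { $_.Network -eq $prefix }
"BGP-learned routes for $prefix on ${vngName}:"
$learned | Select-Object Network, NextHop, SourcePeer, Origin, AsPath, Weight | Format-Table -AutoSize

# 2. Route table bound to GatewaySubnet: its routes and the BGP propagation flag
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $hubVnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'GatewaySubnet'
if ($gwSubnet.RouteTable) {
    $rtName = ($gwSubnet.RouteTable.Id -split '/')[-1]
    $rt = Get-AzRouteTable -ResourceGroupName $rg -Name $rtName
    "GatewaySubnet route table ${rtName}: DisableBgpRoutePropagation = $($rt.DisableBgpRoutePropagation)"
    $rt.Routes | Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress | Format-Table -AutoSize
} else {
    'GatewaySubnet has no route table associated'
}

# 3. Firewall private IP: a VirtualAppliance UDR only works if NextHopIpAddress equals this
$afw = Get-AzFirewall -ResourceGroupName $rg -Name $afwName
"Azure Firewall private IP: $($afw.IpConfigurations[0].PrivateIPAddress)"

# 4. Effective routes on a spoke NIC: Source 'User' means a UDR won, 'VirtualNetworkGateway'
#    means the gateway's learned route is what the spoke uses for the prefix
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName $spokeNic |
    Where-Object { $_.AddressPrefix -contains $prefix } |
    Select-Object Source, State, AddressPrefix, NextHopType, NextHopIpAddress | Format-Table -AutoSize
```

Run it with an account that has Network Reader on the hub resource group; Get-AzEffectiveRouteTable needs the spoke VM to be running.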

