Azure Vnet Peering Connection Filtered by Azure Firewall

Azure Vnet Peering Connection Filtered by Azure Firewall

Image:https://docs.microsoft.com/en-us/azure/firewall-manager/secure-hybrid-network

This lab is pretty simple. The main idea is to filter Vnet peering connections. There are three Vnets in this architecture, one as hub, hosting Azure Firewall and other two as spokes, hosting VMs.

Spokes will peer with hub, traffics between spokes are forwarded to Azure Firewall for filtering and controlling, then Azure Firewall will forward the traffics to where it should be.

Key points to make this architecture works:

Create a FW policy as it will be needed by Azure FW as well as filtering and controlling traffics between spoke1 and spoke2. I made two rules for verification which are

  1. Spoke1 can ssh Spoke2 ; Spoke2 CANNOT ssh Spoke1
  2. Spoke2 can ping Spoke1 ; Spoke1 CANNOT ping Spoke2
Azure Vnet Peering Connection Filtered by Azure Firewall

Create a Hub Vnet. Next, transform it into a secured Vnet by deploying Azure FW with FW policy to the Hub Vnet.

Azure Vnet Peering Connection Filtered by Azure Firewall

Next, peer spoke1 & 2 with Hub Vnet

Azure Vnet Peering Connection Filtered by Azure Firewall

Once done, it will look like this

Azure Vnet Peering Connection Filtered by Azure Firewall

Transitive peering is not supported by default. Therefore, at this moment, spoke1 and spoke2 can talk to Hub BUT spoke1 and spoke2 CANNOT talk to each other through Hub. Therefore, Azure FW and UDRs are needed.

Configure UDR for spoke1 indicating traffics to spoke2 are forwarded to Azure Firewall.

Azure Vnet Peering Connection Filtered by Azure Firewall
Azure Vnet Peering Connection Filtered by Azure Firewall

Do the same thing for spoke2.

Azure Vnet Peering Connection Filtered by Azure Firewall
Azure Vnet Peering Connection Filtered by Azure Firewall

And that’s it! Now, traffics between spoke1 and spoke2 are now filtered and controlled by Azure Firewall. Let’s verify.

Azure Vnet Peering Connection Filtered by Azure Firewall
Azure Vnet Peering Connection Filtered by Azure Firewall

https://docs.microsoft.com/en-us/azure/firewall-manager/secure-hybrid-network

AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.