This lab is pretty simple. The main idea is to filter Vnet peering connections. There are three Vnets in this architecture, one as hub, hosting Azure Firewall and other two as spokes, hosting VMs.
Spokes will peer with hub, traffics between spokes are forwarded to Azure Firewall for filtering and controlling, then Azure Firewall will forward the traffics to where it should be.
Key points to make this architecture works:
Azure Firewall Policy
Create a FW policy as it will be needed by Azure FW as well as filtering and controlling traffics between spoke1 and spoke2. I made two rules for verification which are
- Spoke1 can ssh Spoke2 ; Spoke2 CANNOT ssh Spoke1
- Spoke2 can ping Spoke1 ; Spoke1 CANNOT ping Spoke2
Create a Hub Vnet. Next, transform it into a secured Vnet by deploying Azure FW with FW policy to the Hub Vnet.
Next, peer spoke1 & 2 with Hub Vnet
Once done, it will look like this
Transitive peering is not supported by default. Therefore, at this moment, spoke1 and spoke2 can talk to Hub BUT spoke1 and spoke2 CANNOT talk to each other through Hub. Therefore, Azure FW and UDRs are needed.
Configure UDR for spoke1 indicating traffics to spoke2 are forwarded to Azure Firewall.
Do the same thing for spoke2.
And that’s it! Now, traffics between spoke1 and spoke2 are now filtered and controlled by Azure Firewall. Let’s verify.