Site to Site VPN Connection Filtered by Azure Firewall

Site to Site VPN Connection Filtered by Azure Firewall

Image: https://petri.com/how-to-architect-an-azure-firewall-with-a-vpn-gateway

Site to Site VPN connection is commonly used in hybrid structure. So in this post, I will show you the key steps for this architecture to work.

I have three Vnets for this lab,

  • Cloud Vnet with VM subnet: 172.16.0.0/24
  • DMZ Hub with FW subnet: 192.168.3.0/24, Gateway subnet: 192.168.1.0/24 and VM subnet: 192.168.0.0/24
  • Local Vnet with VN subnet: 10.0.0.0/24 and Gateway subnet: 10.0.3.0/24

With needed services provisioned such as VMs, FW, VPN Gateway etc, the key points are as below.

Please do pay attention that Cloud Vnet is peered with DMZ Hub.

All traffics from remote/local through S2S VPN to cloud must forward to Azure FW for filtering and controlling, therefore, UDR is configured and apply on DMZ Gateway subnet.

Site to Site VPN Connection Filtered by Azure Firewall
Site to Site VPN Connection Filtered by Azure Firewall

All traffics from cloud to remote/local need to be filtered and controlled by Azure Firewall too, so a UDR is needed and apply on Cloud Vnet VM subnet as well.

Site to Site VPN Connection Filtered by Azure Firewall
Site to Site VPN Connection Filtered by Azure Firewall

Lastly, configure a FW rule to verify the connection. I setup a one way connection which only allow local to cloud only.

Site to Site VPN Connection Filtered by Azure Firewall
Site to Site VPN Connection Filtered by Azure Firewall

https://petri.com/how-to-architect-an-azure-firewall-with-a-vpn-gateway

AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.