Site to Site VPN Connection Filtered by Azure Firewall


Site-to-Site VPN connections are commonly used in hybrid architectures, so in this post I will show the key steps needed to make this architecture work.

I have three Vnets for this lab:

  • Cloud Vnet with VM subnet:
  • DMZ Hub with FW subnet:, Gateway subnet: and VM subnet:
  • Local Vnet with VM subnet: and Gateway subnet:

With the needed services provisioned (VMs, Azure Firewall, VPN Gateways, etc.), the key points are as follows.

Note that the Cloud Vnet is peered with the DMZ Hub.


All traffic from the remote/local side that enters the cloud through the S2S VPN must be forwarded to Azure Firewall for filtering and control, so a UDR is configured and applied on the DMZ Hub Gateway subnet.

Cloud Vnet

All traffic from the cloud to the remote/local side must also be filtered and controlled by Azure Firewall, so a UDR is needed and applied on the Cloud Vnet VM subnet as well.

Azure FW Rules

Lastly, configure a firewall rule to verify the connection. I set up a one-way connection that allows local-to-cloud traffic only.
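As an added example (not the author's own configuration), the following Bicep captures the three key points above in one deployable unit: the UDR on the DMZ Hub GatewaySubnet, the UDR on the Cloud Vnet VM subnet, and the one-way firewall rule. All address prefixes, resource names and the firewall private IP are placeholders, and it assumes the Azure Firewall is managed through a Firewall Policy.

```bicep
// Added example (not the post's own config). Every value below is a placeholder; replace with your own.
param location string = resourceGroup().location
param fwPrivateIp string = '10.0.1.4'             // placeholder: Azure Firewall private IP (DMZ Hub)
param cloudVmSubnetPrefix string = '10.1.0.0/24'  // placeholder: Cloud Vnet VM subnet
param gatewaySubnetPrefix string = '10.0.2.0/27'  // placeholder: DMZ Hub GatewaySubnet
param localPrefix string = '192.168.0.0/24'       // placeholder: Local Vnet / on-premises range
param fwPolicyName string = 'dmz-fw-policy'       // placeholder: policy attached to the firewall
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'dmz-hub-vnet' } // placeholder
resource cloudVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'cloud-vnet' } // placeholder
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = { name: fwPolicyName }
// UDR 1, DMZ Hub GatewaySubnet: VPN traffic for the cloud VM subnet is sent to the firewall
// instead of crossing the peering directly (a 0.0.0.0/0 route is not allowed on GatewaySubnet).
resource gwRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-gatewaysubnet'
  location: location
  properties: {
    routes: [ { name: 'cloud-vm-via-fw', properties: { addressPrefix: cloudVmSubnetPrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: fwPrivateIp } } ]
  }
}
resource gatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: hubVnet
  name: 'GatewaySubnet'
  properties: { addressPrefix: gatewaySubnetPrefix, routeTable: { id: gwRouteTable.id } }
}
// UDR 2, Cloud Vnet VM subnet: traffic towards the local range also goes via the firewall.
// BGP propagation is disabled so a gateway-learned route cannot win over this UDR and bypass it.
resource vmRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-cloud-vm-subnet'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [ { name: 'local-via-fw', properties: { addressPrefix: localPrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: fwPrivateIp } } ]
  }
}
resource cloudVmSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: cloudVnet
  name: 'vm-subnet' // placeholder: Cloud Vnet VM subnet name
  properties: { addressPrefix: cloudVmSubnetPrefix, routeTable: { id: vmRouteTable.id } }
}
// Network rule: only local -> cloud VM subnet is allowed. The firewall is stateful, so replies
// flow back, but any cloud-initiated connection to the local range hits the implicit deny.
var allowLocalToCloud = { ruleType: 'NetworkRule', name: 'local-to-cloud-vm', ipProtocols: [ 'Any' ], sourceAddresses: [ localPrefix ], destinationAddresses: [ cloudVmSubnetPrefix ], destinationPorts: [ '*' ] }
resource s2sRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 's2s-rules'
  properties: {
    priority: 200
    ruleCollections: [ { ruleCollectionType: 'FirewallPolicyFilterRuleCollection', name: 'allow-local-to-cloud', priority: 100, action: { type: 'Allow' }, rules: [ allowLocalToCloud ] } ]
  }
}
```

For the VPN traffic to reach the peered Cloud Vnet at all, the hub-to-spoke peering must have gateway transit enabled on the hub side and "use remote gateways" on the spoke side. Deploying the template again after changing a prefix re-applies the subnet definitions, so keep the placeholder prefixes in sync with the real subnets.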






AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.