Image: https://petri.com/how-to-architect-an-azure-firewall-with-a-vpn-gateway
A site-to-site (S2S) VPN connection is commonly used in a hybrid network, and in a hub-and-spoke design the traffic that crosses it should pass through Azure Firewall in both directions. So in this post, I will show you the key steps needed to make this architecture work.
I have three VNets for this lab:
- Cloud Vnet (spoke) with VM subnet: 172.16.0.0/24
- DMZ Hub with FW subnet: 192.168.3.0/24, Gateway subnet: 192.168.1.0/24 and VM subnet: 192.168.0.0/24
- Local Vnet (standing in for the on-premises network) with VM subnet: 10.0.0.0/24 and Gateway subnet: 10.0.3.0/24
Azure requires the firewall subnet to be named AzureFirewallSubnet (a /26 or larger) and the VPN gateway subnet to be named GatewaySubnet; the /24 prefixes above satisfy both.
With the needed services provisioned (VMs, Azure Firewall, a VPN gateway in each of DMZ Hub and Local Vnet, and the S2S connection between them), the key points are as below.
Please do pay attention that Cloud Vnet is peered with DMZ Hub. The peering must enable "Allow gateway transit" on the DMZ Hub side and "Use remote gateways" on the Cloud Vnet side, so the spoke can reach the local network through the hub's VPN gateway, and "Allow forwarded traffic" on both sides, so traffic forwarded by the firewall is accepted. The local side must also include 172.16.0.0/24 in its local network gateway address space (or learn it via BGP), otherwise it will never send spoke-bound traffic into the tunnel.
DMZ Hub
All traffic from the remote/local network that arrives through the S2S VPN and is destined for the cloud must be forwarded to Azure Firewall for filtering and control. Therefore a UDR is configured and applied to the DMZ Hub GatewaySubnet: destination 172.16.0.0/24, next hop type Virtual appliance, next hop address the firewall's private IP. Leave BGP route propagation enabled on this route table; disabling it on a gateway subnet breaks the gateway's routing.
Cloud Vnet
All traffic from the cloud to the remote/local network needs to be filtered and controlled by Azure Firewall too, so a UDR is needed on the Cloud Vnet VM subnet as well: destination 10.0.0.0/24, next hop type Virtual appliance, next hop address the firewall's private IP. Without this route, gateway transit would hand the spoke a system route for 10.0.0.0/24 pointing straight at the hub's VPN gateway, bypassing the firewall.
Azure FW Rules
Lastly, configure a FW rule to verify the connection. I set up a one-way connection which only allows local to cloud. Azure Firewall is stateful, so replies to connections initiated from the local side are allowed without a second rule, while connections initiated from the cloud side towards 10.0.0.0/24 are dropped by the default deny.
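The whole procedure above (peering with gateway transit, the two UDRs and the one-way firewall rule), written with the Az PowerShell module as an added example; this is not code from the original post or from the petri.com article. The resource group, region, VNet, subnet and firewall names are assumptions, as is SSH (TCP/22) as the protocol used to verify the connection; the address prefixes are the ones from the lab.

```powershell
# Added example, not from the original post. Assumed names: resource group 'rg-lab',
# region 'eastus', VNets 'Cloud-Vnet' and 'DMZ-Hub', firewall 'fw-hub', VM subnet 'VMSubnet'.
# Assumes Connect-AzAccount has been run and the VPN gateway already sits in GatewaySubnet.
$rg  = 'rg-lab'
$loc = 'eastus'

$cloud = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'Cloud-Vnet'   # spoke, 172.16.0.0/24
$hub   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'DMZ-Hub'      # FW, gateway, VM subnets
$fw    = Get-AzFirewall       -ResourceGroupName $rg -Name 'fw-hub'
$fwIp  = $fw.IpConfigurations[0].PrivateIPAddress                          # next hop for both UDRs

# 1. Peering with gateway transit. The hub side (AllowGatewayTransit) must exist before
#    the spoke side can be created with UseRemoteGateways. AllowForwardedTraffic on both
#    sides lets traffic forwarded by the firewall cross the peering.
Add-AzVirtualNetworkPeering -Name 'hub-to-cloud' -VirtualNetwork $hub -RemoteVirtualNetworkId $cloud.Id `
    -AllowForwardedTraffic -AllowGatewayTransit | Out-Null
Add-AzVirtualNetworkPeering -Name 'cloud-to-hub' -VirtualNetwork $cloud -RemoteVirtualNetworkId $hub.Id `
    -AllowForwardedTraffic -UseRemoteGateways | Out-Null

# 2. DMZ Hub: UDR on GatewaySubnet sends VPN traffic bound for Cloud Vnet to the firewall.
#    BGP route propagation is left enabled (the default) on this route table.
$toCloud = New-AzRouteConfig -Name 'to-cloud-vnet' -AddressPrefix '172.16.0.0/24' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwIp
$rtGw = New-AzRouteTable -ResourceGroupName $rg -Location $loc -Name 'rt-gatewaysubnet' -Route $toCloud
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $hub -Name 'GatewaySubnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $hub -Name 'GatewaySubnet' `
    -AddressPrefix $gwSubnet.AddressPrefix -RouteTable $rtGw | Out-Null
$hub | Set-AzVirtualNetwork | Out-Null

# 3. Cloud Vnet: UDR on the VM subnet sends traffic bound for the local network to the
#    firewall, overriding the gateway-transit system route that points at the hub gateway.
$toLocal = New-AzRouteConfig -Name 'to-local-vnet' -AddressPrefix '10.0.0.0/24' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwIp
$rtVm = New-AzRouteTable -ResourceGroupName $rg -Location $loc -Name 'rt-cloud-vm' -Route $toLocal
$vmSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $cloud -Name 'VMSubnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $cloud -Name 'VMSubnet' `
    -AddressPrefix $vmSubnet.AddressPrefix -RouteTable $rtVm | Out-Null
$cloud | Set-AzVirtualNetwork | Out-Null

# 4. Firewall network rule: one way, local -> cloud only (SSH assumed as the test protocol).
#    The firewall is stateful, so replies pass; cloud -> local stays denied by default.
$rule = New-AzFirewallNetworkRule -Name 'allow-local-to-cloud-ssh' -Protocol TCP `
    -SourceAddress '10.0.0.0/24' -DestinationAddress '172.16.0.0/24' -DestinationPort 22
$coll = New-AzFirewallNetworkRuleCollection -Name 'local-to-cloud' -Priority 100 `
    -Rule $rule -ActionType Allow
$fw.NetworkRuleCollections.Add($coll)
Set-AzFirewall -AzureFirewall $fw | Out-Null
```

To check the result, run Get-AzEffectiveRouteTable against the NIC of a VM in each VNet: the Cloud VM should show 10.0.0.0/24 with next hop VirtualAppliance and the firewall IP, and from the local VM an SSH session to 172.16.0.x should succeed while a session from the cloud VM to 10.0.0.x should time out.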
Reference:
https://petri.com/how-to-architect-an-azure-firewall-with-a-vpn-gateway