I have created a new instance of an Azure SQL Managed Instance, which also creates a default route table as described within this document.

What our client is trying to achieve is to route all traffic through a CheckPoint firewall so that it can be inspected, as shown in the diagram below.

(diagram not reproduced)

To achieve this we would need to add a new route that overrides the existing routes to force a next hop for all traffic to the firewall load balancer. Something along the lines of the below.

DefaultRoute --> 0.0.0.0/0 --> Firewall Load balancer IP Address

Is this something that is supported, and if so, am I able to remove all other route table entries without adversely affecting the Managed Instance?

Phil Murray
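The route the question proposes, written out as an added example in Az PowerShell (it is not code from the question or the answer). All resource names and the load balancer IP are placeholders, and it assumes the Managed Instance subnet already has the route table the question mentions. It adds the default route alongside the existing entries instead of removing them, and lists the table before and after so the intended change can be compared with what the instance actually does:

```powershell
# Added example, not from the original post. Placeholder values:
$rg       = 'rg-sqlmi-example'     # resource group holding the VNet
$vnetName = 'vnet-sqlmi-example'   # VNet containing the Managed Instance subnet
$subnet   = 'ManagedInstance'      # delegated Managed Instance subnet
$fwLbIp   = '10.0.255.4'           # private frontend IP of the firewall load balancer

# Locate the route table that is already associated with the MI subnet.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subCfg = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
if (-not $subCfg.RouteTable) {
    throw "Subnet '$subnet' has no route table associated; nothing to modify."
}
# Resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/.../routeTables/<name>
$idParts = $subCfg.RouteTable.Id.Split('/')
$rt = Get-AzRouteTable -ResourceGroupName $idParts[4] -Name $idParts[-1]

# Record the existing entries before touching anything; they are kept in place.
Write-Host "Routes before the change:"
Get-AzRouteConfig -RouteTable $rt |
    Format-Table Name, AddressPrefix, NextHopType, NextHopIpAddress

# Add (or update, if it already exists) the 0.0.0.0/0 route towards the firewall LB.
$existing = Get-AzRouteConfig -RouteTable $rt | Where-Object Name -eq 'DefaultRoute'
if ($existing) {
    $rt = Set-AzRouteConfig -RouteTable $rt -Name 'DefaultRoute' -AddressPrefix '0.0.0.0/0' `
              -NextHopType VirtualAppliance -NextHopIpAddress $fwLbIp
} else {
    $rt = Add-AzRouteConfig -RouteTable $rt -Name 'DefaultRoute' -AddressPrefix '0.0.0.0/0' `
              -NextHopType VirtualAppliance -NextHopIpAddress $fwLbIp
}
$rt = Set-AzRouteTable -RouteTable $rt   # commits the change to Azure

Write-Host "Routes after the change:"
Get-AzRouteConfig -RouteTable $rt |
    Format-Table Name, AddressPrefix, NextHopType, NextHopIpAddress
```

Because more-specific prefixes win over 0.0.0.0/0, any narrower entries left in the table will still bypass the firewall for the addresses they cover, so compare the two listings against the traffic that is expected to be inspected.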

1 Answer

From what I can tell when trying to work with a SQL Managed Instance in a similar scenario, the SQL MI didn't seem to obey changes to its routing table that I made.

I didn't attempt to remove the public IP routes, but rather to point the default route and a route for the VNet address CIDR to the CloudGuard gateway so that client traffic from other subnets would pass through the firewall symmetrically.

I would see ACK packets from the client cross the gateway, but the SYN-ACK back from the managed instance would never show up according to the route.

Jason T