
I'm trying to create a hub-spoke network, with a firewall in the hub VNET. I want all the traffic from the spoke VNET to the internet to go to the firewall. I know I can create route tables and attach them to the subnets in the spoke VNET, and create a route rule on each of the route tables to direct 0.0.0.0/0 to the firewall appliance. But I remember that in my previous organization, there wasn't a route table attached to the subnets in the spoke VNET.

I don't want to manage so many route tables if it is possible. Can anyone give me a hint on how I can set the default route without a route table in Azure?

Dongkai Yu
  • According to my experience, a hub-spoke network can only be created using 2 methods: the "use remote gateway" setting in the peering setup or by using a route table with the next hop virtual appliance pointing to the firewall. When using a firewall the route table should be used. – Philip May 20 '23 at 08:42
  • @Philip, I was able to peer the VNET with `using remote gateway`. It can only be enabled when there is a Virtual Network Gateway configured in the remote VNET. But the Virtual Network Gateway is actually for VPN, while what I need is for the traffic to go to the firewall in the remote VNET. Any idea how to configure it? – Dongkai Yu May 21 '23 at 19:34
  • @Imran, which part of the description is not clear from your perspective? I want to set up a hub-spoke network. The egress is a firewall in the hub VNET. Usually it can be done by UDRs for each subnet in the SPOKE VNET, with 0.0.0.0/0 next hop to the private IP of the firewall. But I don't want to use UDRs in the spoke VNET. Based on my memory, it is possible. But I don't know how to configure it. – Dongkai Yu May 21 '23 at 19:41

1 Answer

According to your scenario, you can make use of Azure Route Server. Route Server offers a centralized point where network virtual appliances (NVAs) can advertise routes, which it injects into the spoke VNets.

If you don't want to use user-defined routes (UDR), network virtual appliances advertise network prefixes to the Route Server, which injects them so they show up in the effective routes of any VM deployed in the hub VNet or in spoke VNets that are peered with the hub VNet with the setting "Use the remote virtual network's gateway or Route Server".

In portal -> Route server -> make sure your subnet is named RouteServerSubnet with a minimum size of /27, like below:

[screenshot]

In route server peers, like below:

[screenshot]

It has the ability to peer multiple virtual network gateways or virtual appliances with a single route server instance. The appliance must support BGP to peer with a route server. For example: if you are configuring a route server to peer with an NVA over BGP, once the route server is peered or associated with the virtual appliance, the route server will automatically detect and update routes in scope. By default, that scope is the same virtual network as the route server service itself, and you have the option of remotely peering with other VNets outside of its own VNet.

[screenshot]

Make sure that while peering the VNets you select "virtual network gateway or route server".

[screenshot]

Another option: if you have Virtual WAN, then all VNets can be associated with a single route table (refer to the Virtual WAN documentation).

If you don't require UDRs, you can move to an ARS + NVA setup or a Virtual WAN setup. If you don't want to move to either of these, then unfortunately the only option is to use UDRs.

For more detail, refer to the links below:

What is Azure Route Server? | Microsoft Learn

Default route injection in spoke virtual networks - Azure Route Server | Microsoft Learn

Imran
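As an added check, not part of the answer above: a small Python script that validates the two things the answer hinges on, the RouteServerSubnet sizing rule and whether a spoke VM's effective routes actually send 0.0.0.0/0 to the hub firewall rather than straight to the Internet. It parses records shaped like the output of `az network nic show-effective-route-table -o json`; the route records and the firewall IP 10.0.1.4 are constructed sample values.

```python
import ipaddress
from typing import List, Tuple

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def route_server_subnet_ok(name: str, prefix: str) -> bool:
    """Azure Route Server needs a subnet named exactly RouteServerSubnet, /27 or larger."""
    return name == "RouteServerSubnet" and ipaddress.ip_network(prefix).prefixlen <= 27


def internet_egress_via(routes: List[dict], firewall_ip: str) -> Tuple[bool, str]:
    """Report whether a VM's Internet-bound traffic reaches the firewall.

    Only the Active 0.0.0.0/0 route counts: an overridden system route stays
    listed with state Invalid. Returns (True, ...) only when the active default
    route has next hop type VirtualAppliance and points at firewall_ip; a next
    hop of 'Internet' means the VM bypasses the firewall (no UDR and nothing
    injected through Route Server/BGP).
    """
    for r in routes:
        if r.get("state") != "Active":
            continue
        if DEFAULT_ROUTE not in [ipaddress.ip_network(p) for p in r["addressPrefix"]]:
            continue
        if r["nextHopType"] != "VirtualAppliance":
            return False, f"default route next hop is {r['nextHopType']}; firewall bypassed"
        if firewall_ip not in r.get("nextHopIpAddress", []):
            return False, f"default route goes to {r.get('nextHopIpAddress')}, not {firewall_ip}"
        return True, f"default route -> VirtualAppliance {firewall_ip} (source: {r.get('source')})"
    return False, "no active 0.0.0.0/0 route found"


# Constructed samples shaped like `az network nic show-effective-route-table -o json`.
# Spoke VM after the hub firewall (assumed 10.0.1.4) advertised 0.0.0.0/0 via Route Server:
SPOKE_WITH_INJECTION = [
    {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal", "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VNetPeering", "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet", "nextHopIpAddress": [], "source": "Default", "state": "Invalid"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance", "nextHopIpAddress": ["10.0.1.4"], "source": "VirtualNetworkGateway", "state": "Active"},
]
# Same VM with neither a UDR nor an injected route: the system default route stays Active.
SPOKE_WITHOUT_INJECTION = SPOKE_WITH_INJECTION[:2] + [
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet", "nextHopIpAddress": [], "source": "Default", "state": "Active"},
]

if __name__ == "__main__":
    print(route_server_subnet_ok("RouteServerSubnet", "10.0.255.0/27"))  # True
    for label, table in (("injected", SPOKE_WITH_INJECTION), ("none", SPOKE_WITHOUT_INJECTION)):
        print(label, internet_egress_via(table, "10.0.1.4"))
```

Running the same check against each spoke VM's real effective-route output after peering is a quick way to confirm the injected default route has actually arrived before removing any UDRs.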
  • Hi @Imran. Thanks for the response. It looks like a good suggestion. I tried to look for document about configuring peering between Azure Route Server and Azure Firewall, but only found this one https://learn.microsoft.com/en-us/azure/route-server/tutorial-configure-route-server-with-quagga . Do you have any document link about configuring peering between ARS and Azure Firewall? – Dongkai Yu May 24 '23 at 16:17
  • Hi Imran, I'm not building a hybrid environment. Everything on cloud. What I'm looking for is that the traffic started from Spoke VNET to internet will go through the firewall in the HUB VNet without using UDR in the Spoke VNET. The Azure Route Server looks like a fit, but I couldn't complete it cause I couldn't find a way to peer the Azure Route Server with the Firewall. Is that something you can help? – Dongkai Yu May 24 '23 at 21:12