Azure Virtual WAN Transit Routing and Proxy
Overview
In the article, we will explore VWAN multiple transit routing scenarios and use Azure firewall as proxy.
- Between ExpressRoute and site to site VPN
- VNet-to-VNet transit routing through virtual hub
- Filter traffic outbound to Internet
Azure Virtual WAN
Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. These functionalities include branch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE), Site-to-site VPN connectivity, remote user VPN (Point-to-site) connectivity, private (ExpressRoute) connectivity, intra-cloud connectivity (transitive connectivity for virtual networks), VPN ExpressRoute inter-connectivity, routing, Azure Firewall, and encryption for private connectivity.
System Diagram for Lab Environment
Notes:For number 5 branch, we use virtual network gateway and VNet to simulate on premises workload.For number 3 & 4, we have UDR to overwrite default route which is propagated from secured virtual VWAN
Configurations
VWAN VNet Connections
This is for number 1 &2 from system diagram.
If you are in any to any routing scenario, simply select options to associate default route table to the VNet connection and propagate route to the default route table.
Also virtual hub can connect to VNets in multiple regions.
VWAN ExpressRoute Gateway
Virtual WAN ExpressRoute gateway can be scaled up after creation.
In order to make the default route available for ExpressRoute branches, we turn on default route propagation flag. This flag allows Virtual Hub to propagate a learnt default route to this connection. This flag enables default route propagation to a connection only if the default route is already learned by the Virtual WAN hub as a result of deploying a firewall in the hub or if another connected site has forced tunneling enabled. The default route does not originate in the Virtual WAN hub.
Enable Secured VWAN
When convert VWAN virtual hub to secured hub, Azure firewall resource is actually created. VWAN virtual hub shows up in Azure firewall manager.
The firewall rules for secured VWAN is managed via Azure firewall manager policy. You could add rule collection and rule through Azure firewall manager. The rules are applied to the virtual hub listed in Azure firewall manager.
VWAN Site to Site VPN
Branch to Branch Connectivity
Branch to branch connectivity is supported by default, virtual WAN configuration shows that branch-to-branch flag is enabled by default.
Virtual Network Gateway (site to site VPN type)
From your branch workload Azure resource group, create VGW.
VWAN VPN Site and Link
From WWAN virtual hub blade, select VPN(site to site) connectivity tab, add VPN site to represent your VPN branch to VWAN.
Grab the IP addresses and other information from prior step.
Also download VPN Config from virtual WAN, the information is needed to configure your VPN.
Local network gateway
From your branch workload Azure resource group, create local network gateway.
From prior step when create site to site VPN from VWAN, you grabbed tunnel IP address, list of IP address that you need to connect from your VPN, ASN and BGP IP address.
List of IP address that you need to connect from your VPN include Hub VNet , Hub peered spoke VNet, ExpressRoute connected data center, VWAN IP range and VWAN connected spoke VNet IP ranges.
(Note: in next step if VPN connection has BGP enabled, you wouldn’t need to input this IP list, address prefixes can be learned from VPN connection)
VPN Gateway Connection
From your branch workload Azure resource group, VPN gateway blade, add connection, select site-to-site VPN type, select local network gateway created from prior step.
Check Effective Routes
Effective routes of VMs in VWAN connected spoke VNets.
There is a default route to VWAN Azure firewall, so the outbound to Internet is inspected and we use Azure firewall manager policy to whitelist public sites.
Effective routes of VMs in ExpressRoute connected Hub VNet and spoke VNet. Default route to VWAN Azure firewall is present as well, but status is invalid, it is overwritten by default route from UDR.
Effective routes of VM in your VPN branch.
Conclusion
Since the routes are available, connectivity is present between all VNets and all branches, outbound to Internet is also possible through Azure firewall. To secure the traffic, apply appropriate firewall rules to Azure firewall and network security groups.
Appendix
VWAN Monitoring
- Enable Azure firewall diagnostic log for secured virtual hub.
- Optionally send VWAN ExpressRoute gateway metrics to multiple destinations
References
https://docs.microsoft.com/en-us/azure/virtual-wan/scenario-any-to-any
https://docs.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing#association
Azure Firewall forced tunneling | Microsoft Docs (Force Tunneling requires this vnet have a subnet named AzureFirewallManagementSubnet)
How to configure Virtual WAN Hub routing policies — Azure Virtual WAN | Microsoft Docs (VWAN policy intent)
