Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
580 questions
Azure firewall migration from third party firewall
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 46%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
prasantc
836
Reputation points
I am planning to migrate from a third party firewall to Azure firewall. Without much downtime
- Currently, all UDR points to third party firewall appliance hosted in Azure
- I have setup a firewall and empty policy in Azure
- I am will be importing rules from CSV
- Once the policy is ready, I will secure the hub using existing policy and deploy the new firewall created by secured hub. Repurpose the public IP of old AZ firewall to the new firewall deployed from hub and delete old firewall.
- Enable routing intent on the secured hub
- peered one of the test subscription and test subscription vvnets to VWAN.
- Test all traffic from test subscription.
- Start peering other subscription to VWAN.
Only thing I am worried about is step 5. Which will enable all default summary route of all RFC1918 IP address for both internet and internal traffic pointed Azure firewall. With this setup would it be possible only to peer test subscription for initial test and route all remaining subscription UDR traffic to third party firewall?
{count} votes
-
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee2024-05-07T06:47:11.6266667+00:00 Hello @prasantc ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
Could you please share your network diagram for more clarity on your existing setup?
Regards,
Gita
-
prasantc 836 Reputation points
2024-05-07T07:15:57.3333333+00:00 single vwan and single hub.
vnet are not peered with the vwan at the moment
all vnet except for core vnet has UDR to firewall appliance soon to be decommissioned
-
prasantc 836 Reputation points
2024-05-08T07:09:49.0833333+00:00 -
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee
2024-05-08T07:39:48.25+00:00 @prasantc , adding below your comments from the new post that you created (which was marked as duplicate):
https://learn.microsoft.com/en-us/answers/questions/1664059/vwan-routing-intent
I am in the process of securing vwan - hub with azure firewall and enabling routing intent for internet facing and private network through Azure firewall.I have about 8 subscription that will eventually be connected to secured hub azure firewall.
Currently, all subscription traffic goes through UDR and third party firewall appliance without centralizes vwan hub security.
As I start securing traffic with Azure firewall. my plan it to connect each subscription at a time and test all new policies for traffic works fine before peering other subscriptions.
But enabling route intent summarizes all RFC1918 traffic through vwan and Azure firewall. Therefore, I am sceptic if it would allow be test one subscription at a time or change the route for all the subscriptions immediately?
-
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee
2024-05-08T07:44:50.6333333+00:00 @prasantc , Apologies for the delay in response as I was checking internally regarding your question.
With this setup would it be possible only to peer test subscription for initial test and route all remaining subscription UDR traffic to third party firewall?
You can peer two vWAN spokes together to provide direct access. The direct access will take precedence over any routes vWAN plumbs to the spoke. You can direct traffic to the NVA in a spoke over the direct peering using UDR, assuming that UDR is at least a LPM (Longest Prefix Match) match with system/vwan routes, if not more specific.
But to get a confirmation, I've reached out to the Azure Virtual WAN PG. I will keep you posted on the updates.
Regards,
Gita
-
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee
2024-05-08T10:04:08.2233333+00:00 @prasantc , I've a quick question on your migration setup.
When you say that "I am in the process of securing vwan - hub with azure firewall", are you creating a new secured vhub or upgrade your existing hub to secure vhub? Meaning will it be a single hub or multi-hub deployment?
Also, the diagram you shared doesn't show the 3rd party NVA. Where is it deployed? Is it in the hub?
-
prasantc 836 Reputation points
2024-05-08T16:41:20.18+00:00 currently, virtual WAN is not secured with the Azure firewall. Only the core subscription is by default linked to non secured vhub. As soon as I link the policy it will deploy new Azure firewall linked with the policy and secured the hub.
After that I will first peer the test subscription. It will allow me the check the connection between test subscription and core subscription resource and internet and on prem. I may have to keep firewall rule allow all on east to west initially that way no services received from core subscription gets blocked by firewall.
Remaining services outbound will continue for flow from old third party firewall appliance based on UDR as they wont be peered yet to the vwan. But I do not know how the traffic shaping happens inbound whey those subscriptions need to receive traffic, as UDR does not control it while routing intent all route summarized through vWAN which includes vHub route intent all private IP summarization
-
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee
2024-05-09T10:27:33.9533333+00:00 @prasantc , I discussed this with the Azure Virtual WAN Product Group team and below is their response:
Please refer Azure virtual network traffic routing | Microsoft Learn for how Azure makes routing decisions. Please note that the routes that Virtual WAN advertises to spoke VNETs are considered as type "BGP route", which is the second on the preference list assuming LPM (Longest Prefix Match) for two routes are the same.
You should use these VNET route preference guidelines to decide the best path forwards. Your assessment that we advertise RFC1918 to all VNETs connected to routing intent hubs is correct.
Regards,
Gita
-
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee
2024-05-14T05:18:55.2966667+00:00 @prasantc , could you please provide an update on this post? If you have any further questions or encountering additional issues, please let me know.
Sign in to comment