mr58

Reputation: 11

Azure Firewall & VPN/ExpressRoute UDRs

I have a customer who has an Azure environment in place, and I'm coming in to provide an assessment and guidance on their future Azure architecture. They have a hybrid configuration where they're connecting multiple on-premises data centers to an Azure hub network via S2S VPN with a third-party NVA. I have not seen their environment yet, as this is illustrated in some network diagrams we received from them, although it looks like they've followed best practices overall.

From a design perspective, they currently have a production and disaster recovery data center whereas in Azure they only have a presence in East US. So I'm going into this engagement with the impression they'll likely want a second presence which I'd suggest West US since that'll be the peered region for East US.

I'm doing some research on how to best approach their networking configuration moving forward. Since the goal is to move most of their workloads to Azure, and I'm assuming they'll need some on-premise network connectivity initially, I'd recommend deploying an ExpressRoute as I'm of the impression the S2S VPN works but I wouldn't bet my job on it from a stability perspective.

My thoughts are, if they aren't doing this already, they should have UDRs set up to route all traffic from the hub and spoke VNets to the NVA or Azure Firewall for inbound and outbound internet connectivity.

My question is what's the best practice when it comes to routing traffic coming from one of their data centers to a virtual machine in Azure? From what I'm reading, ExpressRoute doesn't play nice with providing a 0.0.0.0/0 route to the next hop being an Azure Firewall. My thoughts are any traffic that originates from a machine in Azure goes to the firewall and then the internet. If there's a machine that lives in the datacenter then it should go through whatever network infrastructure is in place and out the firewall there. Ideally, if a machine from on-premises needs to connect to a machine in Azure, the traffic will flow through the firewall and vice versa.

Does anyone have any experience with UDRs, Azure Firewall, and ExpressRoute that they could share in a scenario like this? Thanks!

Upvotes: 1

Views: 1362
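The routing layout described above, written out as an added illustration (not the poster's configuration); the route table names, spoke prefixes and firewall private IP are assumptions, and the GatewaySubnet table carries only the spoke prefixes because a 0.0.0.0/0 UDR is not supported on a gateway subnet:

```bicep
// Added illustration; resource names, address ranges and the firewall
// private IP below are assumptions, not values from the question.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'                 // AzureFirewallSubnet IP (assumed)
param spokePrefixes array = ['10.1.0.0/16', '10.2.0.0/16']  // spoke VNet ranges (assumed)

// 1. Spoke workload subnets: all traffic, internet-bound included, is sent to
//    the firewall. BGP propagation is disabled so prefixes learned over
//    ExpressRoute/VPN cannot install a more specific route that bypasses it;
//    replies from Azure VMs to on-premises therefore also pass the firewall.
resource spokeRt 'Microsoft.Network/routeTables@2022-07-01' = {
  name: 'rt-spoke-to-firewall'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// 2. Hub GatewaySubnet: no 0.0.0.0/0 here (unsupported on a gateway subnet).
//    Only the spoke prefixes arriving from on-premises are steered into the
//    firewall, so on-prem -> Azure VM traffic is inspected, while on-prem
//    internet egress stays with the datacenter's own perimeter.
resource gwRt 'Microsoft.Network/routeTables@2022-07-01' = {
  name: 'rt-gatewaysubnet-to-firewall'
  location: location
  properties: {
    disableBgpRoutePropagation: false   // the gateway subnet must keep learning on-prem routes
    routes: [for (prefix, i) in spokePrefixes: {
      name: 'spoke-${i}-via-firewall'
      properties: {
        addressPrefix: prefix
        nextHopType: 'VirtualAppliance'
        nextHopIpAddress: firewallPrivateIp
      }
    }]
  }
}
```

Associate `spokeRt` with each spoke workload subnet and `gwRt` with the hub's GatewaySubnet; the firewall's own rules then decide which on-prem to Azure flows are permitted.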

Answers (1)

Kartik Bhiwapurkar

Reputation: 5169

• First, I would advise you to consider that Azure routes traffic successfully between subnets within a virtual network, connected virtual networks, on-premises networks, and the internet. Also, implementing a highly available Site-to-Site VPN between on-premises datacenters and Azure is recommended, as a deployed VPN gateway consists of two instances in an active-standby configuration.

When planned maintenance or an unplanned disruption to the active instance happens, failover occurs and the standby instance takes over automatically. This instance resumes the Site-to-Site or network-to-network connection, and the switchover causes a brief interruption. For planned as well as unplanned maintenance issues, the connection is restored within 10 to 15 seconds, or up to 1.5 minutes in the worst case.

• Hence, to get more knowledge about the best practices for implementing ExpressRoute, please refer to the documentation link below, which describes the scenarios and solutions that include the correct usage of ExpressRoute for connecting on-premises and Azure resources.

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/migrate/azure-best-practices/migrate-best-practices-networking#best-practice-implement-expressroute-for-mission-critical-connections

Use of Azure Firewall

With regards to using Azure Firewall, please consider referring to the below documentation link for optimally using the Azure Firewall as means of filtering the required and needed traffic between the on-premises and Azure environment.

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/migrate/azure-best-practices/migrate-best-practices-networking#take-advantage-of-azure-security-features-for-networking

Upvotes: 2
