Hi there,
I've been tasked with setting up a new environment in an existing Azure tenant that currently has its on-premises traffic routed to Azure using ExpressRoute (ER). The Azure Virtual Network Gateway (VGW) terminates the ER on-premises traffic in the Old-Hub1 VNet.
Task 1: create a new hub-and-spoke VNet topology and deploy Azure Firewall in the new hub, with all traffic from the spokes using the Azure Firewall as the next hop. I have done this successfully!
Task 2: route on-premises ExpressRoute (ER) traffic from the VGW so that its next hop is the Azure Firewall in the new hub VNet, in order to reach any of the new spoke VNets, and vice versa, so that Azure Firewall traffic can route back on-premises via the VGW.
My thoughts are that as long as the VGW subnet is associated with a configured UDR to force the ExpressRoute (on-premises) traffic to use the Azure Firewall in the hub VNet as the next hop to get to the new VNet environment, this would work, as the Azure Firewall will know how to get to these VNets?
And to get from the spoke (via the hub Azure Firewall) to on-premises, I would need to associate a UDR (for the new Azure Firewall hub VNet) to use the VGW as the next hop in order to get back on-premises.
Please assume that the peering between the Azure Firewall hub VNet and the VGW is in place, that the VGW has the gateway transit setting configured, that the Azure Firewall hub VNet has the "use remote gateways" setting configured, and that the UDR setting to allow gateway route propagation will be disabled.
My question is around the concern that the VGW and firewall are in different VNets. Typically I am used to seeing these resources in the same VNet but in different subnets. My second question of concern is that the UDR will be configured NOT to advertise this route, so that will mean that the ExpressRoute routing table will not pick this up using BGP.
Any help on the two questions of concern above would be appreciated. Thank you.
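For reference, here is an Azure CLI sketch of the two route tables the setup above needs (added here as an example; it is not code from the original post). Resource group, region, spoke VNet/subnet names, the firewall's private IP and the address prefixes are placeholders; it assumes the hub-to-hub peering uses gateway transit / "use remote gateways" as described, and it keeps BGP route propagation enabled on the GatewaySubnet and on AzureFirewallSubnet, disabling it only on the spoke subnets.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). All names, prefixes and the
# firewall IP below are placeholders for the poster's environment.
set -euo pipefail

RG="rg-network"                 # placeholder resource group
LOCATION="westeurope"           # placeholder region
OLD_HUB_VNET="Old-Hub1"         # VNet that holds the ExpressRoute VGW (named in the post)
SPOKE_VNET="New-Spoke1"         # placeholder: one of the new spoke VNets
SPOKE_SUBNET="workload"         # placeholder: a subnet in that spoke
FW_PRIVATE_IP="10.100.0.4"      # placeholder: Azure Firewall private IP in the new hub
SPOKE_PREFIX="10.101.0.0/16"    # placeholder: summary of the new spoke address spaces

# Execute az, or only print the command when DRY_RUN=1 (lets the plan be reviewed offline).
run_az() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "az $*"; else az "$@"; fi; }

# Leg 1, on-premises -> spokes: the GatewaySubnet in Old-Hub1 gets a UDR that sends
# spoke-bound ExpressRoute traffic to the firewall's private IP in the peered hub.
# BGP propagation stays enabled on this table so the gateway keeps its learned
# on-premises routes; the next-hop IP living in another VNet is fine as long as
# the two hubs are peered.
gateway_subnet_routes() {
  run_az network route-table create -g "$RG" -n rt-gatewaysubnet -l "$LOCATION" \
    --disable-bgp-route-propagation false
  run_az network route-table route create -g "$RG" --route-table-name rt-gatewaysubnet \
    -n spokes-via-firewall --address-prefix "$SPOKE_PREFIX" \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIVATE_IP"
  run_az network vnet subnet update -g "$RG" --vnet-name "$OLD_HUB_VNET" \
    -n GatewaySubnet --route-table rt-gatewaysubnet
}

# Leg 2, spokes -> on-premises: spoke subnets send everything to the firewall and
# ignore propagated routes, so nothing bypasses it. No static route to the gateway
# is added on AzureFirewallSubnet: an ExpressRoute gateway cannot be a UDR next hop,
# so that subnet keeps propagation enabled and learns the on-premises prefixes from
# the remote gateway over the hub-to-hub peering (assumption: "use remote gateways" is set).
spoke_subnet_routes() {
  run_az network route-table create -g "$RG" -n rt-spoke -l "$LOCATION" \
    --disable-bgp-route-propagation true
  run_az network route-table route create -g "$RG" --route-table-name rt-spoke \
    -n default-via-firewall --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIVATE_IP"
  run_az network vnet subnet update -g "$RG" --vnet-name "$SPOKE_VNET" \
    -n "$SPOKE_SUBNET" --route-table rt-spoke
}
```

Run with `DRY_RUN=1` first to review the generated commands; on-premises routing still needs a route for the spoke prefix towards the ER circuit, which this script does not configure.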