
Forcing Internet traffic via Azure Firewall to use On premises Network services


Hi there,

I currently have 2 hub-and-spoke setups (one for the production environment and one for the DR environment). Both hubs have Azure Firewalls in them, and all traffic from the Prod spokes routes via the Prod Hub Azure Firewall, and vice versa for the DR environment, where the DR spokes route via the DR Hub Azure Firewall. UDRs on the spoke environments are configured to use the Azure Firewall as the next hop.

In order to route from the Prod spoke to the DR spoke environment, I have currently set up the below:

A NEW UDR to route 0.0.0.0/0 to the internet, plus a 2nd route to route DR network traffic (from Prod) via the DR Hub Azure Firewall Subnet as the next hop, and associated this with the Prod Hub Firewall Subnet.

And vice versa for the DR environment: a NEW UDR to route 0.0.0.0/0 to the internet, plus a 2nd route to route from DR to Prod via the Prod Azure Firewall as the next hop, and associated this with the DR Hub Azure Firewall Subnet.

I now have to make sure that if any VMs in Azure need to reach the internet, they are forced to route to the internet via the on-premises firewalls. Currently in place is the client's older ExpressRoute circuit, which terminates at their existing Azure Virtual Network Gateway on a different VNet. I am not sure if it would be a simple case of editing the existing spoke UDR route for 0.0.0.0/0 (next hop firewall) and changing the next hop to use the Virtual Network Gateway?

Any help on this would be fantastic. Thank you.
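The route tables described in the post, as an added worked model (not the poster's configuration or Azure's code) of how Azure picks a next hop by longest prefix match and where a packet from a Prod spoke VM ends up if the 0.0.0.0/0 next hop is changed on the firewall subnet versus on the spoke. All address ranges and firewall IPs are constructed placeholders.

```python
"""Azure UDR next-hop selection for the hub-and-spoke layout in the post.
All prefixes and IPs are constructed placeholders, not the poster's."""
import ipaddress
from typing import List, NamedTuple

class Route(NamedTuple):
    prefix: str
    next_hop_type: str  # VirtualAppliance | Internet | VirtualNetworkGateway
    next_hop_ip: str = ""  # only meaningful for VirtualAppliance

PROD_FW_IP = "10.0.1.4"   # constructed: Prod hub Azure Firewall private IP
DR_FW_IP = "10.100.1.4"   # constructed: DR hub Azure Firewall private IP
DR_NET = "10.100.0.0/16"  # constructed: DR environment address space

# Prod spoke subnets: everything to the Prod hub firewall (as in the post).
PROD_SPOKE_UDR = [Route("0.0.0.0/0", "VirtualAppliance", PROD_FW_IP)]
# Prod hub AzureFirewallSubnet: DR prefix to the DR firewall, the rest to Internet.
PROD_FW_SUBNET_UDR = [Route("0.0.0.0/0", "Internet"),
                      Route(DR_NET, "VirtualAppliance", DR_FW_IP)]

def resolve(table: List[Route], dst: str) -> Route:
    """Longest-prefix match: Azure's rule when several UDR entries match, which is
    why the /16 DR route wins over 0.0.0.0/0 on the firewall subnet."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)

def forced_tunnel(table: List[Route]) -> List[Route]:
    """Repoint the default route at the ExpressRoute gateway (the edit the post asks
    about). It only takes effect if the subnet's VNet owns or, via peering, uses
    that gateway; on ExpressRoute 0.0.0.0/0 is normally learned over BGP instead."""
    return [Route("0.0.0.0/0", "VirtualNetworkGateway") if r.prefix == "0.0.0.0/0"
            else r for r in table]

def path(dst: str, spoke_udr: List[Route], fw_udr: List[Route]) -> List[str]:
    """Hops a packet from a Prod spoke VM takes: the spoke UDR first, then the
    firewall subnet UDR only if the spoke route delivered it to the Prod firewall."""
    route = resolve(spoke_udr, dst)
    hops = [f"{route.next_hop_type} {route.next_hop_ip}".strip()]
    if route.next_hop_type == "VirtualAppliance" and route.next_hop_ip == PROD_FW_IP:
        route = resolve(fw_udr, dst)
        hops.append(f"{route.next_hop_type} {route.next_hop_ip}".strip())
    return hops

if __name__ == "__main__":
    internet = "203.0.113.10"  # constructed public destination
    print("hub default route -> gateway:  ", path(internet, PROD_SPOKE_UDR, forced_tunnel(PROD_FW_SUBNET_UDR)))
    print("spoke default route -> gateway:", path(internet, forced_tunnel(PROD_SPOKE_UDR), PROD_FW_SUBNET_UDR))
```

Changing the default route on the firewall subnet keeps the Prod firewall in the path before the gateway, while changing it on the spoke sends internet-bound traffic straight to the gateway and the Prod firewall never sees it.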

