So having a bit of a conundrum here with Azure Firewall and vWAN Hub. I can’t find good information on whether a firewall deployed in the vWAN hub can also still perform DNAT or not, and asking Microsoft via a support engagement lends a “not sure, don’t know about vWAN Hub”.

So, anyone who has experience with a vWAN Hub and a firewall in it who can help? I’m honestly not far from just getting rid of the damned thing and putting my SD-WAN NVAs in a Hub vNET instead of messing with the vWAN Hub, but this is a Hail Mary thing.

2 Spice ups

Yeah, this can be super annoying to deal with, especially with things like DNAT. So normally, Azure Firewall supports DNAT and enables you to translate and filter incoming Internet traffic to your services hosted privately within Azure, but integrating it with a vWAN Hub is by no means straightforward. In a vWAN hub, the firewall is usually set to handle interconnectivity and security (filtering, inspection). Typically, the DNAT operation would occur before traffic hits the vWAN Hub, often at the edge or gateway where connections first ingress into Azure. This is what makes it so tough, I guess, and there is very little out there on making it work.

If I’m honest, using SD-WAN NVAs in a Hub VNet could give you more direct control over network configurations, including DNAT, making it easier to integrate with other network functions.

The issue I’m facing with the NVAs is they are VMware VeloCloud SD-WAN devices that do not register as “Next Gen Firewalls” and don’t hook into the Routing Intent feature.
I think I may have found a work-around by creating a UDR that sets 0.0.0.0/0 to Internet service tag and applying that UDR directly to the AzureFirewallSubnet in the Hub vNET. This appears to work exactly as we want; the concern is whether this is actually supported or will go away soon.

One thing I think I failed to mention is that because we use Zscaler, we have to have all Internet traffic go through Zscaler, which requires the traffic to go out the NVAs in the vWAN Hub. This obviously breaks Azure Firewall because it needs its default route to be that Internet Service Tag.
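The work-around described in the two posts above (a UDR on AzureFirewallSubnet that pins 0.0.0.0/0 to the Internet next hop so the firewall’s own egress is not dragged into the Zscaler default route learned from the NVAs) as an Azure CLI script. This is an added example and not something posted in the thread; the resource group, region, VNet and route-table names are placeholders, and the script only prints the plan unless APPLY=1 is set, so it can be reviewed (and checked offline) before anything is created. The one detail the posts do not spell out is included here: the route table is created with BGP/gateway route propagation disabled, otherwise the 0.0.0.0/0 advertised by the SD-WAN NVAs is still learned on the subnet alongside the static route.

```bash
#!/usr/bin/env sh
# Added example, not from the thread. Pins AzureFirewallSubnet's default route to
# the Internet next hop even when the hub learns 0.0.0.0/0 from the SD-WAN NVAs.
# Assumptions (placeholders): RG, LOC, VNET and the route-table name. The Azure CLI
# ("az") is only invoked when APPLY=1.
set -eu

# Print the az commands that build the UDR. Nothing is executed here, so the plan
# can be reviewed first.
azfw_udr_plan() {
  rg="$1"; loc="$2"; vnet="$3"; rt="${4:-rt-azfw-default-internet}"
  cat <<EOF
az network route-table create --resource-group ${rg} --name ${rt} --location ${loc} --disable-bgp-route-propagation true
az network route-table route create --resource-group ${rg} --route-table-name ${rt} --name default-to-internet --address-prefix 0.0.0.0/0 --next-hop-type Internet
az network vnet subnet update --resource-group ${rg} --vnet-name ${vnet} --name AzureFirewallSubnet --route-table ${rt}
EOF
}

# Sanity check on a plan: 0.0.0.0/0 must go to Internet, gateway/BGP-learned routes
# must not be propagated onto the subnet, and the table must land on
# AzureFirewallSubnet and nowhere else.
plan_is_sane() {
  plan="$1"
  printf '%s\n' "$plan" | grep -q -- '--address-prefix 0.0.0.0/0 --next-hop-type Internet' &&
  printf '%s\n' "$plan" | grep -q -- '--disable-bgp-route-propagation true' &&
  printf '%s\n' "$plan" | grep -q -- '--name AzureFirewallSubnet --route-table'
}

# Execute the plan line by line, but only after it passed the sanity check.
apply_plan() {
  plan="$1"
  plan_is_sane "$plan" || { echo "plan failed sanity check, not applying" >&2; return 1; }
  printf '%s\n' "$plan" | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd"
  done
}

PLAN=$(azfw_udr_plan "${RG:-rg-hub}" "${LOC:-eastus}" "${VNET:-vnet-hub}")
if [ "${APPLY:-0}" = "1" ]; then
  apply_plan "$PLAN"
else
  echo "$PLAN"
fi
```

In the portal the same switch is the route table’s “Propagate gateway routes: No” setting. Microsoft’s own forced-tunneling guidance for Azure Firewall has this shape (0.0.0.0/0 to Internet on AzureFirewallSubnet with propagation disabled), which is the closest thing to a support statement for the work-around; apply the table to AzureFirewallSubnet only, since putting a 0.0.0.0/0-to-Internet route on any workload subnet would bypass Zscaler for that subnet.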

I think splitting the firewall functions into two different ones is the best way. So the DNAT functionality could go into a firewall in the DMZ-specific vNET and then have the traffic management happen in a secure hub.