Azure VM Routing Question

popeyesailzzz · 2025-06-16T15:03:49.702Z

Hello,

I have more of a generalized question. I currently have a virtual firewall in azure with 3 interfaces on it. I have a vm deployed that is sitting on the vnet with a udr pointing to the inside interface. Connections are working well, traffic is hitting the firewall, no issues. I was informed from the connection diagnostics I could have a potential localudr loop. I understand a vm and firewall on the same vnet pointing to the inside interface could cause a loop from an azure standpoint but, once the traffic hits my firewall the routes on the firewall carry the traffic to another interface then NAT out to the internet. The connection troubleshooter does not see that process of course. I opened a case with Microsoft and was told if things are working this could be ignored. My question is, if I remove the UDR, the default route sends the traffic to the internet.. How am i suppose to have these natively routing without a udr to the firewall? For context, I can’t re-ip the firewall or move the VMs at this time.

Evan7191 · 2025-06-16T15:36:52.409Z

popeyesailzzz:

How am i suppose to have these natively routing without a udr to the firewall?

Do you want to use native routing instead of your firewall?

popeyesailzzz · 2025-06-17T15:03:47.624Z

The idea was to direct the vm traffic to the firewall and from there will break out.

Evan7191 · 2025-06-17T18:09:02.764Z

If you want traffic to go through the firewall, you will need a route to send traffic to the firewall. Because you will use your own firewall, you don’t need to worry about the native routing.

popeyesailzzz · 2025-06-18T14:08:20.111Z

I don’t think you understand, the firewall is in azure, its a vm and one of the inside interfaces resides on the same vnet as my other virtual machines. I have the udr with a default route to send the traffic to the virtual firewall. That is getting flagged because the machines are on the same subnet.

Evan7191 · 2025-06-18T16:25:10.868Z

popeyesailzzz:

I don’t think you understand, the firewall is in azure, its a vm and one of the inside interfaces resides on the same vnet as my other virtual machines. I have the udr with a default route to send the traffic to the virtual firewall.

I did understand that. I used to work at an MSP as a professional services engineer where my main focus was migrating clients’ on-prem servers to Azure, and that is how we set up almost every network in Azure: 3 subnets (public, DMZ, and internal), with a firewall VM that had interfaces in each VNET. We added a route table to send all traffic to the firewall’s interface in the internal subnets, and the firewall would process the traffic through the DMZ and send outbound traffic out the public interface.

I guess I don’t understand what your question is. You have a valid configuration, and it is working. Microsoft’s support said that you can disregard the alert. What’s the problem?

popeyesailzzz · 2025-06-20T15:32:00.085Z

My concern is, it should not be alerting for a local udr loop.I dont want to have any issues down the road.

Evan7191 · 2025-06-20T21:23:25.812Z

As long as your firewall is working properly, you won’t have issues with routing.