Hello,

I have more of a generalized question. I currently have a virtual firewall in Azure with 3 interfaces on it. I have a VM deployed that is sitting on the VNet with a UDR pointing to the inside interface. Connections are working well, traffic is hitting the firewall, no issues. I was informed from the connection diagnostics I could have a potential local UDR loop. I understand a VM and firewall on the same VNet pointing to the inside interface could cause a loop from an Azure standpoint but, once the traffic hits my firewall, the routes on the firewall carry the traffic to another interface then NAT out to the internet. The connection troubleshooter does not see that process of course. I opened a case with Microsoft and was told if things are working this could be ignored. My question is, if I remove the UDR, the default route sends the traffic to the internet. How am I supposed to have these natively routing without a UDR to the firewall? For context, I can’t re-IP the firewall or move the VMs at this time.


Do you want to use native routing instead of your firewall?


The idea was to direct the vm traffic to the firewall and from there will break out.

If you want traffic to go through the firewall, you will need a route to send traffic to the firewall. Because you will use your own firewall, you don’t need to worry about the native routing.

I don’t think you understand, the firewall is in Azure, it’s a VM and one of the inside interfaces resides on the same VNet as my other virtual machines. I have the UDR with a default route to send the traffic to the virtual firewall. That is getting flagged because the machines are on the same subnet.

I did understand that. I used to work at an MSP as a professional services engineer where my main focus was migrating clients’ on-prem servers to Azure, and that is how we set up almost every network in Azure: 3 subnets (public, DMZ, and internal), with a firewall VM that had interfaces in each VNET. We added a route table to send all traffic to the firewall’s interface in the internal subnets, and the firewall would process the traffic through the DMZ and send outbound traffic out the public interface.
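To make the routing discussed in this thread concrete, here is an added example (not code from any poster, and not from Azure's own tooling) that models two things in plain Python: how Azure picks a next hop for a subnet (longest prefix wins, and a user-defined route beats a system route with the same prefix, which is why dropping the 0.0.0.0/0 UDR sends traffic straight to Internet), and the heuristic the connection diagnostic appears to apply, flagging a VirtualAppliance route whose next-hop IP sits inside a subnet the route table is associated with. All addresses, subnet names and the route table are constructed for the example and are assumptions, not values from the thread.

```python
import ipaddress

# Constructed sample mirroring the setup described in the thread: the internal
# subnet has a route table whose default route points at the firewall's inside
# interface, and that interface lives in the very same subnet.
VNET_PREFIX = "10.0.0.0/16"            # assumed VNet address space
INTERNAL_SUBNET = {"snet-internal": "10.0.2.0/24"}
FIREWALL_INSIDE_IP = "10.0.2.4"        # assumed inside-interface address

ROUTE_TABLE = {
    "name": "rt-internal",
    "subnets": INTERNAL_SUBNET,
    "routes": [
        {"name": "default-to-fw", "prefix": "0.0.0.0/0",
         "next_hop_type": "VirtualAppliance", "next_hop_ip": FIREWALL_INSIDE_IP},
    ],
}


def system_routes(vnet_prefix):
    """The Azure system routes relevant here: VNet space -> VnetLocal, everything else -> Internet."""
    return [
        {"name": "system-vnet", "prefix": vnet_prefix,
         "next_hop_type": "VnetLocal", "next_hop_ip": None, "system": True},
        {"name": "system-internet", "prefix": "0.0.0.0/0",
         "next_hop_type": "Internet", "next_hop_ip": None, "system": True},
    ]


def effective_next_hop(user_routes, vnet_prefix, dest):
    """Longest-prefix match; on an equal prefix a user-defined route wins over a system route."""
    dest_ip = ipaddress.ip_address(dest)
    candidates = system_routes(vnet_prefix) + [dict(r, system=False) for r in user_routes]
    best, best_len = None, -1
    for route in candidates:
        net = ipaddress.ip_network(route["prefix"])
        if dest_ip not in net:
            continue
        more_specific = net.prefixlen > best_len
        same_len_but_user = (net.prefixlen == best_len and best["system"] and not route["system"])
        if more_specific or same_len_but_user:
            best, best_len = route, net.prefixlen
    return best["next_hop_type"], best["next_hop_ip"]


def find_local_udr_loops(route_table):
    """Flag VirtualAppliance routes whose next hop is inside a subnet this table is applied to.

    This reproduces the diagnostic's heuristic as the thread describes it. It cannot see
    that the appliance forwards the packet out a different interface and NATs it, so a
    hit is a warning to review, not proof of a loop.
    """
    findings = []
    for route in route_table["routes"]:
        if route["next_hop_type"] != "VirtualAppliance":
            continue
        hop = ipaddress.ip_address(route["next_hop_ip"])
        for subnet_name, prefix in route_table["subnets"].items():
            if hop in ipaddress.ip_network(prefix):
                findings.append((route_table["name"], route["name"], subnet_name))
    return findings


if __name__ == "__main__":
    # With the UDR in place, internet-bound traffic goes to the firewall; VNet traffic stays local.
    print("with UDR, 1.1.1.1 ->", effective_next_hop(ROUTE_TABLE["routes"], VNET_PREFIX, "1.1.1.1"))
    print("with UDR, 10.0.1.5 ->", effective_next_hop(ROUTE_TABLE["routes"], VNET_PREFIX, "10.0.1.5"))
    # Without the UDR, the system default route sends it to Internet, as the original poster says.
    print("no UDR, 1.1.1.1 ->", effective_next_hop([], VNET_PREFIX, "1.1.1.1"))
    print("diagnostic hits:", find_local_udr_loops(ROUTE_TABLE))
```

The `find_local_udr_loops` hit is exactly the condition the thread argues is benign when the appliance has IP forwarding enabled and its own routes push the packet out another interface; the check is useful for spotting route tables that were accidentally attached to the firewall's own subnet, which is the case where a real loop would occur.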

I guess I don’t understand what your question is. You have a valid configuration, and it is working. Microsoft’s support said that you can disregard the alert. What’s the problem?

My concern is, it should not be alerting for a local UDR loop. I don’t want to have any issues down the road.

As long as your firewall is working properly, you won’t have issues with routing.
