Azure Firewall – Hub/Spoke Hybrid Network with Forced Tunnelling

Update – I spoke to Microsoft and they agreed and have updated the documentation to highlight this scenario.

The Azure Firewall is a great option if you want to have a centralised firewall device within your Azure network architecture. I followed the Microsoft documentation to integrate the Azure Firewall into a Hybrid Network consisting of an on-premises network, a centralised Azure Hub Network and an Azure Spoke VNet. However, I was getting connectivity issues to the Azure KMS and the reason was not immediately clear.

You can read that documentation at the following link, https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
It’s quite a detailed step-by-step tutorial, and it does a great job of helping you set up an Azure FW in this scenario. However, as mentioned, when I set everything up and tested activating an Azure VM against the Azure KMS, the connection would fail. I checked all the UDRs created on the GatewaySubnet and Spoke Subnets to route through the Azure FW.

1 – Image supplied – https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps

I was able to confirm that on-premises traffic was routing through the Azure FW, and I created a rule on the firewall to allow the Azure KMS. I even enabled logging on the Azure Firewall and could see that the traffic was being allowed by the Azure FW, but I still could not activate my VMs.

It turns out that when you are considering the Azure FW within your network architecture, you need to decide on its use case as an internet gateway for inbound and outbound traffic. Do you want the Azure FW to be the centralised egress point that Azure VMs can use to reach the internet? If yes, then you need to consider how your hybrid network connectivity to on-premises is configured. It turned out that ExpressRoute was enabled for Forced Tunnelling, so a default route (0.0.0.0/0) was being advertised by BGP to the Hub Network where the Azure FW is located.

What this means is that the Azure FW will route all traffic back on-premises as well, unless you create a UDR that takes precedence over the BGP-learned default route and assign it to the AzureFirewallSubnet. Now in my case, for this network architecture we certainly wanted to use the Azure FW as the centralised internet GW for Azure VMs, so we defined the UDR with a route (0.0.0.0/0 – Next Hop Type – Internet) and assigned it to the AzureFirewallSubnet.

After doing this, the Azure FW is enabled as our Internet Gateway, and the Azure KMS activation succeeds.

The missing step in the documentation is that it assumes that Forced Tunnelling is not enabled, in which case the Azure FW would by default have a default route to the Internet through Azure’s network. However, if Forced Tunnelling is enabled in your ExpressRoute or through UDRs in a VPN configuration, you will need to define a UDR (0.0.0.0/0, Next Hop Type Internet) and assign it to your AzureFirewallSubnet. Obviously, only do this if your goal is to use the Azure FW as the egress point for your internet in Azure. If you still want to continue to force all traffic on-premises and just have the Azure FW as another firewall to secure your spoke VNets, then leave your Forced Tunnelling configuration as is.
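
The UDR described above, written out with Azure PowerShell (Az.Network) as an added example that is not from the original post or the Microsoft tutorial. The resource group, region, VNet and route table names are placeholders, and an authenticated session (Connect-AzAccount) is assumed.

```powershell
#Requires -Modules Az.Network
# Added example. All four names below are placeholders, not values from the post.
$rg       = 'rg-hub'           # hypothetical resource group
$location = 'westeurope'       # hypothetical region
$vnetName = 'vnet-hub'         # hypothetical hub VNet containing AzureFirewallSubnet
$rtName   = 'rt-azfw-egress'   # hypothetical route table name
$ErrorActionPreference = 'Stop'

$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = $vnet.Subnets | Where-Object Name -eq 'AzureFirewallSubnet'
if (-not $subnet) { throw "AzureFirewallSubnet not found in $vnetName" }

# Do not silently replace a route table that is already associated.
if ($subnet.RouteTable) {
    throw "AzureFirewallSubnet already uses $($subnet.RouteTable.Id); add the route there instead."
}

# Route table holding the single default route from the post.
# BGP route propagation is left at its default (enabled), so the firewall
# still learns the on-premises prefixes; only 0.0.0.0/0 is overridden.
$rt = New-AzRouteTable -Name $rtName -ResourceGroupName $rg -Location $location
$rt = $rt |
    Add-AzRouteConfig -Name 'default-to-internet' -AddressPrefix '0.0.0.0/0' -NextHopType Internet |
    Set-AzRouteTable

# Associate the route table with AzureFirewallSubnet and push the change.
$subnet.RouteTable = $rt
$vnet | Set-AzVirtualNetwork | Out-Null

# Read the configuration back and fail loudly if it is not what was intended.
$check = (Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg).Subnets |
    Where-Object Name -eq 'AzureFirewallSubnet'
$route = (Get-AzRouteTable -ResourceGroupName $rg -Name $rtName).Routes |
    Where-Object AddressPrefix -eq '0.0.0.0/0'
if ($check.RouteTable.Id -ne $rt.Id -or $route.NextHopType -ne 'Internet') {
    throw 'AzureFirewallSubnet is not using the 0.0.0.0/0 -> Internet route.'
}
"AzureFirewallSubnet default route: $($route.AddressPrefix) -> $($route.NextHopType)"
```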