Enable Inter-Hub traffic in Azure Virtual WAN through Azure Firewall (Manual)
Since Azure Virtual WAN came out, I've configured multiple Azure Virtual WAN environments. Since September 2023 it is possible to automatically assign firewall routes to all your VPN tunnels. By default, traffic from one VPN tunnel to another VPN tunnel bypasses the firewall. With the new Inter-Hub option you can force VPN-to-VPN traffic to always be routed through the Azure Firewall. So let's set it up.
Before we continue, please keep in mind the following considerations:
- Make sure proper firewall rules are in place so that VPN-to-VPN traffic keeps flowing once it is forced through the firewall.
- You cannot have custom/static routes in your Azure Virtual WAN with this option enabled. Use custom route tables instead where really necessary.
- Make sure that Azure Firewall diagnostic settings are configured to send logs to a Log Analytics workspace, so you can monitor denied traffic.
- During the change, VPN traffic may be interrupted multiple times for a few seconds.
For this manual I've created a test environment with 2 virtual WANs in 2 different subscriptions and a default Azure VPN Gateway in a third subscription. In your Virtual WAN, go to Hubs and click on your Hub (in my case demo).
From the Hub, go to Azure Firewall and Firewall Manager and click on your Hub name again.
In the new blade, go to Security configuration.
From the Inter-Hub drop-down menu, select Enabled.
When ready, click Save. Keep in mind that custom/static routes will be removed; use custom route tables instead on the networks where they are absolutely necessary.
When I performed the change I lost 2 pings over my VPN connections (activation takes around 10-15 minutes), which might be normal behavior for VPN traffic.
After the change has been implemented, review your Azure Firewall log to verify that VPN-to-VPN traffic is now passing through the Azure Firewall.
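As a check for the verification step above (and for the firewall-rule and diagnostics considerations), here is an added Python example that is not part of the original post: it parses network-rule log lines exported from Log Analytics and reports which VPN-to-VPN flows the firewall saw, split by Allow and Deny. The message layout, the sample records and the VPN prefixes are constructed assumptions, not real data from this environment.

```python
import ipaddress
import re
from collections import Counter

# Layout assumed from the Azure Firewall network-rule log text
# ("<proto> request from <src>:<port> to <dst>:<port>. Action: <Allow|Deny> ...");
# adjust the pattern to the columns of your own Log Analytics export.
NETRULE_RE = re.compile(r"^(?P<proto>\w+) request from (?P<src>[\d.]+)(?::\d+)? "
                        r"to (?P<dst>[\d.]+)(?::(?P<dport>\d+))?\. Action: (?P<action>\w+)")

# Constructed sample records, not real firewall output. VPN site A is
# 10.10.0.0/16, VPN site B is 10.20.0.0/16, 172.16.0.0/16 is an Azure spoke.
SAMPLE_LOGS = [
    "TCP request from 10.10.1.4:51234 to 10.20.1.10:443. Action: Allow. Rule Collection: vpn-to-vpn. Rule: allow-https",
    "UDP request from 10.10.1.4:5353 to 10.20.1.10:53. Action: Deny. No rule matched. Proceeding with default action",
    "TCP request from 10.10.1.4:51235 to 172.16.0.5:22. Action: Allow. Rule Collection: vpn-to-azure. Rule: allow-ssh",
    "ICMP request from 10.20.1.10 to 10.10.1.4. Action: Allow. Rule Collection: vpn-to-vpn. Rule: allow-icmp",
    "Unrelated line that is not a network-rule record",
]
VPN_PREFIXES = ["10.10.0.0/16", "10.20.0.0/16"]

def parse_record(line):
    """Return (proto, src, dst, dport, action), or None if the line does not match."""
    m = NETRULE_RE.match(line)
    return None if m is None else (m["proto"], m["src"], m["dst"], m["dport"], m["action"])

def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def vpn_to_vpn_report(lines, vpn_prefixes):
    """Count VPN-to-VPN flows by firewall action and list the denied ones. Before
    Inter-Hub these flows never reach the firewall; Deny entries are the rules still missing."""
    nets = [ipaddress.ip_network(p) for p in vpn_prefixes]
    counts, denied = Counter(), []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # not a network-rule record
        proto, src, dst, dport, action = rec
        if in_any(src, nets) and in_any(dst, nets):
            counts[action] += 1
            if action == "Deny":
                denied.append((proto, src, dst, dport))
    return counts, denied

if __name__ == "__main__":
    counts, denied = vpn_to_vpn_report(SAMPLE_LOGS, VPN_PREFIXES)
    print("VPN-to-VPN flows by action:", dict(counts), "denied (rules to add):", denied)
```

If no VPN-to-VPN flows show up at all after the 10-15 minute activation window, the routing change has not taken effect yet; the Deny entries list the flows that still need a rule from the first consideration above.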
More information on the Microsoft website:
How to configure Virtual WAN Hub routing policies – Azure Virtual WAN | Microsoft Learn