Hello, Thanks a lot for your video. I have a question: I have all my VNets associated with the default RTB and propagated to none. Similarly, I have my branches associated with the default RTB and propagated to none. On my default RTB, I have the RFC1918 with the next hop set to the firewall. You mentioned that the flow will work based on the “logic of the platform.” Could you please elaborate on this? I have designed this architecture to ensure that all traffic passes through my firewall. Thanks for your time!
I'm not sure about elaborating on that, I forget what I implied, but I can tell you that the logic you describe will result in all traffic going through the FW.
@@AdamStuart1 Thank you very much for your response. Yes, I confirm that the traffic is passing through the firewall. What bothers me is that it is not possible in this case to access the firewall’s routing table to be sure. (I have already opened several tickets with Azure without success). My model assures me that all traffic passes through the firewall, but I do not have direct access to the routing table. I gain in security but lose in visibility… What a shame! I could propagate both the branches and the VNets into another routing table and not associate it with anyone, but I don’t like making such big changes to my production environment.
@@MrDiaporama Think of it like this. The VNets don't know about anything other than the RFC1918 summary routes; you can see this in the effective routes of a VM. So they send all traffic to the only next hop they know, the AZFW. From branches, traffic enters your Hub via the VNG, which behind the scenes is programmed with logic to route all traffic to the AZFW rather than using VNet peering. Of course you can just block/allow traffic in AZFW, or check its logs, to verify it's in the dataplane.
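To make the association/propagation logic above concrete, here is an added Python model (not code from the video or from Azure) of a Virtual WAN hub: each connection reads from the route table it is associated with and writes its prefixes into the tables it propagates to. The route table name "Default", the firewall label "AzureFirewall" and the spoke/branch prefixes are constructed; the model is simplified (no 0.0.0.0/0, no route priorities) and is only meant to show why "propagate to none" keeps every flow on the firewall.

```python
import ipaddress

# Constructed model of Virtual WAN hub routing: each connection (VNet or branch)
# is ASSOCIATED with one route table (it reads routes from it) and PROPAGATES its
# prefixes into zero or more route tables (it writes routes into them).
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
FIREWALL = "AzureFirewall"  # constructed label for the hub's Azure Firewall next hop

def effective_routes(connections, static_routes):
    """Return {connection: [(prefix, next_hop), ...]} as each connection sees it.
    connections: {name: {"prefixes": [...], "assoc": rt, "propagate": [rt, ...]}}
    static_routes: {rt: [(prefix, next_hop), ...]} configured on each route table"""
    learned = {rt: [] for rt in static_routes}
    for name, cfg in connections.items():
        for rt in cfg["propagate"]:  # propagated prefixes point back at the connection
            learned[rt] += [(p, name) for p in cfg["prefixes"]]
    return {name: static_routes[cfg["assoc"]] + learned[cfg["assoc"]]
            for name, cfg in connections.items()}

def next_hop(routes, dst):
    """Longest-prefix match over a connection's effective routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def scenario(propagate_to):
    """Two spokes and a branch, all associated with Default, propagating to `propagate_to`."""
    conns = {
        "spoke-a": {"prefixes": ["10.1.0.0/16"], "assoc": "Default", "propagate": propagate_to},
        "spoke-b": {"prefixes": ["10.2.0.0/16"], "assoc": "Default", "propagate": propagate_to},
        "branch":  {"prefixes": ["192.168.10.0/24"], "assoc": "Default", "propagate": propagate_to},
    }
    static = {"Default": [(p, FIREWALL) for p in RFC1918]}  # RFC1918 -> firewall
    return effective_routes(conns, static)

def all_via_firewall(routes_by_conn, samples):
    """True when every sample destination resolves to the firewall from every connection."""
    return all(next_hop(r, d) == FIREWALL for r in routes_by_conn.values() for d in samples)

if __name__ == "__main__":
    targets = ["10.2.0.5", "192.168.10.7", "10.1.0.9"]
    print("propagate to none :", all_via_firewall(scenario([]), targets))          # True
    print("propagate Default :", all_via_firewall(scenario(["Default"]), targets))  # False
    print(next_hop(scenario(["Default"])["spoke-a"], "10.2.0.5"))  # spoke-b: more specific /16 bypasses the FW
```

The second scenario shows the failure mode: once spokes propagate their own /16 prefixes into Default, the longest-prefix match prefers the direct route over the RFC1918 summary and the firewall is skipped.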
The explanation is simple enough but insightful. Thanks! This is a lifesaver.
@@AdamStuart1 Thanks a lot for your time and your answer, Adam!
Thank you for the great explanation. Is it possible to convert back from Secure-vHub to Non-Secure-vHub if required?
Yes, you can remove the Firewall.