You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/firewall/firewall-multi-hub-spoke.md
+11-12Lines changed: 11 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,45 +5,44 @@ services: firewall
5
5
author: duongau
6
6
ms.service: azure-firewall
7
7
ms.topic: concept-article
8
-
ms.date: 05/30/2023
8
+
ms.date: 03/17/2025
9
9
ms.author: maroja
10
10
---
11
11
12
12
# Use Azure Firewall to route a multi hub and spoke topology
13
13
14
-
The hub and spoke topology is a common network architecture pattern in Azure. The hub is a virtual network (VNet) in Azure that acts as a central point of connectivity to your on-premises network. The spokes are VNets that peer with the hub, and can be used to isolate workloads. The hub can be used to isolate and secure traffic between spokes. The hub can also be used to route traffic between spokes. The hub can be used to route traffic between spokes using various methods.
14
+
The hub and spoke topology is a common network architecture pattern in Azure. In this setup, the hub is a virtual network (VNet) that serves as a central point of connectivity to your on-premises network. The spokes are VNets that peer with the hub and can be used to isolate workloads. The hub can secure and route traffic between spokesusing various methods.
15
15
16
-
For example, you can use Azure Route Server with dynamic routing and network virtual appliances (NVAs) to route traffic between spokes. This can be a fairly complex deployment. A less complex method uses Azure Firewall and static routes to route traffic between spokes.
16
+
For instance, you can use Azure Route Server with dynamic routing and network virtual appliances (NVAs) to route traffic between spokes, though this can be complex. A simpler method involves using Azure Firewall and static routes.
17
17
18
-
This article shows you how you can use Azure Firewall with static userdefined routes (UDRs) to route a multi hub and spoke topology. The following diagram shows the topology:
18
+
This article demonstrates how to use Azure Firewall with static user-defined routes (UDRs) to route traffic in a multi hub and spoke topology. The following diagram illustrates the topology:
Azure Firewall secures and inspects network traffic, but it also routes traffic between VNets. It's a managed resource that automatically creates [system routes](../virtual-network/virtual-networks-udr-overview.md#system-routes) to the local spokes, hub, and the on-premises prefixes learned by its local Virtual Network Gateway. Placing an NVA on the hub and querying the effective routes would result in a route table that resembles what is found within the Azure Firewall.
24
+
Azure Firewall not only secures and inspects network traffic but also routes traffic between VNets. Itautomatically creates [system routes](../virtual-network/virtual-networks-udr-overview.md#system-routes) to local spokes, the hub, and on-premises prefixes learned by its local Virtual Network Gateway. Placing an NVA on the hub and querying the effective routes would show a route table similar to that within Azure Firewall.
26
25
27
-
Since this is a static routing architecture, the shortest path to another hub can be done by using global VNet peering between the hubs. So the hubs know about each other, and each local firewall contains the route table of each directly connected hub. However, the local hubs only know about their local spokes. Additionally, these hubs can be in the same region or a different region.
26
+
In this static routing architecture, the shortest path to another hub is achieved using global VNet peering between hubs. Each hub knows about the other hubs, and each local firewall contains the route table of each directly connected hub. However, local hubs only know about their local spokes. These hubs can be in the same or different regions.
28
27
29
28
## Routing on the firewall subnet
30
29
31
-
Each local firewall needs to know how to reach the other remote spokes, so you must create UDRs in the firewall subnets. To do this, you first need to create a default route of any type, which then allows you to create more specific routes to the other spokes. For example, the following screenshots show the route table for the two hub VNets:
30
+
Each local firewall needs to know how to reach remote spokes, so you must create UDRs in the firewall subnets. Start by creating a default route, then add more specific routes to the other spokes. The following screenshots show the route tables for the two hub VNets:
32
31
33
32
> [!NOTE]
34
-
> The address prefix in the hub virtual route table should encompass the two spoke virtual network address spaces.
33
+
> The address prefix in the hub virtual route table should encompass the address spaces of the two spoke virtual networks.
35
34
36
35
**Hub-01 route table**
37
36
:::image type="content" source="media/firewall-multi-hub-spoke/hub-01-route-table.png" alt-text="Screenshot showing the route table for Hub-01.":::
38
37
39
38
**Hub-02 route table**
40
-
:::image type="content" source="media/firewall-multi-hub-spoke/hub-02-route-table.png" alt-text="Screenshot showing the route table for Hub-02.":::
39
+
:::image type="content" source="media/firewall-multi-hub-spoke/hub-02-route-table.png" alt-text="Screenshot showing the route table for Hub-02.":::
41
40
42
41
## Routing on the spoke subnets
43
42
44
-
The benefit of implementing this topology is that with traffic going from one hub to another, you can reach the next hop that is directly connected via the global peering.
43
+
This topology allows traffic to move from one hub to another, reaching the next hop directly connected via global peering.
45
44
46
-
As illustrated in the diagram, it's better to place a UDR in the spoke subnets that have a 0/0 route (default gateway) with the local firewall as the next hop. This locks in the single next hop exit point as the local firewall. It also reduces the risk of asymmetric routing if it learns more specific prefixes from your on-premises environment that might cause the traffic to bypass the firewall. For more information, see [Don’t let your Azure Routes bite you](https://blog.cloudtrooper.net/2020/11/28/dont-let-your-azure-routes-bite-you/).
45
+
As shown in the diagram, it's best to place a UDR in the spoke subnets with a 0/0 route (default gateway) pointing to the local firewall as the next hop. This ensures a single exit point through the local firewall and reduces the risk of asymmetric routing if more specific prefixes from your on-premises environment cause traffic to bypass the firewall. For more information, see [Don’t let your Azure Routes bite you](https://blog.cloudtrooper.net/2020/11/28/dont-let-your-azure-routes-bite-you/).
47
46
48
47
Here's an example route table for the spoke subnets connected to Hub-01:
0 commit comments