Hello everyone,
I'm working on a Hub & Spoke network setup where we have around 90 spokes connected to a central hub. The configuration currently uses Azure Firewall for all outbound Internet traffic, mostly with simple FQDN filtering, and in some cases, no filtering at all.
We've decided to enhance our external traffic inspection and introduce URL filtering through ZScaler Cloud Connector VMs. To do this, we plan to create a new subnet in the hub that will house the Load Balancer and ZScaler VMs.
The plan is to set up a new route table directed at ZScaler for the Azure Firewall, but this raises a concern: if I apply this route table, all of the spokes will redirect their Internet traffic to ZScaler, which might not be ideal as I want to test this new setup gradually.
Is there a more efficient way to transition the traffic from Azure Firewall to ZScaler on a per-spoke basis? That way, I can experiment with a small group of spokes before implementing the change across the board.
2 Answers
Instead of changing the default route for all spokes, why not just replicate your current route table but point the default route for certain spokes to your ZScaler IP? You can then associate this new route table with the specific spokes that you want to test, leaving the others unchanged.
You might want to consider setting up a new hub alongside your existing one. That way, you can gradually shift the route table over to the new hub without disrupting all spokes at once. It does require some additional setup, including deploying a new Azure Firewall and re-establishing peer connections, though.
That sounds like a major investment of time and resources. I’d be concerned about the costs since you need to recreate all that infrastructure.
The default route should stay pointing to Azure Firewall. The idea is for Azure Firewall to work with ZScaler upstream, using it only for specific spokes.