I'm working with a standard Azure Virtual WAN setup that includes the built-in Azure firewall and connects several spokes to a hub, as well as an on-premises connection via a third-party VPN. Everything's functioning smoothly, but we're facing high costs from traffic passing through the firewall for our Azure SQL database backups using Commvault. Is there a way to route the traffic directly from our on-premises setup to the spokes without going through the Azure firewall, specifically for the Commvault server? I want the traffic direction to be on-premises -> hub -> spoke instead of on-premises -> hub -> firewall -> spoke.
4 Answers
If you decide to go ahead with bypassing the firewall, I'd suggest a 'lock and key' method. You could set up your SQL server to allow public access solely from your company's IP address, perform the backup, then disable public access immediately. This can all be scripted using Azure CLI or PowerShell, and we apply similar practices for data migrations between AWS and Azure.
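As an added illustration of the 'lock and key' approach described in this answer (this is example code, not the poster's script): it uses the Az.Sql PowerShell module, treats the resource group, server name, allowed IP and rule name as placeholders, and takes the Commvault trigger as a hypothetical `$BackupAction` script block, so that the firewall rule is removed and the previous public-access setting restored even when the backup fails or is cancelled.

```powershell
# Added example (not from the thread): time-boxed public access to an Azure SQL
# logical server for a single source IP. All names are placeholders.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # e.g. rg-sql-prod (placeholder)
    [Parameter(Mandatory)] [string] $ServerName,          # logical server name, no DNS suffix
    [Parameter(Mandatory)] [string] $AllowedIp,           # egress IP of the Commvault server
    [Parameter(Mandatory)] [scriptblock] $BackupAction,   # hypothetical hook that starts the backup job
    [string] $RuleName = 'commvault-backup-window'
)

$ErrorActionPreference = 'Stop'

# Record the current public-network setting so it can be restored exactly as it was.
$server = Get-AzSqlServer -ResourceGroupName $ResourceGroupName -ServerName $ServerName
$previousAccess = $server.PublicNetworkAccess

try {
    # Unlock: enable public network access and permit exactly one address (start = end).
    Set-AzSqlServer -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
        -PublicNetworkAccess 'Enabled' | Out-Null
    New-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
        -FirewallRuleName $RuleName -StartIpAddress $AllowedIp -EndIpAddress $AllowedIp | Out-Null
    Write-Host "Opened $ServerName to $AllowedIp at $(Get-Date -Format o)"

    # Run the backup while the window is open.
    & $BackupAction
}
finally {
    # Lock: this block runs even if the backup throws or the operator presses Ctrl+C.
    Remove-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
        -FirewallRuleName $RuleName -Force -ErrorAction SilentlyContinue | Out-Null
    Set-AzSqlServer -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
        -PublicNetworkAccess $previousAccess | Out-Null

    # Verify the window is really closed: the rule must be gone.
    $leftover = Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName |
        Where-Object { $_.FirewallRuleName -eq $RuleName }
    if ($leftover) { throw "Firewall rule '$RuleName' is still present on $ServerName" }
    Write-Host "Closed $ServerName at $(Get-Date -Format o); PublicNetworkAccess=$previousAccess"
}
```

The two timestamped lines give a defender an audit trail of exactly how long the server was reachable from outside the hub.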
In my opinion, you should carefully consider the implications of bypassing the firewall without approval from your infosec team. If backing up Azure SQL databases is a priority, have you looked into Azure's built-in backup solutions? They can offer geo-redundant options and might save you both hassle and costs.
There are definitely methods to bypass the Azure firewall, though they usually require express routes. I'm not entirely sure if express routes apply to Virtual WAN setups, but it could be worth checking out the Microsoft documentation on FastPath for ExpressRoute, as it might offer a solution for your scenario.
Unfortunately, if you're using routing intent and policies for private traffic, you can't bypass the Azure firewall. However, if you manage route tables manually, you might have more flexibility. You'd need to ensure the vNet address space is advertised directly to your connections, but keep in mind it would be an all-or-nothing scenario. You would have to exclude all of the vNet and on-premises range from the traffic flow, which involves creating and updating route tables and connection propagation settings to adapt.