I'm new to Azure Cloud and still getting the hang of the basics. I want to ensure I understand how to route traffic from my on-premises network to virtual machines (VMs) that are running in Azure, particularly when using a Palo Alto or Cisco firewall that's established a tunnel for this traffic. For instance, can someone clarify what the next hop IP address should be to reach the internal cloud VMs? How do VMs across different virtual networks within Azure communicate with the firewall that connects to my on-prem network? Let's say my firewall's internal interface is set to 10.0.0.1/24, and I have an Azure service like a load balancer at 172.16.1.10/24. What's the route I should configure to connect it all? Is there something in Azure I should point to in order to connect to the 10.0.0.0/24 subnet, or do I need to set up additional interfaces like in traditional networks with firewalls, routers, and switches?
2 Answers
You'll need an Azure route table to direct traffic to your firewall. Create the route table and establish routes that lead to the firewall's IP address; this could also apply if you're using a load balancer positioned in front of multiple firewalls. After that, just associate the route table with the relevant subnets.
To ensure that your Azure resources can reach your on-prem resources, you'll need to create a User Defined Route (UDR) in Azure. Set it up on a route table by specifying your on-premises IP range, like 172.16.1.0/24, and configure the next hop to the private IP of your Palo Alto firewall in Azure. Essentially, you're telling Azure, "If you're trying to access anything on the 172.16.1.0/24 range, go through the Palo Alto firewall first." Don't forget to apply this route table to any subnet that requires access. If your VMs are in different virtual networks (VNets) from your Palo, you will have to peer those VNets too. It's also a good idea to follow a hub-and-spoke model where your Palo VNet acts as the hub.
Thanks for clarifying! Is there a separate route table for each VM host, or can there be just one main route table for the whole Azure setup? If I decide to utilize a load balancer, would those route tables point towards the LB? Also, does the firewall need to point to the load balancer's IP to reach the hosts? How does the internal interface of the firewall fit in? Does it need to be on the same subnet as the LB IP?
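The steps in the second answer (route table with a UDR, next hop at the firewall's private IP, peering, hub-and-spoke) in deployable form. This is an added example, not code from either answerer. Everything in it is assumed for illustration: a hub VNet 10.0.0.0/16 whose trust subnet is 10.0.0.0/24, the Palo Alto trust NIC at 10.0.0.4 (Azure reserves the first four and the last address of every subnet, so the question's 10.0.0.1 cannot be a VM address; .1 is the subnet's default gateway), a spoke VNet 10.1.0.0/16 with a workload subnet 10.1.1.0/24, and the 172.16.1.0/24 on-premises range that the answer uses. Resource names and the API version are also assumptions.

```bicep
// Added example, not from the original post. All addresses and names are assumed.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param paloTrustIp string = '10.0.0.4'      // assumed: Palo Alto trust-side NIC
param onPremPrefix string = '172.16.1.0/24' // on-prem range from the answer

// Hub VNet that hosts the firewall.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      { name: 'snet-trust', properties: { addressPrefix: '10.0.0.0/24' } }
    ]
  }
}

// The firewall's trust NIC must have IP forwarding enabled; otherwise Azure drops
// packets whose destination is not the NIC's own address.
resource paloTrustNic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'nic-palo-trust'
  location: location
  properties: {
    enableIPForwarding: true
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          privateIPAllocationMethod: 'Static'
          privateIPAddress: paloTrustIp
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnet.name, 'snet-trust') }
        }
      }
    ]
  }
}

// Route table: "anything for 172.16.1.0/24 goes through the Palo first".
resource rtSpoke 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-to-onprem'
  location: location
  properties: {
    // If the hub later gets an Azure VPN/ExpressRoute gateway, stop its BGP-learned
    // routes from being pushed to this subnet and bypassing the firewall.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'to-onprem-via-palo'
        properties: {
          addressPrefix: onPremPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: paloTrustIp
        }
      }
    ]
  }
}

// Spoke VNet; the route table is attached to the subnet, not to individual VMs.
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-spoke1'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    subnets: [
      {
        name: 'snet-workload'
        properties: {
          addressPrefix: '10.1.1.0/24'
          routeTable: { id: rtSpoke.id }
        }
      }
    ]
  }
}

// Peering in both directions. allowForwardedTraffic is what lets packets the
// firewall forwards (source IP outside the hub) cross the peering link.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spokeVnet
  name: 'spoke1-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
  }
}

resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: hubVnet
  name: 'hub-to-spoke1'
  properties: {
    remoteVirtualNetwork: { id: spokeVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
  }
}
```

Two checks worth doing after deploying something like this: open the workload VM's NIC in the portal and look at "Effective routes", where the 172.16.1.0/24 entry should show next hop type VirtualAppliance with the Palo's IP; and on the Palo itself, add a static route for the spoke ranges (10.1.0.0/16 here) pointing at the trust subnet's default gateway, 10.0.0.1, or return traffic never leaves the firewall. On the follow-up question: a route table is associated with subnets, never with individual VMs, so one table can be attached to every spoke subnet that needs the same policy; if several firewalls sit behind an internal load balancer, the route's nextHopIpAddress becomes the load balancer's frontend IP instead of a single NIC, with the firewalls as its backend pool.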