Disclaimer: This post is for saving you some trouble, not a how-to.
To create a secure (and compliant) hybrid cloud infrastructure, enterprises often extend their network infrastructure to the cloud. This is often done by installing a firewall appliance in a Virtual Network (vnet) and routing all traffic through that appliance. You can read all about it here.
To route all your traffic through your appliance in public Azure you’ll use a User Defined Route (UDR) rule that looks like:
0.0.0.0/0 –> IP of the firewall appliance
Unfortunately, as of today, this is not working on a vnet on Azure Stack version 1811. I expect this will be resolved in a future release. We will contact the PG at Microsoft to hear what they think.
BUT, there is a workaround to make it work. When we searched the interwebs for a solution it was mentioned somewhere (sorry, I can’t remember where) that the 0/0 subnet is too big… Luckily we have some creative network engineers on the team, shout-out to Ørnulf and Stefan, who said “Let’s divide 0/0 in two then…”.
We removed the 0.0.0.0/0 rule and added the following rules:
0.0.0.0/1 –> IP of the firewall appliance
128.0.0.0/1 –> IP of the firewall appliance
We were happy to find out it worked! All traffic was routed through the appliance. One must love binary, right?
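To show why the two /1 routes are equivalent to a single 0.0.0.0/0 route, here is an added Python example (not from the original post, and not Microsoft's tooling). It splits the default route into halves with the standard `ipaddress` module, checks that a set of prefixes really covers all of IPv4 with no gap, builds the corresponding route entries in the shape an ARM template's `Microsoft.Network/routeTables` resource expects, and does a longest-prefix lookup the way Azure selects an effective route. The vnet prefix and firewall address are constructed sample values, not addresses from the post.

```python
import ipaddress
import json

# Constructed sample values (assumptions for this example, not from the post).
VNET_PREFIX = "10.10.0.0/16"
FIREWALL_IP = "10.10.1.4"


def split_default_route(bits=1):
    """Split 0.0.0.0/0 into 2**bits equal pieces; bits=1 gives the two /1 routes."""
    default = ipaddress.ip_network("0.0.0.0/0")
    return [str(n) for n in default.subnets(new_prefix=bits)]


def is_full_coverage(prefixes):
    """True when the prefixes together cover every IPv4 address.

    collapse_addresses() merges adjacent sibling networks, so a complete set
    (e.g. 0.0.0.0/1 + 128.0.0.0/1) collapses back to exactly 0.0.0.0/0.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]


def build_routes(prefixes, next_hop_ip):
    """Route entries in ARM-template shape, one per prefix, all pointing at the appliance."""
    return [
        {
            "name": f"to-firewall-{i}",
            "properties": {
                "addressPrefix": p,
                "nextHopType": "VirtualAppliance",
                "nextHopIpAddress": next_hop_ip,
            },
        }
        for i, p in enumerate(prefixes)
    ]


def route_table_resource(routes, name="rt-udr-split"):
    """A minimal Microsoft.Network/routeTables resource body as a JSON string."""
    resource = {
        "type": "Microsoft.Network/routeTables",
        "apiVersion": "2018-11-01",  # assumption: use the API version your stamp supports
        "name": name,
        "location": "[resourceGroup().location]",
        "properties": {"routes": routes},
    }
    return json.dumps(resource, indent=2)


def effective_routes():
    """(prefix, next hop) pairs: the system route for the vnet plus the two UDRs."""
    routes = [(VNET_PREFIX, "VirtualNetwork")]
    routes += [(p, FIREWALL_IP) for p in split_default_route()]
    return routes


def select_route(destination, routes):
    """Longest-prefix match over (prefix, next hop) pairs, as Azure picks an effective route."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else (str(best[0]), best[1])


if __name__ == "__main__":
    halves = split_default_route()
    print("routes:", halves, "full coverage:", is_full_coverage(halves))
    print(route_table_resource(build_routes(halves, FIREWALL_IP)))
    for dst in ("10.10.2.7", "8.8.8.8", "200.1.2.3"):
        print(dst, "->", select_route(dst, effective_routes()))
```

The lookup shows the property that matters for the workaround: vnet-local traffic still matches the more specific system route, while every other destination falls into exactly one of the two /1 routes, so nothing escapes the appliance. Running `is_full_coverage` on a proposed route list before deploying it is a cheap way to catch a gap if the split is ever changed (for example to four /2 routes).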
![](https://azurestack.blog/wp-content/uploads/2019/03/udrtracert1.png)
You can see the first hop is using the .1 address of the vnet, hops 2 and 3 are the firewalls the traffic is routed through and the rest is on the digital highway. I removed some IP addresses for security reasons.
I hope this post can help you save some time. Let me know if you have any feedback.