Azure Stack User Defined Routes and your firewall appliance

Disclaimer: This post is for saving you some trouble, not a how-to.

To create a secure (and compliant) hybrid cloud infrastructure, enterprises often extend their network infrastructure to the cloud. This is often done by installing a firewall appliance in a Virtual Network (vnet) and routing all traffic through that appliance. You can read all about it here.

To route all your traffic through your appliance in public Azure you’ll use a User Defined Route (UDR) rule that looks like: – – > IP of the firewall appliance

Unfortunately, as of today, this is not working on a vnet on Azure Stack version 1811. I expect this will be resolved in a future release. We will contact the PG at Microsoft to hear what they think.

BUT, there is a workaround to make it work. When we searched the interwebs for a solution it was mentioned somewhere (sorry, I can’t remember where) that the 0/0 subnet is too big… Lucky to have some creative network engineers on the team, shout-out to Ørnulf and Stefan, who said “Let’s divide 0/0 in two then…”.

We removed the rule and added the following rules: –> IP of the firewall appliance –> IP of the firewall appliance

We were happy to find out it worked! All traffic was routed through the appliance. One must love binary, right?
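The split described above, worked through as an added example (not code from the original post): the two halves of `0.0.0.0/0` are `0.0.0.0/1` and `128.0.0.0/1`, and the check below confirms that together they leave no IPv4 range that bypasses the appliance. The appliance address `10.0.1.4`, the route-table shape and the function names are assumptions made for the illustration.

```python
import ipaddress

FIREWALL_IP = "10.0.1.4"  # constructed sample; the post does not give the appliance IP

def split_in_two(prefix):
    """Return the two halves of a prefix as strings."""
    net = ipaddress.ip_network(prefix)
    return [str(half) for half in net.subnets(prefixlen_diff=1)]

def build_udr(prefixes, next_hop):
    """Hypothetical in-memory route table: one entry per address prefix."""
    return [{"prefix": p, "next_hop": next_hop} for p in prefixes]

def select_next_hop(dest, routes):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dest)
    nets = [(ipaddress.ip_network(r["prefix"]), r["next_hop"]) for r in routes]
    matches = [(n.prefixlen, hop) for n, hop in nets if addr in n]
    return max(matches)[1] if matches else None

def uncovered_by(routes, next_hop):
    """IPv4 ranges not covered by any route via next_hop ([] = nothing bypasses it)."""
    gaps = [ipaddress.ip_network("0.0.0.0/0")]
    for r in routes:
        if r["next_hop"] != next_hop:
            continue
        net = ipaddress.ip_network(r["prefix"])
        remaining = []
        for gap in gaps:
            if gap.subnet_of(net):
                continue                                    # gap fully covered
            if net.subnet_of(gap):
                remaining.extend(gap.address_exclude(net))  # carve route out of gap
            else:
                remaining.append(gap)                       # disjoint, gap unchanged
        gaps = remaining
    return [str(g) for g in sorted(gaps)]

if __name__ == "__main__":
    halves = split_in_two("0.0.0.0/0")
    udr = build_udr(halves, FIREWALL_IP)
    system_default = {"prefix": "0.0.0.0/0", "next_hop": "Internet"}  # constructed
    print(halves)
    print(uncovered_by(udr, FIREWALL_IP))      # full table: no gaps
    print(uncovered_by(udr[:1], FIREWALL_IP))  # one rule missing: half the space bypasses
    print(select_next_hop("198.51.100.7", udr + [system_default]))
```

Running the same coverage check against an exported route table is a quick way to confirm that a missing or mistyped half has not left part of the address space unfiltered.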

Traceroute after adjusting the UDR table.

You can see the first hop is using the .1 address of the vnet; hops 2 and 3 are the firewalls the traffic is routed through, and the rest is on the digital highway. I removed some IP addresses for security reasons.

I hope this post can help you save some time. Let me know if you have any feedback.
