Azure UDR Tips: Securing Azure Firewall's Direct Internet Access Amidst BGP Routes

Photo by Phil Huang @ Redmond, Washington, USA

This is a true story about an 8-hour downtime incident caused by not writing a UDR.

TL;DR

Azure Firewall MUST have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity.

Source: Azure Firewall FAQ (FAQ for Azure Firewall, a managed, cloud-based network security service that protects your Azure Virtual Network resources).


How Azure selects a route

Azure first picks the route with the longest matching prefix. If multiple routes contain the same address prefix (e.g. 0.0.0.0/0), Azure selects among them by route type in the following priority order:

  1. User-defined route (UDR)
  2. BGP route
  3. System default route

By default, with no route table attached and no BGP-learned default, the System default route 0.0.0.0/0 with next hop Internet handles all traffic that matches nothing more specific. This is also what gives Azure Firewall its direct Internet path: it is what lets the firewall SNAT outbound traffic to its public IP and accept DNAT'd inbound traffic from the Internet.
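To make the selection rule concrete, here is an added PowerShell example (not code from the original post) that models how Azure picks the effective route for a destination seen from AzureFirewallSubnet: longest prefix match first, then User > BGP > System default on a tie. The route objects are constructed to mirror the three tables in this post; the on-premises prefix 10.0.0.0/8, the next hop placeholder x.x.x.x and the test destinations are assumptions.

```powershell
# Added example, not from the original post. Models Azure's effective-route
# selection so the three route tables in the post can be compared offline.

function ConvertTo-Int64Ip {
    param([string]$Ip)
    # Big-endian octets -> integer, independent of host endianness.
    $value = [int64]0
    foreach ($octet in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) {
        $value = $value * 256 + [int64]$octet
    }
    return $value
}

function Test-IpInPrefix {
    param([string]$Ip, [string]$Prefix)
    $network, $length = $Prefix.Split('/')
    $length = [int]$length
    # 2^32 - 2^(32-length) has the top $length bits set; a /0 yields mask 0 (matches everything).
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $length))
    return ((ConvertTo-Int64Ip $Ip) -band $mask) -eq ((ConvertTo-Int64Ip $network) -band $mask)
}

function Get-EffectiveRoute {
    param([string]$Destination, [object[]]$Routes)
    # 1) keep only routes whose prefix covers the destination
    # 2) longest prefix wins
    # 3) on equal prefix length: User (UDR) beats BGP beats Default (system)
    $Routes |
        Where-Object { Test-IpInPrefix -Ip $Destination -Prefix $_.AddressPrefix } |
        Sort-Object -Property @{ Expression = { [int]($_.AddressPrefix.Split('/')[1]) }; Descending = $true },
                              @{ Expression = { switch ($_.Source) { 'User' { 0 } 'BGP' { 1 } default { 2 } } } } |
        Select-Object -First 1
}

# Constructed route entries mirroring the post's tables (x.x.x.x and 10.0.0.0/8 are placeholders).
$systemDefault = [pscustomobject]@{ Source = 'Default'; AddressPrefix = '0.0.0.0/0';  NextHopType = 'Internet';              NextHop = '-' }
$bgpDefault    = [pscustomobject]@{ Source = 'BGP';     AddressPrefix = '0.0.0.0/0';  NextHopType = 'VirtualNetworkGateway'; NextHop = 'x.x.x.x' }
$bgpOnPrem     = [pscustomobject]@{ Source = 'BGP';     AddressPrefix = '10.0.0.0/8'; NextHopType = 'VirtualNetworkGateway'; NextHop = 'x.x.x.x' }
$udrInternet   = [pscustomobject]@{ Source = 'User';    AddressPrefix = '0.0.0.0/0';  NextHopType = 'Internet';              NextHop = '-' }

function Show-FirewallDefaultPath {
    param([string]$Scenario, [object[]]$Routes)
    # 203.0.113.10 (documentation range) stands in for "any Internet destination",
    # e.g. the firewall's own control-plane endpoints.
    $r = Get-EffectiveRoute -Destination '203.0.113.10' -Routes $Routes
    $status = if ($r.NextHopType -eq 'Internet') { 'OK  ' } else { 'FAIL' }
    '{0} {1,-18} -> {2,-7} {3,-11} next hop {4}' -f $status, $Scenario, $r.Source, $r.AddressPrefix, $r.NextHopType
}

Show-FirewallDefaultPath -Scenario 'Default table'   -Routes @($systemDefault)
Show-FirewallDefaultPath -Scenario 'Incorrect table' -Routes @($systemDefault, $bgpDefault, $bgpOnPrem)
Show-FirewallDefaultPath -Scenario 'Correct table'   -Routes @($systemDefault, $bgpDefault, $bgpOnPrem, $udrInternet)

# Longest prefix match runs before type priority: with the UDR in place, an
# on-premises destination still takes the more specific BGP route to the gateway.
$onPrem = Get-EffectiveRoute -Destination '10.20.30.40' -Routes @($systemDefault, $bgpDefault, $bgpOnPrem, $udrInternet)
'on-prem 10.20.30.40 -> {0} {1} next hop {2}' -f $onPrem.Source, $onPrem.AddressPrefix, $onPrem.NextHopType
```

The second scenario is the incident: the BGP-learned 0.0.0.0/0 outranks the system default, so every Internet-bound packet from the firewall subnet is sent to the gateway. The third scenario shows the UDR reclaiming the default, and the last line shows why a 0.0.0.0/0 UDR is safe to add: it only affects destinations that match nothing more specific, so BGP-propagated on-premises prefixes still route through the gateway.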

Default Route Table

Subnet Name         | Priority Type        | Address prefix | Next hop type | Next hop IP address
AzureFirewallSubnet | System default route | 0.0.0.0/0      | Internet      | -

Propagate gateway routes: Yes

Incident: Azure Firewall Control Plane Degraded

If your Virtual Network Gateway learns 0.0.0.0/0 over BGP and propagates it into AzureFirewallSubnet, that BGP route outranks the System default route. The firewall's Internet-bound traffic, including its own management traffic, is then sent to the gateway instead of directly to the Internet, and the Azure Firewall control plane degrades.

Incorrect Route Table

Subnet Name         | Priority Type | Address prefix | Next hop type           | Next hop IP address
AzureFirewallSubnet | BGP route     | 0.0.0.0/0      | Virtual Network Gateway | x.x.x.x

Propagate gateway routes: Yes

Because Azure Firewall MUST have direct Internet connectivity, you should make sure the effective next hop type for 0.0.0.0/0 on AzureFirewallSubnet is Internet. (If you genuinely need to send the firewall's data-plane default route to on-premises, that is the separate forced tunneling deployment, which requires a dedicated AzureFirewallManagementSubnet with its own 0.0.0.0/0 Internet route; it is not the scenario described here.)

Fixed: Set up UDR for AzureFirewallSubnet

At this point, we use the fact that a UDR has the highest priority: a 0.0.0.0/0 UDR with next hop Internet on AzureFirewallSubnet ensures the firewall stays directly connected to the Internet and is not affected by the BGP-propagated default route. Gateway route propagation can stay enabled on the route table, since the UDR only overrides the default route and more specific on-premises prefixes still reach the gateway.

Correct Route Table

Subnet Name         | Priority Type            | Address prefix | Next hop type | Next hop IP address
AzureFirewallSubnet | User-defined route (UDR) | 0.0.0.0/0      | Internet      | -

Propagate gateway routes: Yes
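The correct route table above, created and attached to AzureFirewallSubnet with Az PowerShell, as an added example that is not the post's own steps. The resource group, VNet, location and route table names are assumptions; the cmdlets and parameters are the standard Az.Network ones.

```powershell
# Added example, not from the original post. Requires the Az.Network module and
# an authenticated session (Connect-AzAccount). Names below are placeholders.
$rg     = 'rg-hub'            # assumed resource group
$vnet   = 'vnet-hub'          # assumed hub VNet containing AzureFirewallSubnet
$loc    = 'westus2'           # assumed region
$rtName = 'rt-azfw-internet'  # assumed route table name

# 1. Create the route table. BGP route propagation is left enabled (the default,
#    i.e. -DisableBgpRoutePropagation not set), matching "Propagate gateway routes: Yes".
$rt = New-AzRouteTable -Name $rtName -ResourceGroupName $rg -Location $loc

# 2. Add the UDR: 0.0.0.0/0 -> Internet. As a User route it outranks the
#    BGP-learned default for the same prefix.
$rt | Add-AzRouteConfig -Name 'default-internet' -AddressPrefix '0.0.0.0/0' -NextHopType Internet | Out-Null
$rt = $rt | Set-AzRouteTable

# 3. Associate the route table with AzureFirewallSubnet. The subnet's existing
#    address prefix must be restated because -AddressPrefix is mandatory.
$vn       = Get-AzVirtualNetwork -Name $vnet -ResourceGroupName $rg
$fwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vn -Name 'AzureFirewallSubnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vn -Name 'AzureFirewallSubnet' `
    -AddressPrefix $fwSubnet.AddressPrefix -RouteTable $rt | Out-Null
$vn = $vn | Set-AzVirtualNetwork

# 4. Verify: the route exists and the subnet now references the route table.
(Get-AzRouteTable -Name $rtName -ResourceGroupName $rg).Routes |
    Format-Table Name, AddressPrefix, NextHopType
(Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vn -Name 'AzureFirewallSubnet').RouteTable.Id
```

Run this before, not after, enabling a 0.0.0.0/0 advertisement from on-premises; the incident in this post is the window in which the BGP default is present and the UDR is not.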

Create a new Azure Route Table