Virtual Geek

Tales from real IT system administrators world and non-production environment

Microsoft Azure Virtual WAN Part 7 - Configure security configuration | Route traffic to your secured hub | Test connectivity


This is the final article of the vWAN configuration series. In this article I will configure the Hub Security configuration (routing) on the Virtual Hub and test connectivity between Azure Virtual Machines in different vNETs and across regions.

Microsoft Azure Virtual WAN Part 1 - Create Virtual Network and subnets
Part 2 Create a Virtual WAN (VWAN) on Azure Portal
Microsoft Azure Virtual WAN Part 3 - Create and convert to secured virtual hub inside VWAN
Microsoft Azure Virtual WAN Part 3.1 - Create secured virtual hub inside Azure Firewall Manager
Microsoft Azure Virtual WAN Part 4 - Add Virtual Network connection | Hub vNet Peering
Microsoft Azure Virtual WAN Part 5 - Create Azure Virtual Machine (VM)
Microsoft Azure Virtual WAN Part 6 - Creating and configuring Azure Firewall Policies
Microsoft Azure Virtual WAN Part 7 - Configure security configuration | Route traffic to your secured hub | Test connectivity

To start the configuration, open Azure Firewall Manager and click Virtual Hubs in the Deployments pane. Select the hub you want to configure to use Azure Firewall, tick its checkbox and click on it.


In the Security configuration blade, look at the virtual network connections created earlier: both the Internet traffic and the Private traffic status show Unsecured. Updates to the virtual hub security configuration apply globally to all connections.

Internet Traffic: These settings apply to traffic from secured connections to the internet. Connections must be secured via the Connections page in order for these settings to apply.
Private Traffic: These settings apply to VNet to VNet and Branch to VNet traffic for all connections on this hub. During preview VNet and Branch prefixes must be defined explicitly.

Manage the internet and private security configuration for hub connections. The internet security configuration can be updated selectively for individual connections, whereas the private traffic security configuration must collectively secure all or none of the connections.


To change the security configuration, select the connections, change Internet traffic to Azure Firewall and Private traffic to Send via Azure Firewall, then save the settings.

While securing internet traffic you will see a warning message: "Please note that securing internet traffic will cause the vWAN hub to advertise the default route to the internet with next-hop as Azure Firewall. This will disrupt internet connectivity for all Hub connections and must be done during maintenance hours to avoid impact to production workloads. Do you want to continue?"


It takes a few minutes for the status of Internet and Private traffic to change to Secured by Azure Firewall.


All the rules are already in place; the Azure Firewall Policies were configured in the earlier article.

Once the setting is changed, it is time to test VM connectivity. I will try to connect to the vm1-vnet1-westus virtual machine from the internet; since it does not have a public IP address, I will use the Azure Firewall public IP to reach the VM, and the ping connectivity test is successful.


Next I will test connectivity between two VMs in the same region but in different vNETs. Connectivity between those two Azure Virtual Machines is also successful.


Another test I did was a website test: as you can see, I get a curl reply for the website, but when testing any other website, for example, I receive the error curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to


Lastly, I tried to check ICMP ping connectivity between virtual machines in different regions across the secured hub. I tried all the different configuration combinations, but it never worked and connectivity was never established. Finally, to solve this issue I raised a request with the Microsoft Azure service desk. From them I got to know that connectivity from secured hub to hub over Azure Firewall is not yet supported. To resolve the issue, the private traffic route configuration needs to be set to Bypass Azure Firewall (Unsecured). I tested the connectivity with this configuration and it was successful.
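To reason about the security configuration semantics above (internet traffic secured per connection, private traffic all-or-none, and the hub-to-hub limitation this article ran into) before flipping the switch on a production hub, here is a small model of how flows are steered. This is an added example, not code from the article or an Azure SDK call; the hub and connection names are constructed to mirror the series, and the hub-to-hub rule encodes what the article reports from Azure support.

```python
# Added illustration: a model of secured-hub traffic steering as described in
# the article. It does not talk to Azure; it only encodes the portal's rules.
FIREWALL = "AzureFirewall"   # "Secured by Azure Firewall" / "Send via Azure Firewall"
BYPASS = "Bypass"            # "Bypass Azure Firewall (Unsecured)"
UNSUPPORTED = "unsupported"  # secured hub-to-hub over the firewall (per the article)


class SecuredHub:
    """Security configuration of one vWAN hub: internet traffic is chosen per
    connection, private traffic is one hub-wide choice (all or none)."""

    def __init__(self, name, internet, private):
        bad = set(internet.values()) - {FIREWALL, BYPASS}
        if bad:
            raise ValueError(f"invalid internet traffic setting(s): {sorted(bad)}")
        if private not in (FIREWALL, BYPASS):
            # Mirrors the portal rule: private traffic must secure all/no connections.
            raise ValueError("private traffic must be AzureFirewall or Bypass for the whole hub")
        self.name, self.internet, self.private = name, dict(internet), private

    def advertises_default_route(self):
        # Securing internet traffic on any connection makes the hub advertise
        # 0.0.0.0/0 with next hop Azure Firewall (the reason for the portal warning).
        return FIREWALL in self.internet.values()

    def connections_disrupted_by_securing_internet(self):
        # The warning text says the default-route change disrupts every
        # connection on the hub, not only the ones being secured.
        return sorted(self.internet)


def next_hop(src_hub, src_conn, dst_hub=None):
    """Where a flow leaving src_conn is steered. dst_hub=None means the internet."""
    if src_conn not in src_hub.internet:
        raise KeyError(f"{src_conn} is not a connection on hub {src_hub.name}")
    if dst_hub is None:
        return src_hub.internet[src_conn]          # per-connection internet setting
    if dst_hub is src_hub:
        return src_hub.private                     # VNet-to-VNet on the same hub
    # Cross-region hub-to-hub: the article found this only works when private
    # traffic bypasses the firewall on the hubs involved.
    if FIREWALL in (src_hub.private, dst_hub.private):
        return UNSUPPORTED
    return BYPASS


if __name__ == "__main__":
    westus = SecuredHub("hub-westus", {"vnet1-westus": FIREWALL, "vnet2-westus": FIREWALL}, FIREWALL)
    eastus = SecuredHub("hub-eastus", {"vnet3-eastus": FIREWALL}, FIREWALL)
    print("vnet1 -> internet:", next_hop(westus, "vnet1-westus"))
    print("vnet1 -> vnet3 (cross-hub):", next_hop(westus, "vnet1-westus", eastus))
```

Run it before a change window to list which flows will be inspected, which will bypass the firewall, and which cross-hub paths will not come up at all.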
