How to set up forced tunneling when using a shared ExpressRoute circuit & Azure Firewall?

Gourishankar Menon 20 Reputation points
2025-11-13T16:22:25.8133333+00:00

I am looking for some advice on how to set up forced tunneling when using a shared ExpressRoute circuit.

Setup: I have a hub and spoke environment with Azure Firewall & a Virtual Network Gateway (ExpressRoute) (for on-prem connectivity) deployed in the hub. The underlying circuit used for ExpressRoute is shared across 2 environments (env-1 & env-2) & is terminating in env-1. The firewall is deployed with a Management subnet. All spokes are peered to the hub & have a UDR which points to the firewall. BGP propagation is disabled on the spoke route tables.

Requirement: Route all internet-bound ingress and egress traffic through the on-prem firewall.

Question: As I understand it, there are 2 options to do this.

Option-1: Advertise the 0.0.0.0/0 route from the on-prem edge router to Azure. The concern I have with this is that since the circuit is shared across 2 environments, how can I advertise the route only for env-2? Also, will these connections be stateful all the way through (i.e. do I need to worry about return traffic)?

Option-2: Add a UDR to the FirewallSubnet to point to the on-prem firewall. Is there any documentation / guidance on how I can do this? Also, will these connections be stateful all the way through (i.e. do I need to worry about return traffic)?

Thank you.

Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.

Answer accepted by question author
  1. Venkatesan S 1,170 Reputation points Microsoft External Staff Moderator
    2025-11-13T19:26:06.5366667+00:00

    Hi Gourishankar Menon,

    Thanks for reaching out to Microsoft Q&A.

    To set up forced tunneling for internet-bound traffic from your Azure environment to your on-premises firewall using a shared ExpressRoute circuit, both options you mentioned are valid but need careful implementation due to the shared nature of the circuit and routing requirements.

    Option 1: Advertise 0.0.0.0/0 from On-Prem Edge

    • Advertising 0.0.0.0/0 via BGP will send all internet-bound traffic from Azure to on-premises through ExpressRoute for any environment attached to the circuit.
    • With a shared circuit, you can't granularly scope BGP advertisements to just one environment (such as env-2) if both environments use the same peering and circuit. The default route will apply to all VNets attached to the peering unless you separate routing at the network layer using route filters or multiple peerings.
    • The connections themselves are “stateful” as long as the bidirectional route exists; return traffic will follow the same path unless overridden by UDRs or asymmetric routing introduced by responses using Internet breakout in Azure. Asymmetric routing could occur if BGP learns 0.0.0.0/0 for multiple environments and the firewall is not configured to handle multi-environment traffic appropriately. Ensuring return traffic passes back through the same path may require careful UDR design and firewall rules.

    Option 2: Add UDR to AzureFirewallSubnet Pointing to On-Prem FW

    • You can configure User Defined Routes (UDRs) pointing the 0.0.0.0/0 next hop to your on-prem firewall for the AzureFirewallSubnet or other subnets as needed. This allows for more granular control, especially if BGP propagation is disabled and spokes use static UDRs.
    • Microsoft recommends deploying a dedicated AzureFirewallManagementSubnet for management traffic with a default route to the internet, while customer traffic in the AzureFirewallSubnet can use UDRs pointing to on-premises firewalls or network virtual appliances.
    • In terms of stateful connections, forced tunneling via UDRs ensures all traffic, including responses, flows through the specified next hop, maintaining connection state. Care must be taken to avoid routing loops or unintended drops in return traffic, especially when combining UDR and BGP advertisements.

    Use Option 2: Configure User Defined Routes (UDRs) on the AzureFirewallSubnet in env-2 to send internet traffic to the on-prem firewall. This lets you control forced tunneling per environment on the shared circuit and keeps traffic stateful. Avoid advertising 0.0.0.0/0 via BGP on the shared circuit, as it affects both environments.

    If I add a UDR on the AzureFirewallSubnet that points 0.0.0.0/0 to the on-prem firewall, do I need any additional routes?

    Yes, you still need one more route change. You must add routes on the GatewaySubnet so that on-prem → spoke traffic is forced through the Azure Firewall. Without that, return traffic can become asymmetric. Once the GatewaySubnet routes and the UDR on the AzureFirewallSubnet are in place, the traffic will remain stateful and work correctly.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

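The accepted answer's Option 2 rests on one property: a stateful firewall only works if both directions of a flow cross it, which is why the extra GatewaySubnet route is needed. The following is an added example, not code from the question or either answer, that models Azure's route selection (longest prefix match, then UDR over BGP over system routes) for the hub-and-spoke layout described above and traces an outbound flow and its return with and without the GatewaySubnet route. Node names, prefixes and addresses (10.2.0.0/16 for the env-2 spoke, 10.0.1.0/24 for AzureFirewallSubnet, 192.168.0.0/16 for on-prem, 203.0.113.7 as an Internet host) are constructed for the illustration, and the model assumes the gateway delivers the default route to on-prem, regardless of how that route is supplied.

```python
# Added example (not from the question or either answer): a small model of Azure
# route selection used to check that the forced-tunneling design keeps both
# directions of a flow on the same path through the Azure Firewall.
# All node names, prefixes and addresses below are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str     # destination CIDR
    next_hop: str   # node in this model that receives the packet next
    source: str     # "user" (UDR), "bgp" (learned over the circuit) or "system"


# Azure prefers the longest prefix; on a tie, UDR beats BGP beats system routes.
_PRIORITY = {"user": 0, "bgp": 1, "system": 2}

# Address ownership: which node a destination address ultimately lives on.
OWNERS = {
    "10.2.0.0/16": "spoke-env2",     # env-2 spoke VNet
    "10.0.1.0/24": "azfw",           # AzureFirewallSubnet (constructed hub VNet)
    "192.168.0.0/16": "onprem-fw",   # on-prem networks behind the edge firewall
}


def owner(dst: str) -> str:
    ip = ipaddress.ip_address(dst)
    for prefix, node in OWNERS.items():
        if ip in ipaddress.ip_network(prefix):
            return node
    return "internet"


def select_route(routes, dst):
    """Return the effective route for dst, or None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                       _PRIORITY[r.source]))


def build_tables(gateway_subnet_udr: bool):
    """Effective routes per node; gateway_subnet_udr toggles the extra route the
    accepted answer says the GatewaySubnet needs (spoke prefix -> Azure Firewall)."""
    tables = {
        # Spoke: BGP propagation disabled, a single UDR to the Azure Firewall.
        "spoke-env2": [Route("0.0.0.0/0", "azfw", "user")],
        # AzureFirewallSubnet: default route handed to the gateway (forced tunnel),
        # spoke reachable through peering, on-prem learned over the circuit.
        "azfw": [Route("0.0.0.0/0", "gateway", "user"),
                 Route("10.2.0.0/16", "spoke-env2", "system"),
                 Route("192.168.0.0/16", "gateway", "bgp")],
        # GatewaySubnet: non-local traffic goes to on-prem over the circuit; the
        # spoke is reachable directly via peering, bypassing the firewall.
        "gateway": [Route("0.0.0.0/0", "onprem-fw", "bgp"),
                    Route("10.2.0.0/16", "spoke-env2", "system")],
        # On-prem firewall: Azure prefixes learned over the circuit, rest to Internet.
        "onprem-fw": [Route("10.2.0.0/16", "gateway", "bgp"),
                      Route("10.0.0.0/16", "gateway", "bgp"),
                      Route("0.0.0.0/0", "internet", "system")],
    }
    if gateway_subnet_udr:
        tables["gateway"].append(Route("10.2.0.0/16", "azfw", "user"))
    return tables


def trace(tables, src_node, dst, max_hops=8):
    """Follow the packet hop by hop until it reaches the node owning dst."""
    path, node = [src_node], src_node
    while owner(dst) != node and len(path) <= max_hops:
        route = select_route(tables.get(node, []), dst)
        if route is None:
            path.append("DROP")
            break
        node = route.next_hop
        path.append(node)
    return path


def flow_is_symmetric(gateway_subnet_udr: bool):
    """Outbound path, return path, and whether the return retraces the Azure leg."""
    tables = build_tables(gateway_subnet_udr)
    # Outbound: a VM in env-2 (10.2.0.10) reaches an Internet host (203.0.113.7).
    out = trace(tables, "spoke-env2", "203.0.113.7")
    # Return: the on-prem firewall de-NATs the reply and forwards it to 10.2.0.10.
    back = trace(tables, "onprem-fw", "10.2.0.10")
    azure_leg = out[:out.index("onprem-fw") + 1]
    return out, back, back == list(reversed(azure_leg))


if __name__ == "__main__":
    for udr in (False, True):
        out, back, ok = flow_is_symmetric(udr)
        print(f"GatewaySubnet UDR={udr}: out={out} back={back} symmetric={ok}")
```

Without the GatewaySubnet route the reply takes gateway → spoke directly and never re-enters the Azure Firewall, so the firewall sees only half the flow; with it, the return retraces the outbound path. The same tracing approach can be reused to check any other UDR/BGP combination before it is deployed.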

1 additional answer

  1. Q&A Assist
    2025-11-13T16:23:28.79+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To set up forced tunneling in your Azure environment with a shared ExpressRoute circuit and Azure Firewall, you can consider the following options:

    Option 1: Advertise 0.0.0.0/0 Route

    • Routing: You can advertise the 0.0.0.0/0 route from your on-premises edge router to Azure. This will direct all internet-bound traffic through your on-premises firewall.
    • Shared Circuit Concern: Since you are using a shared ExpressRoute circuit, you need to ensure that the route advertisement is specific to env-2. This can be managed by configuring route filters or using BGP attributes to control which routes are advertised to which Azure environments.
    • Statefulness: Connections will be stateful as long as the return traffic is routed back through the same path. Therefore, you need to ensure that your on-prem firewall is configured to handle return traffic appropriately.

    Option 2: User Defined Route (UDR) on Firewall Subnet

    • Routing: You can add a UDR to the AzureFirewallSubnet that points to your on-premises firewall. This will ensure that traffic destined for the internet is routed through the on-prem firewall.
    • Documentation: For guidance on creating UDRs, you can refer to the Azure documentation on configuring routes. Ensure that BGP propagation is disabled on the spoke route tables to prevent conflicts with your UDR.
    • Statefulness: Similar to Option 1, the connections will be stateful, and you must ensure that return traffic is managed correctly by your on-prem firewall.

    In both options, careful configuration is necessary to ensure that traffic flows correctly and that return traffic is handled appropriately.
