u/Alternative-Town7637

Understanding Azure Hub & Spoke architecture
▲ 13 r/AZURE


Hello Guys,

I have been involved with Azure for about 1 year now and have been deploying production stuff here and there, mostly with Terraform.

Recently I got a project for which I designed and began implementing a hub and spoke architecture.

My main inspiration comes from the recommended design of Microsoft (https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke).

In a nutshell, I have 2 subscriptions and each one contains a VNet. The goal is for the spoke subscription to egress through the hub VNet, using the firewall for both traffic control and SNAT.

Most of the setup works fine (Private Bastion, private links, AFD, Firewall, AppGW, etc.), but I hit a wall yesterday when configuring the VNet peering between the hub and spoke VNets.

When I attach a UDR (forwarding all traffic to the hub firewall's private IP) to my VM's subnet in the spoke, the VM loses its internet connection instantly (DNS still works).

I pretty much checked all the configuration back and forth several times and cannot find what is not working.

Here's a list of what I have checked so far (probably not exhaustive):
- peering config (allow access + forward traffic enabled on both sides; gateway traffic allowed in the hub because the VPN gateway receives traffic from HQ)
- the VM subnet's NSG
- firewall rules (pretty much open-bar egress now)
- UDR config (only the default route 0.0.0.0/0 through the FW applied)
- NIC effective routes
- …

The really weird thing is that when checking the FW logs in analytics, I never see traffic coming from my spoke subnet. The VMs in the hub work fine; they egress through the FW without problems.

I have also been looking at possible routing asymmetry; I applied a UDR to the AzureFirewallSubnet, with no luck. But I highly doubt that's the root cause, as I don't see the traffic coming in the logs.

Lastly, my FW is standard SKU.

Does anyone have an idea here? I'm pretty much out of ideas and have been going around in circles for a few hours.

u/Alternative-Town7637 — 8 days ago
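As an added example (not from the original post or from Microsoft's reference architecture), the following Python helper runs a longest-prefix match over the JSON that `az network nic show-effective-route-table -o json` returns, to answer two questions the poster's checklist touches on: where a spoke NIC actually sends Internet-bound traffic, and whether the firewall IP used as the UDR next hop is itself reachable from that NIC. The route table, the address plan (spoke 10.1.0.0/16, hub 10.0.0.0/16, firewall 10.0.1.4) and the rule that a UDR next hop must be covered by a VnetLocal or VNetPeering route are constructed assumptions for illustration, not the poster's real environment.

```python
import ipaddress
import json

# Constructed sample in the shape of `az network nic show-effective-route-table -o json`,
# trimmed to the fields used below. Prefixes are assumptions for the example:
# spoke VNet 10.1.0.0/16, hub VNet 10.0.0.0/16, firewall private IP 10.0.1.4.
SAMPLE_EFFECTIVE_ROUTES = json.loads("""
{"value": [
  {"source": "Default", "state": "Active",  "addressPrefix": ["10.1.0.0/16"],
   "nextHopType": "VnetLocal",        "nextHopIpAddress": []},
  {"source": "Default", "state": "Active",  "addressPrefix": ["10.0.0.0/16"],
   "nextHopType": "VNetPeering",      "nextHopIpAddress": []},
  {"source": "Default", "state": "Invalid", "addressPrefix": ["0.0.0.0/0"],
   "nextHopType": "Internet",         "nextHopIpAddress": []},
  {"source": "User",    "state": "Active",  "addressPrefix": ["0.0.0.0/0"],
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": ["10.0.1.4"]}
]}
""")


def active_routes(table):
    """Flatten the CLI output into (network, nextHopType, nextHopIp) tuples, skipping
    routes Azure marks Invalid (e.g. the system Internet route overridden by a UDR)."""
    routes = []
    for r in table["value"]:
        if r["state"] != "Active":
            continue
        hop_ip = r["nextHopIpAddress"][0] if r["nextHopIpAddress"] else None
        for prefix in r["addressPrefix"]:
            routes.append((ipaddress.ip_network(prefix), r["nextHopType"], hop_ip))
    return routes


def lookup(routes, destination):
    """Longest-prefix match over the active routes.
    Returns (network, nextHopType, nextHopIp) or None if nothing covers the address."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, hop_type, hop_ip in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop_ip)
    return best


def drop_routes(table, next_hop_type):
    """Return a copy of the table without routes of the given nextHopType, to simulate
    e.g. a peering that is not in effect on this NIC."""
    return {"value": [r for r in table["value"] if r["nextHopType"] != next_hop_type]}


def check_default_via_firewall(table, firewall_ip, probe="8.8.8.8"):
    """Return a list of findings; an empty list means Internet-bound traffic is handed
    to the firewall and the firewall IP itself is reachable from this NIC."""
    routes = active_routes(table)
    findings = []
    default = lookup(routes, probe)
    if default is None:
        return [f"no active route covers {probe}"]
    _net, hop_type, hop_ip = default
    if hop_type != "VirtualAppliance" or hop_ip != firewall_ip:
        findings.append(f"{probe} is sent to {hop_type} {hop_ip}, not to the firewall {firewall_ip}")
    # Assumption for a hub-and-spoke: the UDR next hop must be covered by a VnetLocal
    # or VNetPeering route. If the only match is the 0.0.0.0/0 UDR itself, the next hop
    # resolves to itself and there is no route that can actually deliver the packet.
    hop_route = lookup(routes, firewall_ip)
    if hop_route is None or hop_route[1] not in ("VnetLocal", "VNetPeering"):
        via = "nothing" if hop_route is None else f"{hop_route[1]} {hop_route[0]}"
        findings.append(f"firewall {firewall_ip} is reached via {via}, not via VnetLocal/VNetPeering")
    return findings


if __name__ == "__main__":
    routes = active_routes(SAMPLE_EFFECTIVE_ROUTES)
    for dest in ("8.8.8.8", "10.0.1.4", "10.1.0.5"):
        print(dest, "->", lookup(routes, dest))
    print("with peering:   ", check_default_via_firewall(SAMPLE_EFFECTIVE_ROUTES, "10.0.1.4"))
    no_peering = drop_routes(SAMPLE_EFFECTIVE_ROUTES, "VNetPeering")
    print("without peering:", check_default_via_firewall(no_peering, "10.0.1.4"))
```

To use it against a real NIC, replace `SAMPLE_EFFECTIVE_ROUTES` with `json.load()` of the CLI output for the spoke VM's NIC; the second finding is the one to look at when the UDR looks correct but the firewall logs never show the spoke's traffic, because the NIC's effective routes then contain no VNetPeering route covering the firewall IP.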