Author : HASSAN MD TAREQ | Updated : 2022/01/24

Scenario

Let’s say we have workloads deployed in a Spoke VNet (e.g. Azure SQL Managed Instance, AKS) and the Hub VNet has VMs, Application Gateway, Firewall, etc. On-premise applications and SQL clients (e.g. SSMS) will connect to these workloads. For security purposes we need to inspect all traffic, so incoming traffic from on-premise must go through Azure Firewall, which is deployed in the Hub VNet’s AzureFirewallSubnet.

Route Table for GatewaySubnet

Create a route table with required settings & routes and assign it to GatewaySubnet:

Screenshots: Route Table for GatewaySubnet to force incoming on-premise traffic through Firewall (Steps 1 to 6)

Firewall Rule Collection Groups and Rule Collections

Network Rule Collection Groups

Application Rule Collection Groups

Example Rule Collections

Azure SQL Managed Instance

Managed Instance creates all necessary NSG rules and routes during provisioning. Therefore there is no need to worry about adding firewall rules for management traffic when overriding “0.0.0.0/0” with “Propagate gateway routes: No”. Firewall rules are only needed to allow incoming on-premise traffic, and the required rules vary depending on the Managed Instance connection type.

Azure SQL Managed Instance connection types

Redirect mode enables direct connectivity to Managed Instance resulting in improved latency and throughput and it requires ports 11000-11999 and 1433 to be open to the inbound traffic. Proxy mode enables proxy connectivity to Managed Instance and it requires only port 1433 to be open to the inbound traffic. Configuring this option applies to private endpoint only and does not affect public endpoint which always defaults to Proxy connection mode.

Step-1

Apply the “Route Table for GatewaySubnet” described above.

Step-2

Because of the UDR in the GatewaySubnet route table, traffic from on-premise now arrives at the Firewall, so we need to add the required Firewall rules to allow it through to the Managed Instance (the Firewall denies by default).

Proxy Mode: Azure Firewall Application Rule with FQDN filtering

Redirect Mode: Additional Azure Firewall Network Rule

Step-3

Managed Instance Network Security Group:

Managed Instance Route Table (only in case of “Redirect Mode”):

Step-4

Test from on-premise network
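Steps 1 and 2 above as one added Bicep example (not part of the original post): a route table for GatewaySubnet that hands spoke-bound on-premise traffic to the firewall, and a Firewall Policy rule collection group holding the Redirect-mode network rule (1433 plus 11000-11999) and the Proxy-mode application rule with FQDN filtering. The firewall private IP, address prefixes, Managed Instance FQDN and policy name are assumed parameters; associating the route table with GatewaySubnet and the Step-3 NSG and route table on the Managed Instance subnet are not shown.

```bicep
param firewallPrivateIp string       // assumed: firewall's private IP in AzureFirewallSubnet
param spokeAddressPrefix string      // assumed: spoke VNet range that holds the Managed Instance
param onPremAddressPrefix string     // assumed: on-premise range arriving through the gateway
param miSubnetPrefix string          // assumed: Managed Instance subnet range
param miFqdn string                  // assumed: <mi-name>.<dns-zone>.database.windows.net
param firewallPolicyName string      // assumed: existing Firewall Policy attached to the firewall
// 1. Route table for GatewaySubnet: spoke-bound traffic goes to the firewall (next hop VirtualAppliance), not straight over the peering.
resource gatewayRouteTable 'Microsoft.Network/routeTables@2022-07-01' = {
  name: 'rt-gatewaysubnet'
  location: resourceGroup().location
  properties: {
    disableBgpRoutePropagation: false   // GatewaySubnet keeps its gateway routes
    routes: [ { name: 'spoke-via-firewall', properties: { addressPrefix: spokeAddressPrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } } ]
  }
}

resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' existing = {
  name: firewallPolicyName
}
// 2. Allow rules for the redirected traffic (the firewall denies by default); network rule collections are evaluated before application rule collections.
resource miRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-07-01' = {
  parent: firewallPolicy
  name: 'rcg-sql-mi'
  properties: {
    priority: 200
    ruleCollections: [
      { // Redirect mode: TCP 1433 plus the 11000-11999 redirect range, on-premise to the MI subnet
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection', name: 'allow-mi-redirect'
        priority: 100, action: { type: 'Allow' }
        rules: [ {
          ruleType: 'NetworkRule', name: 'onprem-to-mi-tcp', ipProtocols: [ 'TCP' ]
          sourceAddresses: [ onPremAddressPrefix ], destinationAddresses: [ miSubnetPrefix ]
          destinationPorts: [ '1433', '11000-11999' ]
        } ]
      }
      { // Proxy mode: application rule with FQDN filtering, port 1433 only
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection', name: 'allow-mi-proxy'
        priority: 200, action: { type: 'Allow' }
        rules: [ {
          ruleType: 'ApplicationRule', name: 'onprem-to-mi-fqdn'
          protocols: [ { protocolType: 'Mssql', port: 1433 } ]
          sourceAddresses: [ onPremAddressPrefix ], targetFqdns: [ miFqdn ]
        } ]
      }
    ]
  }
}
```

Deploy with `az deployment group create` against the hub resource group, then attach `rt-gatewaysubnet` to GatewaySubnet on the hub VNet; in Redirect mode remember the return path from the Managed Instance subnet must also go through the firewall, otherwise routing is asymmetric.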

AKS

Note: there is no need to add an NSG for the AKS subnet.

Application Gateway Private IP

Route for AKS with AGIC and WAF

PaaS Services

Route for PaaS Services Connected by Private Endpoint