Azure allows you to change the routing in your VNET with Azure User Defined Routes (UDR). You must enable IP forwarding for the Barracuda NG Firewall and then create and configure the routing table for the backend networks, so all traffic is routed through the Barracuda NG Firewall in the frontend subnet. The Azure routing table can be assigned to multiple backend subnets.
After the Azure routing table has been applied, the VMs in the backend networks are only reachable via the NG Firewall. This also means that existing Endpoints allowing direct access no longer work.
Before you Begin
- Deploy a Barracuda NG Firewall in the Azure cloud. For more information, see How to Deploy the Barracuda NG Firewall in Microsoft Azure (Single Interface) or How to Deploy the Barracuda NG Firewall on Microsoft Azure via PowerShell.
- Install and configure Azure PowerShell. For more information, see Step 1 in How to Deploy the Barracuda NG Firewall on Microsoft Azure via PowerShell.
Step 1. Enable IP Forwarding for the Barracuda NG Firewall VM
To forward traffic, you must enable IP forwarding for each network interface on the Barracuda NG Firewall VM.
- Open Azure PowerShell.
- To enable IP forwarding for the primary network interface, enter:
Get-AzureVM -ServiceName YOUR_CLOUD_SERVICE -Name YOUR_VM_NAME | Set-AzureIPForwarding -Enable
- If you are using a Barracuda NG Firewall VM with more than one network interface, you must also enable IP forwarding on each of the other network interfaces:
Get-AzureVM -ServiceName YOUR_CLOUD_SERVICE -Name YOUR_VM_NAME | Set-AzureIPForwarding -NetworkInterfaceName YOUR_NIC_NAME -Enable
On the Azure networking level, your Barracuda NG Firewall VM is now allowed to forward IP packets. See the troubleshooting section below on how to check if IP forwarding is enabled for your interfaces.
Step 2. Create an Azure Routing Table
Create a routing table in Azure and apply it to the backend subnets of the VNET. Add a user-defined route to the routing table that changes the default route for all VMs in the backend subnets to the Barracuda NG Firewall VM. The same routing table can be applied to multiple backend subnets.
- Open Azure PowerShell.
- Create a new Azure Routing Table:
New-AzureRouteTable -Name ROUTE_TABLE_NAME -Location YOUR_LOCATION
- Add the default route to the Azure Routing Table:
Get-AzureRouteTable -Name YOUR_ROUTE_TABLE | Set-AzureRoute -RouteName ROUTE_NAME -AddressPrefix 0.0.0.0/0 -NextHopType VirtualAppliance -NextHopIpAddress IP_ADDRESS_OF_NG_FIREWALL
- Assign the Azure routing table to the backend subnet (repeat for each backend subnet):
Set-AzureSubnetRouteTable -VirtualNetworkName YOUR_VNET_NAME -SubnetName SUBNET_NAME -RouteTableName YOUR_BACKEND_ROUTING_TABLE_NAME
All traffic from the backend subnets is now routed through the Barracuda NG Firewall VM. Propagating the routing table changes to the VMs in the subnets can take a couple of minutes. See the Troubleshooting section below on how to query Azure for the actual (effective) routing table used by the VM.
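As an added example (not part of the original article), the following script runs Steps 1 and 2 end to end for a multi-NIC firewall and several backend subnets, then runs the checks from the troubleshooting section. It assumes the classic (Azure Service Management) Azure PowerShell module is loaded with a subscription selected; the NIC names, subnet names, firewall IP 10.0.1.4 and backend VM name are constructed placeholders.

```powershell
# Added example (not from the Barracuda article): Steps 1 and 2 as one script,
# followed by the checks from the troubleshooting section.
# Assumptions: the classic (Azure Service Management) Azure PowerShell module is
# loaded and a subscription is selected; every value below is a constructed
# placeholder to replace with your own names and addresses.
$ServiceName    = 'YOUR_CLOUD_SERVICE'
$VmName         = 'YOUR_VM_NAME'
$ExtraNics      = @('YOUR_NIC_NAME')            # secondary NICs; use @() for a single-NIC VM
$RouteTableName = 'ROUTE_TABLE_NAME'
$Location       = 'YOUR_LOCATION'
$VnetName       = 'YOUR_VNET_NAME'
$BackendSubnets = @('Backend-1', 'Backend-2')   # constructed subnet names
$FirewallIp     = '10.0.1.4'                     # constructed: NG Firewall IP in the frontend subnet
$BackendVmName  = 'BACKEND_VM_NAME'              # constructed: a VM in a backend subnet, assumed to
                                                 # live in the same cloud service as the firewall

# Step 1: allow the firewall VM to forward packets on the primary and every secondary NIC.
$fw = Get-AzureVM -ServiceName $ServiceName -Name $VmName
$fw | Set-AzureIPForwarding -Enable
foreach ($nic in $ExtraNics) {
    $fw | Set-AzureIPForwarding -NetworkInterfaceName $nic -Enable
}

# Step 2: create the routing table only if it is missing, point its default route
# at the firewall (next hop type VirtualAppliance), and bind it to each backend subnet.
if (-not (Get-AzureRouteTable | Where-Object { $_.Name -eq $RouteTableName })) {
    New-AzureRouteTable -Name $RouteTableName -Location $Location | Out-Null
}
Get-AzureRouteTable -Name $RouteTableName |
    Set-AzureRoute -RouteName 'default-via-ngfw' -AddressPrefix '0.0.0.0/0' `
        -NextHopType VirtualAppliance -NextHopIpAddress $FirewallIp | Out-Null
foreach ($subnet in $BackendSubnets) {
    Set-AzureSubnetRouteTable -VirtualNetworkName $VnetName -SubnetName $subnet `
        -RouteTableName $RouteTableName
}

# Checks: IP forwarding state per NIC on the firewall, and the effective routes a
# backend VM actually uses. Expect a 0.0.0.0/0 route with next hop VirtualAppliance
# and $FirewallIp once propagation (which can take a few minutes) has completed.
$fw | Get-AzureIPForwarding
foreach ($nic in $ExtraNics) {
    $fw | Get-AzureIPForwarding -NetworkInterfaceName $nic
}
Get-AzureVM -ServiceName $ServiceName -Name $BackendVmName | Get-AzureEffectiveRouteTable
```

Run the effective-route check against a backend VM, not the firewall itself, since the routing table is applied to the backend subnets.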
Step 3. Create Access Rules on the Barracuda NG Firewall
By default, all outgoing traffic from the backend is blocked by the NG Firewall. Create an access rule to allow access to the Internet.
- Log into the Barracuda NG Firewall.
- Create a PASS access rule:
  - Source – Enter the backend subnet networks.
  - Service – Select Any.
  - Destination – Select Internet.
  - Connection – Select Dynamic SNAT.
- Click OK.
- Place the access rule so that no access rule above it matches the same traffic.
- Click Send Changes and Activate.
Your VMs in the backend networks can now access the Internet via the Barracuda NG Firewall.
Troubleshooting
- Verify that IP forwarding is enabled for both network interfaces on the Barracuda NG Firewall:
Get-AzureVM -ServiceName CLOUD_SERVICE_NAME -Name VM_NAME | Get-AzureIPForwarding
Get-AzureVM -ServiceName CLOUD_SERVICE_NAME -Name VM_NAME | Get-AzureIPForwarding -NetworkInterfaceName NIC2
- Check the effective routing table used by the VMs in the backend networks:
Get-AzureVM -ServiceName DOCNET2 -Name DOC-NG2 | Get-AzureEffectiveRouteTable
- If traffic is not forwarded through the NG Firewall even though IP forwarding is enabled for each network interface and the correct access rule matches, try creating a new VNET. Using a new VNET requires you to redeploy your Barracuda NG Firewall VM.