Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see https://campus.barracuda.com/doc/71862301/ for further information on our EoS policy.

How to Configure User Defined Routes in Azure


Azure allows you to change the routing in your VNET with Azure User Defined Routes (UDR). You must enable IP forwarding for the Barracuda NG Firewall and then create and configure the routing table for the backend networks, so all traffic is routed through the Barracuda NG Firewall in the frontend subnet. The Azure routing table can be assigned to multiple backend subnets.


After the Azure routing table has been applied, the VMs in the backend networks are only reachable via the NG Firewall. This also means that existing Endpoints allowing direct access no longer work.


Before you Begin

Step 1. Enable IP Forwarding for the Barracuda NG Firewall VM

To forward traffic, you must enable IP forwarding for each network interface on the Barracuda NG Firewall VM.

  1. Open Azure PowerShell. 
  2. To enable IP forwarding for the primary network interface, enter:

    Get-AzureVM -ServiceName YOUR_CLOUD_SERVICE -Name YOUR_VM_NAME | Set-AzureIPForwarding -Enable


  3. If you are using a Barracuda NG Firewall VM with more than one network interface, you must also enable IP forwarding on the other network interfaces:

    Get-AzureVM -ServiceName YOUR_CLOUD_SERVICE -Name YOUR_VM_NAME | Set-AzureIPForwarding -NetworkInterfaceName YOUR_NIC_NAME -Enable


On the Azure networking level, your Barracuda NG Firewall VM is now allowed to forward IP packets. See the troubleshooting section below on how to check if IP forwarding is enabled for your interfaces.

Step 2. Create an Azure Routing Table

Create a routing table in Azure and apply it to the backend subnets of the VNET. Add a user-defined route to the routing table to change the default route for all VMs in the backend subnets to the Barracuda NG Firewall VM. The routing table can be applied to multiple backend subnets.

  1. Open Azure PowerShell.

  2. Create a new Azure Routing Table:

    New-AzureRouteTable -Name ROUTE_TABLE_NAME -Location YOUR_LOCATION


  3. Add the default route to the Azure Routing Table:

    Get-AzureRouteTable -Name YOUR_ROUTE_TABLE | Set-AzureRoute -RouteName ROUTE_NAME -AddressPrefix 0.0.0.0/0 -NextHopType VirtualAppliance -NextHopIpAddress IP_ADDRESS_OF_NG_FIREWALL


    The NextHopIPAddress for the default route is the IP address of a network interface of the Barracuda NG Firewall. It does not have to be in the same subnet, so NG Firewall VMs with just one network interface can be used for routing.

  4. Assign the Azure routing table to the backend network: 

    Set-AzureSubnetRouteTable -VirtualNetworkName YOUR_VNET_NAME -SubnetName SUBNET_NAME -RouteTableName YOUR_BACKEND_ROUTING_TABLE_NAME

All traffic from the backend subnets is now routed through the Barracuda NG Firewall VM. Propagating the routing table changes to the VMs in the subnets can take a couple of minutes. See the Troubleshooting section below on how to query Azure for the actual (effective) routing table used by the VM.
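Steps 1 and 2 combined into one first-run script with a read-back of the forwarding state, as an added example that is not part of the original Barracuda documentation. All values are placeholders, the route name is arbitrary, and the comparison assumes that Get-AzureIPForwarding returns the string Enabled for an interface with forwarding turned on.

```powershell
# Added example, not Barracuda's own script. Every value below is a placeholder.
$ServiceName = 'YOUR_CLOUD_SERVICE'
$VmName      = 'YOUR_VM_NAME'                    # the NG Firewall VM
$ExtraNics   = @('YOUR_NIC_NAME')                # @() for a single-NIC firewall
$VNetName    = 'YOUR_VNET_NAME'
$Subnets     = @('SUBNET_NAME_1', 'SUBNET_NAME_2')
$TableName   = 'ROUTE_TABLE_NAME'
$Location    = 'YOUR_LOCATION'
$FirewallIp  = 'IP_ADDRESS_OF_NG_FIREWALL'
$BackendVm   = 'YOUR_BACKEND_VM_NAME'            # any VM in a backend subnet

$ErrorActionPreference = 'Stop'                  # abort on the first failed cmdlet

# Step 1: IP forwarding on the primary interface and on each additional one.
Get-AzureVM -ServiceName $ServiceName -Name $VmName |
    Set-AzureIPForwarding -Enable | Out-Null
foreach ($nic in $ExtraNics) {
    Get-AzureVM -ServiceName $ServiceName -Name $VmName |
        Set-AzureIPForwarding -NetworkInterfaceName $nic -Enable | Out-Null
}

# Step 2: route table, default route (0.0.0.0/0) via the firewall, then assign
# the table to every backend subnet. A subnet left out here keeps its direct route.
New-AzureRouteTable -Name $TableName -Location $Location | Out-Null
Get-AzureRouteTable -Name $TableName |
    Set-AzureRoute -RouteName 'default-via-firewall' -AddressPrefix '0.0.0.0/0' `
        -NextHopType VirtualAppliance -NextHopIpAddress $FirewallIp | Out-Null
foreach ($subnet in $Subnets) {
    Set-AzureSubnetRouteTable -VirtualNetworkName $VNetName -SubnetName $subnet `
        -RouteTableName $TableName | Out-Null
}

# Read back the forwarding state of every interface and stop if one is missing.
# Assumption: the cmdlet returns 'Enabled' when forwarding is on.
$fw = Get-AzureVM -ServiceName $ServiceName -Name $VmName
$state = @{ 'primary' = ($fw | Get-AzureIPForwarding) }
foreach ($nic in $ExtraNics) {
    $state[$nic] = ($fw | Get-AzureIPForwarding -NetworkInterfaceName $nic)
}
$bad = @($state.GetEnumerator() | Where-Object { "$($_.Value)" -ne 'Enabled' })
if ($bad.Count -gt 0) {
    throw "IP forwarding not enabled on: $(($bad | ForEach-Object { $_.Key }) -join ', ')"
}

# Print the routes a backend VM actually uses; propagation can take a couple of minutes.
Get-AzureVM -ServiceName $ServiceName -Name $BackendVm | Get-AzureEffectiveRouteTable
```

New-AzureRouteTable fails if the table already exists, so on a repeat run skip that line and let the remaining commands reapply the route and assignments.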

Step 3. Create Access Rules on the Barracuda NG Firewall

By default, all outgoing traffic from the backend is blocked by the NG Firewall. Create an access rule to allow access to the Internet.

  1. Log into the Barracuda NG Firewall.
  2. Create a PASS access rule:
    • Source – Enter the backend subnet networks. 
    • Service – Select Any.
    • Destination – Select Internet.
    • Connection – Select Dynamic SNAT.
  3. Click OK.
  4. Place the access rule so that no access rule above it matches the same traffic.
  5. Click Send Changes and Activate.

Your VMs in the backend networks can now access the Internet via the Barracuda NG Firewall.


Troubleshooting

  • Verify that IP forwarding is enabled for both network interfaces on the Barracuda NG Firewall.

    Get-AzureVM -ServiceName CLOUD_SERVICE_NAME -Name VM_NAME | Get-AzureIPForwarding
    Get-AzureVM -ServiceName CLOUD_SERVICE_NAME -Name VM_NAME | Get-AzureIPForwarding -NetworkInterfaceName NIC2

  • Check the effective routing table used by the VMs in the backend networks. 

    Get-AzureVM -ServiceName DOCNET2 -Name DOC-NG2 | Get-AzureEffectiveRouteTable


  • If traffic is not forwarded through the NG Firewall even though it is enabled for each network interface and the correct access rule matches, try creating a new VNET. Using a new VNET requires you to redeploy your Barracuda NG Firewall VM.