Azure allows you to change the routing in your VNET with Azure User Defined Routes (UDR). You must enable IP forwarding for the Barracuda NextGen Firewall F-Series and then create and configure the routing table for the backend networks, so all traffic is routed through the Barracuda NextGen Firewall F-Series in the frontend subnet. The Azure routing table can be assigned to multiple backend subnets. F-Series Firewalls using multiple network interfaces do not support high availability deployments.
After the Azure routing table has been applied, the VMs in the backend networks are only reachable via the NextGen Firewall F-Series. This also means that existing Endpoints allowing direct access no longer work.
Before you begin
- Deploy a Barracuda NextGen Firewall F-Series in the Azure cloud. For more information, see Microsoft Azure Deployments using Azure Service Manager (ASM).
- Install Azure PowerShell version 0.9.8 or higher.
Step 1. Enable IP forwarding for the Barracuda NextGen Firewall F-Series VM
To forward traffic, you must enable IP forwarding for each network interface on the Barracuda NextGen Firewall F-Series VM.
- Open Azure PowerShell.
- To enable IP forwarding for the primary network interface, enter:
Get-AzureVM -ServiceName YOUR_CLOUD_SERVICE -Name YOUR_VM_NAME | Set-AzureIPForwarding -Enable
- If you are using a Barracuda NextGen Firewall F-Series VM with more than one network interface, you must also enable IP forwarding on the other network interfaces:
Get-AzureVM -ServiceName YOUR_CLOUD_SERVICE -Name YOUR_VM_NAME | Set-AzureIPForwarding -NetworkInterfaceName YOUR_NIC_NAME -Enable
On the Azure networking level, your Barracuda NextGen Firewall F-Series VM is now allowed to forward IP packets. See the troubleshooting section below on how to check if IP forwarding is enabled for your interfaces.
Step 2. Create an Azure route table
Create a routing table in Azure and apply it to the backend subnets of the VNET. Add a user-defined route to the routing table that changes the default route for all VMs in the backend subnets to the Barracuda NextGen Firewall F-Series VM. The same routing table can be applied to multiple backend subnets.
- Open Azure PowerShell.
- Create a new Azure routing table:
New-AzureRouteTable -Name ROUTE_TABLE_NAME -Location YOUR_LOCATION
- Add the default route to the Azure routing table:
Get-AzureRouteTable -Name YOUR_ROUTE_TABLE | Set-AzureRoute -RouteName ROUTE_NAME -AddressPrefix 0.0.0.0/0 -NextHopType VirtualAppliance -NextHopIpAddress IP_ADDRESS_OF_NG_FIREWALL
- Assign the Azure routing table to the backend network:
Set-AzureSubnetRouteTable -VirtualNetworkName YOUR_VNET_NAME -SubnetName SUBNET_NAME -RouteTableName YOUR_BACKEND_ROUTING_TABLE_NAME
All traffic from the backend subnets is now routed through the Barracuda NextGen Firewall F-Series VM. Propagating the routing table changes to the VMs in the subnets can take a couple of minutes. See the Troubleshooting section below on how to query Azure for the actual (effective) routing table used by the VM.
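Steps 1 and 2 combined into one Azure PowerShell (ASM) script, followed by the verification commands from the troubleshooting section. This is an added example and not part of the Barracuda article; the cloud service, VM, VNET, subnet and route names and the firewall's IP address are placeholders, and Get-AzureNetworkInterfaceConfig is assumed to list the VM's additional network interfaces.

```powershell
# Added example (not from the original article). All names below are placeholders.
$ServiceName    = 'YOUR_CLOUD_SERVICE'
$VmName         = 'YOUR_VM_NAME'          # the F-Series VM in the frontend subnet
$VnetName       = 'YOUR_VNET_NAME'
$Location       = 'YOUR_LOCATION'
$RouteTableName = 'backend-via-ngf'
$FirewallIp     = '10.0.0.4'              # assumed internal IP of the F-Series frontend NIC
$BackendSubnets = @('backend-1', 'backend-2')   # backend subnets only; never the frontend
$BackendVmName  = 'YOUR_BACKEND_VM_NAME'  # any VM in a backend subnet, used for verification

# Step 1: enable IP forwarding on the primary NIC and on every additional NIC.
$fw = Get-AzureVM -ServiceName $ServiceName -Name $VmName
$fw | Set-AzureIPForwarding -Enable
foreach ($nic in (Get-AzureNetworkInterfaceConfig -VM $fw)) {
    $fw | Set-AzureIPForwarding -NetworkInterfaceName $nic.Name -Enable
}

# Step 2: create the routing table (only needed once) and point 0.0.0.0/0 at the firewall.
New-AzureRouteTable -Name $RouteTableName -Location $Location | Out-Null
Get-AzureRouteTable -Name $RouteTableName |
    Set-AzureRoute -RouteName 'default-to-ngf' -AddressPrefix '0.0.0.0/0' `
        -NextHopType VirtualAppliance -NextHopIpAddress $FirewallIp | Out-Null

# Bind the same table to each backend subnet. The frontend subnet is deliberately
# excluded: sending the firewall's own default route back to itself would loop.
foreach ($subnet in $BackendSubnets) {
    Set-AzureSubnetRouteTable -VirtualNetworkName $VnetName `
        -SubnetName $subnet -RouteTableName $RouteTableName
}

# Verification (troubleshooting section): IP forwarding state for every NIC ...
$fw | Get-AzureIPForwarding
foreach ($nic in (Get-AzureNetworkInterfaceConfig -VM $fw)) {
    $fw | Get-AzureIPForwarding -NetworkInterfaceName $nic.Name
}
# ... and the effective routes a backend VM actually uses (propagation can take minutes).
Get-AzureVM -ServiceName $ServiceName -Name $BackendVmName |
    Get-AzureEffectiveRouteTable | Format-Table -AutoSize
```

Re-running the script is safe apart from New-AzureRouteTable, which fails if the table already exists; drop that line on subsequent runs.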
Step 3. Create access rules on the Barracuda NextGen Firewall F-Series
By default, all outgoing traffic from the backend is blocked by the NextGen Firewall F-Series. Create an access rule to allow access to the Internet.
- Log into the Barracuda NextGen Firewall F-Series.
- Create a PASS access rule:
- Source – Enter the backend subnet networks.
- Service – Select Any.
- Destination – Select Internet.
- Connection – Select Dynamic SNAT.
- Click OK.
- Place the access rule so that no access rule above it matches the same traffic.
- Click Send Changes and Activate.
Your VMs in the backend networks can now access the Internet via the Barracuda NextGen Firewall F-Series.
Troubleshooting
Verify that IP forwarding is enabled for both network interfaces on the Barracuda NextGen Firewall F-Series.
Get-AzureVM -ServiceName CLOUD_SERVICE_NAME -Name VM_NAME | Get-AzureIPForwarding
Get-AzureVM -ServiceName CLOUD_SERVICE_NAME -Name VM_NAME | Get-AzureIPForwarding -NetworkInterfaceName NIC2
Check the effective routing table used by the VMs in the backend networks.
Get-AzureVM -ServiceName DOCNET2 -Name DOC-NG2 | Get-AzureEffectiveRouteTable
- If traffic is not forwarded through the NextGen Firewall F-Series even though it is enabled for each network interface and the correct access rule matches, try creating a new VNET. Using a new VNET requires you to redeploy your Barracuda NextGen Firewall F-Series VM.
Check Network > Azure UDR to see the UDR route table for the VNET. UDR routes pointing to the F-Series Firewalls are marked with a green icon.