https://community.checkpoint.com/t5/Cloud-Firewall/Filter-VNET-Peering-traffic/m-p/168053#M587 <P>Hi,</P> <P>what you need to do is to add a UDR in the peered subnet (the one that is peered to the GW vNet) and forward the traffic that you need inspected to the GW IP (if its a single GW) or the Internal-LB IP (if it's a cluster or VMSS).</P> <P>the peered subnet can reach that IP because of the peering and will route the traffic directly to the GWs via the peering connection.</P> Tue, 17 Jan 2023 11:45:03 GMT Nir_Shamir 2023-01-17T11:45:03Z https://community.checkpoint.com/t5/Cloud-Firewall/Filter-VNET-Peering-traffic/m-p/168047#M586 <P>Hi,</P><P>&nbsp;</P><P>We are setting up some VNET Peerings between multiple subscription</P><P>VNET Peering are UP and connected however we are not able to filter traffic coming from these VNET (Peered) via the CloudGuard GW</P><P>When working with local subnet we jut change the UDR to use CloudGuard as a Gateway however that feature is not availbale with the VNET Peering.</P><P>Do we need to implement a Transit GW ?</P><P>Is there any documentation / support on this setup ?</P><P>Thank you</P> Tue, 17 Jan 2023 11:31:33 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Filter-VNET-Peering-traffic/m-p/168047#M586 CP-NDA 2023-01-17T11:31:33Z https://community.checkpoint.com/t5/Cloud-Firewall/Filter-VNET-Peering-traffic/m-p/168053#M587 <P>Hi,</P> <P>what you need to do is to add a UDR in the peered subnet (the one that is peered to the GW vNet) and forward the traffic that you need inspected to the GW IP (if its a single GW) or the Internal-LB IP (if it's a cluster or VMSS).</P> <P>the peered subnet can reach that IP because of the peering and will route the traffic directly to the GWs via the peering connection.</P> Tue, 17 Jan 2023 11:45:03 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Filter-VNET-Peering-traffic/m-p/168053#M587 Nir_Shamir 2023-01-17T11:45:03Z https://community.checkpoint.com/t5/Cloud-Firewall/Filter-VNET-Peering-traffic/m-p/168055#M588 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1792">@Nir_Shamir</a>&nbsp;</P><P>&nbsp;</P><P>I will do the test but in terms of security we are not managing the second tenant. So if the UDR is changed that means they will have full access to our VNET?</P><P>How can we control that setting ?</P><P>Thank you</P><P>&nbsp;</P> Tue, 17 Jan 2023 11:47:24 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Filter-VNET-Peering-traffic/m-p/168055#M588 CP-NDA 2023-01-17T11:47:24Z https://community.checkpoint.com/t5/Cloud-Firewall/Filter-VNET-Peering-traffic/m-p/168056#M589 <P>you can deploy NSGs on your Subnets.</P> <P>Also if you Subnets have UDRs to have the return traffic go through the Firewall then even if they don't do the UDR on their end they might reach your resources directly but the return traffic will go through the Firewall which will drop those connections as Out Of State and they won't be able to reach them or open any connections to them.</P> Tue, 17 Jan 2023 12:02:44 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Filter-VNET-Peering-traffic/m-p/168056#M589 Nir_Shamir 2023-01-17T12:02:44Z https://community.checkpoint.com/t5/Cloud-Firewall/Filter-VNET-Peering-traffic/m-p/168058#M590 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1792">@Nir_Shamir</a>&nbsp; Indeed we've been able to validate the Out of state during our tests but I though that it would be possible to have a more secure and best solution. the traffic should not hit the machines even if they change the UDR</P><P>I will check with NSG to only allow connection to CloudGuard from the remote tenant</P><P>Thank you !</P> Tue, 17 Jan 2023 12:18:02 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Filter-VNET-Peering-traffic/m-p/168058#M590 CP-NDA 2023-01-17T12:18:02Z