CP-NDA
Collaborator
Filter VNET Peering traffic

Hi,

We are setting up some VNET Peerings between multiple subscriptions.

The VNET Peerings are up and connected; however, we are not able to filter traffic coming from these (peered) VNETs via the CloudGuard GW.

When working with a local subnet we just change the UDR to use CloudGuard as a gateway; however, that feature is not available with VNET Peering.

Do we need to implement a Transit GW?

Is there any documentation / support on this setup?

Thank you


Accepted Solutions
Nir_Shamir
Employee

Hi,

What you need to do is to add a UDR in the peered subnet (the one that is peered to the GW vNet) and forward the traffic that you need inspected to the GW IP (if it's a single GW) or the Internal-LB IP (if it's a cluster or VMSS).

The peered subnet can reach that IP because of the peering and will route the traffic directly to the GWs via the peering connection.


4 Replies
CP-NDA
Collaborator

Hi @Nir_Shamir

I will do the test, but in terms of security we are not managing the second tenant. So if the UDR is changed, does that mean they will have full access to our VNET?

How can we control that setting?

Thank you

Nir_Shamir
Employee

You can deploy NSGs on your subnets.

Also, if your subnets have UDRs that send the return traffic through the firewall, then even if they don't do the UDR on their end, they might reach your resources directly, but the return traffic will go through the firewall, which will drop those connections as out of state, and they won't be able to reach them or open any connections to them.

CP-NDA
Collaborator

@Nir_Shamir Indeed, we've been able to validate the out-of-state behaviour during our tests, but I thought that it would be possible to have a more secure and better solution. The traffic should not hit the machines even if they change the UDR.

I will check with NSGs to only allow connections to CloudGuard from the remote tenant.

Thank you!


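An added example, not from the thread or from Check Point, that models in Python the three mechanisms discussed above: the peer-side UDR pointing at the GW / internal-LB IP, the return-path UDR that makes uninspected connections fail as out of state, and an NSG on the workload subnet. All addresses are constructed; the model assumes the gateway preserves the original source address unless the hypothetical `gw_hide_nat` flag is set, which is what decides whether an "allow only from CloudGuard" NSG rule can work.

```python
import ipaddress

# Constructed addresses: none of these come from the thread.
FW_IP = "10.0.1.4"         # CloudGuard GW IP (single GW) or internal-LB frontend (cluster/VMSS)
OUR_VNET = "10.0.0.0/16"   # our VNet (gateway subnet + workload subnet)
PEER_VNET = "10.1.0.0/16"  # the remote tenant's VNet, peered to ours
VM_IP = "10.0.2.10"        # a workload VM in our VNet
PEER_HOST = "10.1.0.5"     # a host in the peered VNet


def next_hop(udr, dst):
    """Azure-style longest-prefix match over user-defined routes (prefix, next_hop_ip).
    Returns None when no UDR matches, i.e. the system route delivers directly."""
    best = None
    for prefix, hop in udr:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def nsg_allows(rules, src):
    """Inbound NSG rules (priority, source_prefix, action): lowest priority wins, default deny."""
    for _prio, src_prefix, action in sorted(rules):
        if ipaddress.ip_address(src) in ipaddress.ip_network(src_prefix):
            return action == "Allow"
    return False


def new_connection(peer_udr, our_udr, our_nsg, gw_hide_nat=False, src=PEER_HOST, dst=VM_IP):
    """Trace a new TCP connection from a peered-VNet host to our VM and return a verdict.
    gw_hide_nat is an assumption flag: True means the gateway rewrites the source of
    inspected traffic to FW_IP, so an NSG can tell inspected traffic from direct traffic."""
    # Forward path: the firewall only sees (and records a session for) the SYN when the
    # peer's UDR sends traffic for our VNet to the GW / internal-LB IP.
    inspected = next_hop(peer_udr, dst) == FW_IP
    seen_src = FW_IP if inspected and gw_hide_nat else src  # address the NSG evaluates
    if not nsg_allows(our_nsg, seen_src):
        return "blocked by NSG before reaching the VM"
    # Return path: if our UDR sends the reply through the firewall but the firewall never
    # saw the SYN, the reply is dropped as out of state and the connection fails.
    if not inspected and next_hop(our_udr, src) == FW_IP:
        return "reply dropped by firewall as out of state"
    return "established"


# Scenario from the thread: the remote tenant removes their UDR while our return-path
# UDR still forces replies through the firewall, with and without a restrictive NSG.
ALLOW_ALL = [(100, "0.0.0.0/0", "Allow")]
RETURN_VIA_FW = [(PEER_VNET, FW_IP)]
FW_ONLY = [(100, FW_IP + "/32", "Allow"), (200, PEER_VNET, "Deny")]
```

Without source NAT on the gateway, the `FW_ONLY` rule set also blocks properly inspected traffic, so that NSG design only makes sense together with a hide-NAT rule on the gateway.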