A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?
- A. The Azure Firewall is not in the same region as the spoke.
  Why wrong: Azure Firewall can be in a different region than the spoke VNet. Regional differences do not affect routing as long as the firewall is reachable through the hub VNet.
- B. The ExpressRoute gateway's BGP routes are still overriding the UDR because gateway propagation is not fully disabled.
  Why wrong: Disabling gateway route propagation removes the gateway-learned routes from the subnet's effective routes. If it is properly disabled, no BGP-learned routes are present. This is not the cause.
- C. The spoke subnet does not have a route for the on-premises prefix pointing to the firewall.
  Why correct: The 0.0.0.0/0 UDR only applies to traffic that has no more specific matching route. On-premises traffic matches a more specific address prefix. To send it through the firewall, you must add a UDR for that specific prefix with the firewall's private IP as the next hop.
- D. The route table is not associated with the spoke subnet.
  Why wrong: If the route table were not associated with the subnet, no UDR would apply at all and traffic would follow the default system routes. Internet traffic was already being routed through the firewall, which shows the route table is associated.