Azure IaaS Lab – Routing (UDR)

This post is part of a series, for the series contents see:
https://irankon.wordpress.com/post-lists/azure-iaas-lab-project/

For the code listed in this post please see:
https://github.com/irankon/azure-iaas-lab/blob/master/udr_setup.ps1

The whole point of the Ubuntu firewall is to be a cheap stand-in for a marketplace appliance like a Check Point or Cisco ASA. Now that I've got that in place, the next step was to push some traffic through it, which is where UDR (user defined routing) came into play.

What we're doing is setting up routes that push traffic from my various subnets over the peering links to the internal-facing interface of my firewall VM:

UDR Diagram

Going back to the original diagram, it’s the newly added red arrows above.

When I was playing around with this I came across some gotchas, so let's get them out of the way first:

  1. As mentioned in a previous post (when we set up the firewall VM), the NIC on the firewall VM that we're going to forward traffic to needs to have IP forwarding enabled.
  2. The peering relationships between the VNETs also need to be set to allow forwarded traffic.

At a high level, setting up UDR goes like this:

  1. You create a route (give it a sensible name).
  2. Next you create a routing table and add your route from step 1 to it.
  3. Finally you apply the routing table to the relevant subnet in your VNET.

So here are the steps, starting with pushing traffic between my management and DMZ web subnets via the firewall:

As always, start off by getting logged in:

#Login to Azure and resource manager
Add-AzureAccount
Login-AzureRmAccount

#Just in case you have multiple subscriptions check which one you're working in
Get-AzureSubscription

#If you need to select your test subscription use:
#Set-AzureSubscription -SubscriptionName <name>

Step 1 is to create a route to the DMZ web subnet (192.168.1.0/24) via the Zentyal firewall interface (10.2.1.4):

#Create a route from the hub to the DMZ via the inside interface of the firewall

#Get our vnet variable
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName hub-rg -Name hub-vnet

#AddressPrefix specifies the destination
#Create a route to the DMZ web subnet via the Zentyal firewall
#NextHopIPAddress is the inside interface of the Zentyal box

$HubDMZRoute = New-AzureRmRouteConfig -Name Hub-MgmtSub-to-DMZ-WebSub `
 -AddressPrefix 192.168.1.0/24 -NextHopType VirtualAppliance `
 -NextHopIpAddress 10.2.1.4

Step 2, create a routing table with the route from step 1 as an entry:

#Create a routing table with the route to the DMZ web subnet as an entry

$routeTable = New-AzureRmRouteTable -ResourceGroupName hub-rg -Location "North Europe" `
 -Name hub-udr -Route $HubDMZRoute

Finally, step 3, apply that routing table to our management subnet so that any traffic from there to the DMZ web subnet will be routed via the firewall:


#Apply to my mgmt subnet
#In this case, AddressPrefix refers to the mgmt subnet

Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name mgmt-subnet `
 -AddressPrefix 10.1.1.0/24 -RouteTable $routeTable

Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

At this point traffic from the management subnet will be sent to the firewall on its way to the DMZ web subnet, but when the firewall forwards it over the peering link towards the DMZ VNET it will be dropped. This is because that peering link hasn't been set to allow forwarded traffic, so that needs to be fixed with:


#As the firewall will now be the man in the middle the DMZ VNET will see traffic coming from it
#Therefore, I need to set the peering relationship between the DMZ and Security VNETs so that forwarded traffic is accepted

$DMZToSecurityLink = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName dmz-vnet -ResourceGroupName dmz-rg -Name DMZToSecurity-Peer
$DMZToSecurityLink.AllowForwardedTraffic = $true
Set-AzureRmVirtualNetworkPeering -VirtualNetworkPeering $DMZToSecurityLink

As things stand, traffic in the direction management -> DMZ web will go via the firewall, but I suspect that the return traffic will go directly over the DMZ and hub VNET peering, as the DMZ subnets don't have any routing applied to them. Asymmetric routing is never a good thing (a stateful firewall only sees one half of each session), so the next step is to set up routing in the other direction: route traffic from the DMZ web subnet to the management subnet back via the firewall:


#Now let's do the same from traffic in the other direction
#Create a route from the DMZ to the hub via the inside interface of the firewall

#Get our vnet variable
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName dmz-rg -Name dmz-vnet

#AddressPrefix specifies the destination
#NextHopIPAddress is the inside interface of the Zentyal box

$DMZHubRoute = New-AzureRmRouteConfig -Name DMZ-WebSub-to-Hub-MgmtSub `
-AddressPrefix 10.1.1.0/24 -NextHopType VirtualAppliance `
-NextHopIpAddress 10.2.1.4

$routeTable = New-AzureRmRouteTable -ResourceGroupName dmz-rg -Location "North Europe" `
-Name dmz-udr -Route $DMZHubRoute

#Apply to my DMZ subnet
#In this case, AddressPrefix refers to the web subnet

Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name web-subnet `
-AddressPrefix 192.168.1.0/24 -RouteTable $routeTable

Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

#And on the hub side of things, allow traffic forwarded from the firewall
#This will apply for all traffic from other networks to mgmt via the firewall
#because that peering relationship from the security vnet will be used generally

$HubToSecurityLink = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName hub-vnet -ResourceGroupName hub-rg -Name HubToSecurity-Peer
$HubToSecurityLink.AllowForwardedTraffic = $true
Set-AzureRmVirtualNetworkPeering -VirtualNetworkPeering $HubToSecurityLink

Now just rinse and repeat for the other combinations of traffic routes:

  1. Management to AD subnet (and vice versa)
  2. DMZ web to AD subnet (and vice versa)

###############################
# Mgmt and Internal UDR Setup #
###############################

#Create a route from the hub to internal via the inside interface of the firewall

#Get our vnet variable
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName hub-rg -Name hub-vnet

#Update the existing hub route table with this new route
#This is key as we're updating an existing one so the code is slightly different
Get-AzureRmRouteTable -ResourceGroupName hub-rg -Name "hub-udr" `
| Add-AzureRmRouteConfig -Name Hub-MgmtSub-to-Internal-ADSub -AddressPrefix 172.1.1.0/24 -NextHopType VirtualAppliance -NextHopIpAddress 10.2.1.4 `
| Set-AzureRmRouteTable

$routeTable = Get-AzureRmRouteTable -ResourceGroupName hub-rg -Name "hub-udr"

#Apply to my mgmt subnet
#In this case, AddressPrefix refers to the mgmt subnet
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name mgmt-subnet `
-AddressPrefix 10.1.1.0/24 -RouteTable $routeTable

Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

#Now let's do the same from traffic in the other direction
#Create a route from Internal to the hub via the inside interface of the firewall

#Get our vnet variable
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName internal-rg -Name internal-vnet

#AddressPrefix specifies the destination
#NextHopIPAddress is the inside interface of the Zentyal box
$InternalHubRoute = New-AzureRmRouteConfig -Name Internal-ADSub-to-Hub-MgmtSub `
-AddressPrefix 10.1.1.0/24 -NextHopType VirtualAppliance `
-NextHopIpAddress 10.2.1.4

$routeTable = New-AzureRmRouteTable -ResourceGroupName internal-rg -Location "North Europe" `
-Name internal-udr -Route $InternalHubRoute

#Apply to my internal AD subnet
#In this case, AddressPrefix refers to the AD subnet
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name ad-subnet `
-AddressPrefix 172.1.1.0/24 -RouteTable $routeTable

Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

#As the firewall will now be the man in the middle the Internal VNET will see traffic coming from it
#Therefore, I need to set the peering relationship between the Internal and Security VNETs so that forwarded traffic is accepted
$InternalToSecurityLink = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName internal-vnet -ResourceGroupName internal-rg -Name InternalToSecurity-Peer
$InternalToSecurityLink.AllowForwardedTraffic = $true
Set-AzureRmVirtualNetworkPeering -VirtualNetworkPeering $InternalToSecurityLink

###############################
# DMZ and Internal UDR Setup #
###############################

#Create a route from the DMZ to internal via the inside interface of the firewall

#Get our vnet variable
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName dmz-rg -Name dmz-vnet

#Update the existing dmz route table with this new route
#This is key as we're updating an existing one so the code is slightly different
Get-AzureRmRouteTable -ResourceGroupName dmz-rg -Name "dmz-udr" `
| Add-AzureRmRouteConfig -Name DMZ-WebSub-to-Internal-ADSub -AddressPrefix 172.1.1.0/24 -NextHopType VirtualAppliance -NextHopIpAddress 10.2.1.4 `
| Set-AzureRmRouteTable

$routeTable = Get-AzureRmRouteTable -ResourceGroupName dmz-rg -Name "dmz-udr"

#Apply to my dmz web subnet
#In this case, AddressPrefix refers to the web subnet
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name web-subnet `
-AddressPrefix 192.168.1.0/24 -RouteTable $routeTable

Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

#Now let's do the same from traffic in the other direction
#Create a route from Internal to the dmz via the inside interface of the firewall

#Get our vnet variable
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName internal-rg -Name internal-vnet

#Update the existing internal route table with this new route
#This is key as we're updating an existing one so the code is slightly different
Get-AzureRmRouteTable -ResourceGroupName internal-rg -Name "internal-udr" `
| Add-AzureRmRouteConfig -Name Internal-ADSub-to-DMZ-WebSub -AddressPrefix 192.168.1.0/24 -NextHopType VirtualAppliance -NextHopIpAddress 10.2.1.4 `
| Set-AzureRmRouteTable

$routeTable = Get-AzureRmRouteTable -ResourceGroupName internal-rg -Name "internal-udr"

#Apply to my internal AD subnet
#In this case, AddressPrefix refers to the AD subnet
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name ad-subnet `
-AddressPrefix 172.1.1.0/24 -RouteTable $routeTable

Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
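Once all of that has been applied, it's worth checking the finished lab for the two gotchas and for the asymmetric-routing problem rather than finding out from a dropped session. The read-only check below is something I've added here; it isn't from the original post or the udr_setup.ps1 in the repo. It uses the same AzureRm cmdlets and the lab's own names from above; the firewall NIC's resource group and name are assumptions (placeholders) that you set to the inside NIC of the firewall VM.

```powershell
# Added verification script (not from the original post). Assumes the lab names used
# above and the AzureRm module. The firewall NIC resource group/name are placeholders.
$FirewallInsideIp = "10.2.1.4"
$FirewallNicRg    = "security-rg"            # assumption: the firewall VM's resource group
$FirewallNicName  = "<firewall-inside-nic>"  # placeholder: the firewall's inside NIC

# Subnets that should all reach each other only via the firewall
$subnets = @(
  @{ Rg="hub-rg";      Vnet="hub-vnet";      Subnet="mgmt-subnet"; Prefix="10.1.1.0/24"    },
  @{ Rg="dmz-rg";      Vnet="dmz-vnet";      Subnet="web-subnet";  Prefix="192.168.1.0/24" },
  @{ Rg="internal-rg"; Vnet="internal-vnet"; Subnet="ad-subnet";   Prefix="172.1.1.0/24"   }
)
# Peerings towards the security VNET that must accept traffic forwarded by the firewall
$peerings = @(
  @{ Rg="hub-rg";      Vnet="hub-vnet";      Name="HubToSecurity-Peer"      },
  @{ Rg="dmz-rg";      Vnet="dmz-vnet";      Name="DMZToSecurity-Peer"      },
  @{ Rg="internal-rg"; Vnet="internal-vnet"; Name="InternalToSecurity-Peer" }
)
$problems = @()

# Gotcha 1: IP forwarding on the firewall's inside NIC
$nic = Get-AzureRmNetworkInterface -ResourceGroupName $FirewallNicRg -Name $FirewallNicName
if (-not $nic.EnableIPForwarding) { $problems += "IP forwarding is disabled on $FirewallNicName" }

# Gotcha 2: every spoke-to-security peering must allow forwarded traffic
foreach ($p in $peerings) {
  $peer = Get-AzureRmVirtualNetworkPeering -ResourceGroupName $p.Rg -VirtualNetworkName $p.Vnet -Name $p.Name
  if (-not $peer.AllowForwardedTraffic) { $problems += "$($p.Name) does not allow forwarded traffic" }
}

# Symmetry: each subnet's route table needs a VirtualAppliance route to every other
# subnet's prefix with the firewall as next hop, otherwise the return path bypasses it
foreach ($src in $subnets) {
  $vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $src.Rg -Name $src.Vnet
  $sub  = $vnet.Subnets | Where-Object { $_.Name -eq $src.Subnet }
  if (-not $sub.RouteTable) { $problems += "$($src.Subnet) has no route table attached"; continue }
  $idParts = $sub.RouteTable.Id -split '/'          # .../resourceGroups/<rg>/.../routeTables/<name>
  $rt = Get-AzureRmRouteTable -ResourceGroupName $idParts[4] -Name $idParts[-1]
  foreach ($dst in ($subnets | Where-Object { $_.Subnet -ne $src.Subnet })) {
    $hit = $rt.Routes | Where-Object { $_.AddressPrefix -eq $dst.Prefix -and
             $_.NextHopType -eq "VirtualAppliance" -and $_.NextHopIpAddress -eq $FirewallInsideIp }
    if (-not $hit) { $problems += "$($src.Subnet) -> $($dst.Prefix) is not routed via $FirewallInsideIp (asymmetric path)" }
  }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { "All subnet pairs route via the firewall; peerings and NIC forwarding are OK" }
```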
