通过 ExpressRoute 为特定公共强制隧道 IP

Question

We've got some workloads on premises that talk to a client's public IP via VPN tunnel. So the current setup is kind of like this:

On Premises -> VPN tunnel -> client service (via Public IP)

Now we have to move those workloads to Azure and we already have some infra (including Hub/Spoke VNets, ExpressRoute circuit, etc) that we want to use.

Ideally we'd like traffic (to that public IP) be routed through ExpressRoute, so effectively it would like like this:

Azure Spoke VNet -> Azure Hub VNet -> ExpressRoute -> On premises -> VPN tunnel -> client service (via Public IP)

The question is what has to be done from each end?

Answer 1

You can enable BGP to propagate routes from your on-premises.network to Azure if you have an ExpressRoute connection between your on-premises.network and Azure.

You can use UDR to push traffic to an on-premises firewall or other NVA to process.network traffic before it is sent to the Inte.net, or you might have a default route advertised via BGP. You must setup Azure Firewall with Forced Tunnel setting enabled in order to support this configuration like below.

Go to firewall manager -> create new secured virtual.network -> Azure firewall.

In azure firewall make sure to enable force tunnelling like below:

You can enable Propagate gateway routes to get the appropriate routes to the on-premises.network.

If you advertise default routes. try to set up your routers so that traffic returns to Azure via the public peering path or the inte.net.

Once the traffic is routed to your on-premises you must take care of forwarding it to appropriate vpn tunnel.

To more in detail refer this link below:

Azure ExpressRoute | Microsoft Learn