Deployment of Firewall ends with Provisioning state 'Failed'

Yen Sheng 0

I am having a hub/spoke network architecture. Whenever I tried provisioning Azure Firewall, it will go into a Failed state. And it seems like the only way to resolve this is to add a route table to it and configure a 0.0.0.0/0 route to the Internet.

My understanding is Azure Firewall by default does not requires any route table, right?

Any help would be appreciated

Rohith Vinnakota 680 Reputation points Microsoft Vendor

2024-08-29T03:12:34.59+00:00

Hi Yen Sheng,
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Could you please provide the error details and a screenshot of the error message? This information would be very helpful in resolving the issue.

Thank you,
Vinnakota Rohith
Yen Sheng 0 Reputation points

2024-08-29T03:45:04.2+00:00

I do not have the screenshot of the Failed state anymore, as I have recreated a new Azure Firewall and attached route table to it.

However, I felt that the reason it got into Failed state is because I had ExpressRoute running in my GatewaySubnet. I am suspecting that the reason of the failure is because the traffic to/from Internet for the firewall is being routed through the virtual network gateway and got lost from there. So, by having the route table pointing 0.0.0.0/0 to the Internet, it allows the firewall to communicate with other services.

Does this make sense?

1 answer

Rohith Vinnakota 680 Reputation points Microsoft Vendor

2024-08-29T04:43:29.6633333+00:00
Hi Yen Sheng,

Thank you for posting your query on Microsoft Q&A.

Yes, that's right. Azure Firewall does not require a route table by default. However, in your hub/spoke network setup, the failure to provision the Azure Firewall is likely due to conflicts caused by the ExpressRoute gateway.

Your approach of setting up a route table to direct all outbound traffic to the internet is a correct solution.

Azure Firewall, it automatically creates a default route (0.0.0.0/0) to the Internet

If you have any further queries, do let us know.

Thank you,

Vinnakota Rohith

If the answer is helpful, please click "Accept Answer" and "Upvote it."
Please sign in to rate this answer.
Yen Sheng 0 Reputation points

2024-08-29T07:56:24.0933333+00:00

Once we created this route table for Azure Firewall, how do we make sure the traffic are properly routed through?

For example, I have configured a route to direct all my east-west connectivity to the firewall private IP. Now that I have setup a routing table for AzureFirewallSubnet, how do I make sure all the traffic will get routed to my VNet properly? How to cross check whether this is working properly?

Rohith Vinnakota 680 Reputation points Microsoft Vendor

2024-08-30T02:38:45.12+00:00

Hi Yen Sheng,
Thank you for getting back.

Enable diagnostic logging on Azure Firewall to track traffic. Use these logs to confirm that traffic is being processed by the firewall.

Use tracert or traceroute run these commands from your VM to see the path traffic takes. Ensure that traffic is routed through the Azure Firewall.

Thank you,

Vinnakota Rohith

Rohith Vinnakota 680 Reputation points Microsoft Vendor

2024-09-09T01:39:39.55+00:00

Hi Yen Sheng,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Deployment of Firewall ends with Provisioning state 'Failed'

1 answer

Your answer