Send all traffic to the internet through the Check Point firewall except Entra Domain services

HASSAN BIN NASIR DAR 326 Reputation points
2024-11-28T15:41:15.2866667+00:00

Hi

I have a Check Point firewall in Azure, and I want to send all traffic to the internet through the Check Point firewall except Entra Domain services. I have deployed a user-defined route and added two routes.

The first route is configured as follows:

Address Prefix: 0.0.0.0/0

Next Hop: Virtual Appliance

Next Hop Address: Private IP address of the firewall

The second route is configured as:

Address Prefix: Specific address range (using Entra Domain Services)

Next Hop: Virtual Network

Next Hop Address: Blank

Everything is working fine, but I am getting the following error:

A user defined route table has detected that includes a 0.0.0.0/0 route where the next hop is not configured for Internet.

I need a solution as soon as possible, please.

1 answer

  1. Rohith Vinnakota 1,515 Reputation points Microsoft Vendor
    2024-12-09T16:42:24.3366667+00:00

    Hi HASSAN BIN NASIR DAR,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that the two routes are working fine, but you're experiencing the error:

    A user defined route table has detected that includes a 0.0.0.0/0 route where the next hop is not configured for Internet.

    This warning can be safely ignored.

    This is because, by default, there is a route where 0.0.0.0/0 points to the internet. We created a new user-defined route where the destination 0.0.0.0/0 points to the next-hop firewall. This configuration overrides the default route that points to the internet. You can verify this in the NIC's effective routes, where you will see that the 0.0.0.0/0 route with the next hop as "Internet" is marked as invalid. Additionally, the 0.0.0.0/0 route with the next hop as "firewall" is in a valid state.

    Machines in the subnet associated with the route table will use the firewall's private IP to access the internet. As stated earlier, the 0.0.0.0/0 route with the next hop as "Internet" is invalid, which is what causes the error.

    Please let me know the source of the error message you're receiving.

    Note: The Entra Domain Services subnet does not support a 0.0.0.0/0 UDR.

    Refer to this link:
    https://zcusa.951200.xyz/en-us/entra/identity/domain-services/network-considerations?source=recommendations#user-defined-routes

    Please don't forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
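To make the answer's reasoning concrete, here is an added Python model of how Azure picks an effective route (longest prefix match; when prefixes tie, user-defined beats BGP beats system) and of the condition behind the portal warning. It is not code from the question or the answer; the VNet range 10.0.0.0/16, firewall NIC 10.0.1.4 and Entra Domain Services range 10.0.5.0/24 are constructed sample values.

```python
import ipaddress

# Azure tie-break when several routes carry the same prefix: user-defined routes
# beat BGP routes, which beat system default routes (documented behaviour).
PRECEDENCE = {"User": 0, "BGP": 1, "System": 2}

def effective_routes(routes):
    """Label each route Active or Invalid the way the NIC effective-routes view does:
    of the routes sharing one prefix, only the highest-precedence source stays Active."""
    labelled = []
    for route in routes:
        same_prefix = [r for r in routes if r["prefix"] == route["prefix"]]
        winner = min(same_prefix, key=lambda r: PRECEDENCE[r["source"]])
        labelled.append({**route, "state": "Active" if winner is route else "Invalid"})
    return labelled

def select_route(routes, dest_ip):
    """Longest-prefix match over the Active routes only (what the data plane uses)."""
    dest = ipaddress.ip_address(dest_ip)
    candidates = [r for r in effective_routes(routes)
                  if r["state"] == "Active" and dest in ipaddress.ip_network(r["prefix"])]
    return max(candidates, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen)

def default_route_warning(routes):
    """Reproduces the condition behind the warning quoted in the question: a
    user-defined 0.0.0.0/0 route whose next hop is anything other than Internet."""
    return any(r["source"] == "User" and r["prefix"] == "0.0.0.0/0"
               and r["next_hop"] != "Internet" for r in routes)

# Constructed sample (assumed addressing): VNet 10.0.0.0/16, firewall NIC 10.0.1.4,
# Entra Domain Services range 10.0.5.0/24. The two "User" rows are the question's UDRs.
ROUTES = [
    {"prefix": "10.0.0.0/16", "next_hop": "VnetLocal", "next_hop_ip": None, "source": "System"},
    {"prefix": "0.0.0.0/0", "next_hop": "Internet", "next_hop_ip": None, "source": "System"},
    {"prefix": "0.0.0.0/0", "next_hop": "VirtualAppliance", "next_hop_ip": "10.0.1.4", "source": "User"},
    {"prefix": "10.0.5.0/24", "next_hop": "VnetLocal", "next_hop_ip": None, "source": "User"},
]

if __name__ == "__main__":
    # The system 0.0.0.0/0 -> Internet row comes out Invalid, exactly what the NIC view shows.
    for r in effective_routes(ROUTES):
        print(f'{r["prefix"]:<14}{r["source"]:<8}{r["next_hop"]:<18}{r["state"]}')
    print("warning condition met:", default_route_warning(ROUTES))
    print("8.8.8.8   ->", select_route(ROUTES, "8.8.8.8")["next_hop_ip"])   # firewall
    print("10.0.5.10 ->", select_route(ROUTES, "10.0.5.10")["next_hop"])    # VnetLocal
```

Internet-bound traffic resolves to the firewall's private IP while the Entra Domain Services prefix stays on the virtual network, which is why the warning can be ignored in this design.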
