Design service chaining, including gateway transit

1.3 Design and Implement VNet Connectivity and Routing

📘Microsoft Azure Networking Solutions (AZ-700)


1. What Is Service Chaining?

Service chaining means forcing network traffic to pass through one or more network services before it reaches its final destination.

These services are usually:

  • Azure Firewall
  • Network Virtual Appliances (NVAs)
  • An internal load balancer that fronts a set of NVAs (its private IP becomes the next hop)
  • Other security or inspection devices

In Azure, service chaining is used to:

  • Inspect traffic
  • Apply security rules
  • Control routing paths
  • Enforce centralized security policies

Instead of traffic going directly from one subnet or VNet to another, you intentionally route it through a security or control device.


2. Why Service Chaining Is Needed in Azure

Azure VNets route traffic automatically using system routes. By default:

  • Traffic inside a VNet flows directly between subnets
  • Traffic between peered VNets flows directly
  • Outbound traffic leaves directly to the internet (system route 0.0.0.0/0, next hop Internet)

This is fast, but it bypasses any firewall you have deployed: nothing is inspected unless you change the routing.

Service chaining is required when:

  • You want all traffic inspected by a firewall
  • You want centralized security for multiple VNets
  • You want traffic logging and monitoring
  • You want consistent security rules across environments

3. Key Azure Components Used in Service Chaining

a. Azure Firewall and Network Virtual Appliances (NVAs)

Azure Firewall is Microsoft's managed, stateful firewall service. An NVA is a virtual machine running a third-party network product that performs functions such as:

  • Firewalling
  • Packet inspection
  • Routing
  • VPN services

Examples of NVAs:

  • Third-party firewalls (FortiGate, Palo Alto, Check Point)

Both are used the same way in service chaining: their private IP address becomes the next hop in a route. One practical difference: an NVA VM must have IP forwarding enabled on its network interface, otherwise Azure drops packets that are not addressed to the VM itself. Azure Firewall needs no such setting.

Azure Firewall and NVAs are usually placed in a hub VNet.


b. User-Defined Routes (UDRs)

User-defined routes (UDRs) are critical for service chaining.

They allow you to:

  • Override Azure’s default routing
  • Force traffic to go to a specific next hop

Next-hop types available in a UDR:

  • Virtual appliance (the private IP of an NVA, of Azure Firewall, or of an internal load balancer in front of NVAs)
  • Virtual network gateway
  • Virtual network (send the prefix back to normal routing inside the VNet)
  • Internet
  • None (drop the traffic; used to black-hole prefixes)

"VNet peering" is a system route type only; you cannot select it as the next hop of a UDR. Peered address spaces are reached through the system route Azure adds when the peering connects.

Without UDRs, service chaining is not possible.


4. Hub-and-Spoke Architecture (Very Important for Exam)

Service chaining is commonly implemented using a hub-and-spoke VNet design.

Hub VNet

Contains shared services such as:

  • Azure Firewall or NVA
  • VPN Gateway
  • ExpressRoute Gateway
  • DNS services

Spoke VNets

Contain:

  • Application workloads
  • Databases
  • Virtual machines

Spoke VNets do not deploy a gateway of their own, and in this design their default route to the internet is overridden so that egress goes through the hub firewall. They rely on the hub for both.


5. How Service Chaining Works (Step-by-Step)

  1. A workload in a spoke subnet sends traffic
  2. A UDR on the spoke subnet sends the traffic to the private IP of the firewall or NVA in the hub (next hop type Virtual appliance)
  3. The firewall inspects the traffic and allows or blocks it
  4. Approved traffic is forwarded to:
    • Another spoke (that spoke's peering must allow forwarded traffic, because the packet did not originate in the hub)
    • On-premises network (through the hub gateway)
    • Internet (Azure Firewall SNATs to its own public IP)

This ensures all traffic follows the same controlled path. The return path must follow the same route through the firewall: if a reply takes a direct path, the firewall never sees it and a stateful firewall drops the flow. That is why the destination spoke's subnet needs a route table as well, not only the source spoke's.


6. What Is Gateway Transit?

Gateway transit is a VNet peering setting that lets peered VNets share the hub's single VPN or ExpressRoute gateway (a virtual network gateway).

Instead of deploying a gateway in every VNet:

  • One gateway is deployed in the hub VNet
  • Spoke VNets use that gateway

This reduces:

  • Cost
  • Complexity
  • Management overhead

7. Types of Gateways Used with Gateway Transit

Gateway transit supports virtual network gateways only:

  • VPN Gateway (site-to-site, VNet-to-VNet, or point-to-site)
  • ExpressRoute Gateway

It does not apply to resources that are not virtual network gateways:

  • NAT Gateway
  • Application Gateway

8. Requirements for Gateway Transit (Exam Focus)

To enable gateway transit, the following conditions must be met (a peering is two resources, one on each side, and both must reach the Connected state):

In the Hub VNet:

  • A virtual network gateway (VPN or ExpressRoute) must exist in the GatewaySubnet
  • VNet peering to the spoke must be configured
  • Allow gateway transit must be enabled on the hub's peering

In the Spoke VNet:

  • VNet peering to the hub must be configured
  • Use remote gateways must be enabled on the spoke's peering

A spoke can use a remote gateway through only one of its peerings, and it cannot use a remote gateway while it has a virtual network gateway of its own.
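The requirements above are easy to get half right across many spokes, so here is an added audit script (my own example, not an Azure tool or anything from the page) that applies them to the output of `az network vnet peering list -g <rg> --vnet-name <vnet> -o json`, whose camelCase keys it reads. The VNet names, peering names, subscription ID and the `peering`/`audit_peerings` helpers are made up for the example; the sample data is constructed inline so it runs offline.

```python
"""Audit hub-and-spoke peerings for the gateway-transit and service-chaining settings.

Added example: checks the JSON shape printed by `az network vnet peering list`
(keys allowGatewayTransit, useRemoteGateways, allowForwardedTraffic,
peeringState, remoteVirtualNetwork.id). Names and IDs below are invented.
"""

SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real subscription


def vnet_id(name):
    """Resource ID in the form Azure uses for remoteVirtualNetwork.id."""
    return (f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-net/providers/"
            f"Microsoft.Network/virtualNetworks/{name}")


def peering(name, remote, *, transit=False, use_remote=False, forwarded=True, state="Connected"):
    """One peering object with the camelCase keys the Azure CLI prints."""
    return {
        "name": name,
        "allowGatewayTransit": transit,
        "useRemoteGateways": use_remote,
        "allowForwardedTraffic": forwarded,
        "allowVirtualNetworkAccess": True,
        "peeringState": state,
        "remoteVirtualNetwork": {"id": vnet_id(remote)},
    }


# Constructed sample, keyed by the VNet each `az network vnet peering list` was run against.
SAMPLE_PEERINGS = {
    "vnet-hub": [
        peering("hub-to-spoke1", "vnet-spoke1", transit=True),
        peering("hub-to-spoke2", "vnet-spoke2", transit=False),   # transit never enabled
        peering("hub-to-spoke3", "vnet-spoke3", transit=True),
    ],
    "vnet-spoke1": [peering("spoke1-to-hub", "vnet-hub", use_remote=True)],
    "vnet-spoke2": [peering("spoke2-to-hub", "vnet-hub", use_remote=True, forwarded=False)],
    "vnet-spoke3": [
        peering("spoke3-to-hub", "vnet-hub", use_remote=True, state="Initiated"),
        peering("spoke3-to-hub2", "vnet-hub2", use_remote=True),  # second remote gateway
    ],
}


def audit_peerings(peerings_by_vnet, hub_vnet, vnets_with_own_gateway=frozenset()):
    """Return (vnet, peering, problem) tuples for settings that break gateway transit
    or hub inspection. hub_vnet owns the shared gateway and firewall; pass the names of
    any VNets that deploy their own gateway in vnets_with_own_gateway."""
    findings = []
    for vnet, peerings in peerings_by_vnet.items():
        using_remote = [p["name"] for p in peerings if p["useRemoteGateways"]]
        if len(using_remote) > 1:
            findings.append((vnet, ",".join(using_remote),
                             "useRemoteGateways set on more than one peering; a VNet may use only one remote gateway"))
        for p in peerings:
            remote = p["remoteVirtualNetwork"]["id"].rsplit("/", 1)[-1]
            if p["peeringState"] != "Connected":
                findings.append((vnet, p["name"],
                                 f"peeringState is {p['peeringState']}, not Connected (peer both sides)"))
            if vnet == hub_vnet:
                if not p["allowGatewayTransit"]:
                    findings.append((vnet, p["name"],
                                     f"allowGatewayTransit is off, so {remote} cannot use the hub gateway"))
                continue
            if p["useRemoteGateways"] and vnet in vnets_with_own_gateway:
                findings.append((vnet, p["name"],
                                 "useRemoteGateways set but the VNet has its own gateway; Azure allows one or the other"))
            if remote == hub_vnet:
                if not p["useRemoteGateways"]:
                    findings.append((vnet, p["name"],
                                     "useRemoteGateways is off; the spoke will not reach on-premises via the hub gateway"))
                if not p["allowForwardedTraffic"]:
                    findings.append((vnet, p["name"],
                                     "allowForwardedTraffic is off; packets forwarded by the hub firewall/NVA from other networks are dropped"))
    return findings


if __name__ == "__main__":
    for vnet, name, problem in audit_peerings(SAMPLE_PEERINGS, "vnet-hub", {"vnet-spoke2"}):
        print(f"{vnet:12s} {name:28s} {problem}")
```

On the sample, spoke1 is clean; the hub's peering to spoke2 lacks transit, spoke2 both owns a gateway and asks for the hub's, spoke3 asks for two remote gateways and one of its peerings never reached Connected.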


9. Gateway Transit Traffic Flow

When gateway transit is enabled:

  • Spoke VNets can reach:
    • On-premises networks connected to the hub gateway
    • Other networks the gateway connects to (other sites, point-to-site clients)
  • The spoke's address space is advertised to on-premises as if it sat behind the gateway

Traffic flow:

  1. Spoke → Hub gateway (the spoke learns the on-premises prefixes from the gateway as routes with next hop Virtual network gateway)
  2. Hub gateway → On-premises

This works in both directions:

  • Inbound: on-premises → hub gateway → spoke
  • Outbound: spoke → hub gateway → on-premises

10. Combining Service Chaining and Gateway Transit

In real Azure designs, both concepts are used together.

Typical design:

  • Hub VNet contains:
    • Azure Firewall or an NVA
    • VPN/ExpressRoute Gateway
  • Spoke VNets contain workloads
  • UDRs force traffic from spokes to the firewall
  • The firewall forwards traffic to the gateway

Two settings decide whether the firewall is actually in the path:

  • On the spoke route table, disable "Propagate gateway routes". With gateway transit the on-premises prefixes arrive in the spoke as routes to the gateway; they are more specific than a 0.0.0.0/0 UDR, so without this setting spoke-to-on-premises traffic goes straight to the gateway and is never inspected. The AzureFirewallSubnet (or NVA subnet) keeps propagation enabled so the firewall still knows the way to on-premises.
  • On the GatewaySubnet, attach a route table that sends the spoke prefixes to the firewall's private IP, so on-premises-to-spoke traffic is inspected too and the flow stays symmetric.

This ensures:

  • Centralized security
  • Controlled routing
  • Shared connectivity
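To see why the UDR in section 3b overrides the system route, why the step-by-step flow in section 5 works, and why gateway-learned routes can still slip past the firewall in the combined design above, here is an added simulation (my own example code, not from the page or from Azure) of how Azure selects a subnet's effective route: longest prefix match first, then user-defined routes over BGP/gateway routes over system routes. The addresses (spoke 10.1.0.0/16, hub 10.0.0.0/16, firewall 10.0.1.4, on-premises 192.168.0.0/16) and the helper names are invented for the example.

```python
"""Simulate Azure effective-route selection for a spoke subnet.

Added example. Two rules are modelled, in the order Azure applies them:
  1. the longest matching prefix wins;
  2. for an equal prefix, a user-defined route beats a gateway (BGP) route,
     which beats a system route.
All addresses and names are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Tie-break among routes of equal prefix length (lower wins).
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str            # CIDR, e.g. "10.1.0.0/16"
    next_hop_type: str     # VirtualNetwork, VNetPeering, Internet, VirtualAppliance,
                           # VirtualNetworkGateway or None (black hole)
    source: str            # "Default" (system), "VirtualNetworkGateway" (learned), "User" (UDR)
    next_hop_ip: str = ""  # only meaningful for VirtualAppliance


def udr(prefix, next_hop_type, next_hop_ip=""):
    """A user-defined route as you would add it to a route table."""
    return Route(prefix, next_hop_type, "User", next_hop_ip)


def effective_routes(vnet_prefix, peered_prefixes, gateway_prefixes, udrs,
                     propagate_gateway_routes=True):
    """Compose a subnet's effective routes the way Azure does.

    System routes: own address space, peered address spaces, 0.0.0.0/0 to Internet.
    Gateway routes: prefixes learned through the VPN/ExpressRoute gateway; they reach
    the subnet only while 'Propagate gateway routes' is enabled on its route table.
    udrs: the route table attached to the subnet.
    """
    routes = [Route(vnet_prefix, "VirtualNetwork", "Default")]
    routes += [Route(p, "VNetPeering", "Default") for p in peered_prefixes]
    routes.append(Route("0.0.0.0/0", "Internet", "Default"))
    if propagate_gateway_routes:
        routes += [Route(p, "VirtualNetworkGateway", "VirtualNetworkGateway") for p in gateway_prefixes]
    return routes + list(udrs)


def select_route(dest_ip, routes):
    """Return the route Azure would pick for dest_ip, or None if nothing matches."""
    ip = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                       SOURCE_PRIORITY[r.source]))


def next_hop(dest_ip, routes):
    """Readable next hop such as 'VirtualAppliance 10.0.1.4'."""
    r = select_route(dest_ip, routes)
    return "no route" if r is None else f"{r.next_hop_type} {r.next_hop_ip}".strip()


# Constructed topology: spoke peered to hub, Azure Firewall at 10.0.1.4 in the hub,
# on-premises prefix learned through the hub gateway via gateway transit.
SPOKE, HUB, FIREWALL, ONPREM = "10.1.0.0/16", "10.0.0.0/16", "10.0.1.4", "192.168.0.0/16"


def spoke_scenarios():
    """Next hop for (on-premises, internet) traffic, plus an intra-VNet case, per route table."""
    default_to_fw = [udr("0.0.0.0/0", "VirtualAppliance", FIREWALL)]
    out = {}
    # 1. No route table: system and gateway routes only, nothing is inspected.
    rt = effective_routes(SPOKE, [HUB], [ONPREM], [])
    out["no_udr"] = (next_hop("192.168.10.5", rt), next_hop("8.8.8.8", rt))
    # 2. Default route to the firewall, gateway routes still propagated: the learned
    #    /16 is more specific than 0.0.0.0/0, so on-premises traffic bypasses the firewall.
    rt = effective_routes(SPOKE, [HUB], [ONPREM], default_to_fw, propagate_gateway_routes=True)
    out["udr_propagate_on"] = (next_hop("192.168.10.5", rt), next_hop("8.8.8.8", rt))
    # 3. Same UDR with 'Propagate gateway routes' disabled: the learned /16 disappears
    #    and 0.0.0.0/0 now carries on-premises traffic to the firewall as well.
    rt = effective_routes(SPOKE, [HUB], [ONPREM], default_to_fw, propagate_gateway_routes=False)
    out["udr_propagate_off"] = (next_hop("192.168.10.5", rt), next_hop("8.8.8.8", rt))
    # 4. Intra-VNet inspection: a UDR for the spoke's own /16 ties the system route on
    #    length and wins on source; hub-bound traffic still follows the peering route.
    rt = effective_routes(SPOKE, [HUB], [ONPREM],
                          default_to_fw + [udr(SPOKE, "VirtualAppliance", FIREWALL)], False)
    out["intra_vnet"] = (next_hop("10.1.5.6", rt), next_hop("10.0.2.9", rt))
    return out


if __name__ == "__main__":
    for name, hops in spoke_scenarios().items():
        print(f"{name:18s} {hops}")
```

Scenario 2 is the trap: the route table looks complete, but `az network nic show-effective-route-table` on a spoke VM would still show the on-premises prefix with next hop Virtual network gateway. Scenario 3 is the fix from the section above, and scenario 4 shows that a UDR can even pull intra-VNet traffic through the firewall when its prefix equals the VNet's own.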

11. Important Exam Points to Remember

  • Service chaining uses UDRs with next hop type Virtual appliance
  • Azure Firewall or NVAs are placed in a hub VNet
  • Hub-and-spoke is the preferred design
  • Gateway transit allows spokes to share the hub's gateway
  • Enable:
    • “Allow gateway transit” on the hub's peering
    • “Use remote gateways” on the spoke's peering
  • A VNet can use a remote gateway through only one peering, and not while it owns a gateway
  • Gateway transit works only with VPN and ExpressRoute gateways
  • Disable “Propagate gateway routes” on spoke route tables so learned on-premises routes do not bypass the firewall

12. Common Mistakes (Exam Traps)

  • Forgetting to configure UDRs
  • Expecting traffic to be inspected without service chaining
  • Trying to use multiple remote gateways with one spoke
  • Assuming gateway transit works without VNet peering in the Connected state
  • Confusing gateway transit with VNet peering itself
  • Leaving “Propagate gateway routes” enabled on spoke route tables, so on-premises traffic skips the firewall

13. Summary

  • Service chaining controls traffic paths through security devices
  • UDRs are the core mechanism
  • Gateway transit allows shared gateway usage
  • Hub-and-spoke architecture is the recommended design
  • These concepts are critical for secure, scalable Azure networking and are heavily tested in AZ-700

This completes everything you need to understand Design service chaining, including gateway transit, for the AZ-700 exam.
