Wednesday, March 31, 2021

Controlling / Verifying Azure Routing Tables to enforce traffic through Third-Party Firewalls?

I imagine this is a common problem, but my quick Google-fu has failed me. We're implementing third-party NVA firewalls in Azure in the standard active-active load-balancer sandwich, and want to make sure that all traffic from certain subnets has to go through them.

The standard way of doing this is to override the default Azure subnet routing tables with routes pointing at the NVA load balancers. So far, so good: everything works as expected. But as the number of networks grows, and Azure keeps tossing automatic routes into its routing tables because it likes to be helpful, it's a management nightmare to make sure all routing-table routes are always overridden with user-defined routes. How are people managing this, and are there any clever auditing tools or tricks to prevent Azure or an admin from just tossing in a route that completely bypasses the firewalls?
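One way to audit this offline, as an added example that is not part of the original post: model Azure's route selection (longest prefix match, and on a tie user-defined routes beat BGP-learned routes beat system routes) over each route table's UDRs plus the system routes Azure installs, and check that a set of representative destinations all resolve to the NVA load balancer. The input is a constructed sample in the shape of `az network route-table list -o json` output; the NVA frontend IP `10.0.1.4`, the VNet space `10.0.0.0/16`, the peered space `10.1.0.0/16` and the test destinations are hypothetical assumptions. It catches the two cases the post worries about: an admin-added route that sends a prefix elsewhere, and a more specific system route (VNet-local, peering) that a lone `0.0.0.0/0` UDR does not override.

```python
import ipaddress
import json

# Assumptions (hypothetical, not from the post): the frontend IP of the
# internal load balancer in front of the active-active NVA pair, the VNet
# address space, and the address spaces of peered VNets.
NVA_NEXT_HOPS = {"10.0.1.4"}
VNET_SPACE = "10.0.0.0/16"
PEERED_SPACES = ["10.1.0.0/16"]

# Constructed sample in the shape of `az network route-table list -o json`.
# rt-app-good overrides every prefix the NVA must see; rt-app-bad only
# overrides the default route and carries an admin-added gateway route.
SAMPLE_ROUTE_TABLES = json.loads("""
[
  {"name": "rt-app-good", "disableBgpRoutePropagation": true, "routes": [
    {"name": "default", "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
    {"name": "vnet", "addressPrefix": "10.0.0.0/16", "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
    {"name": "peer", "addressPrefix": "10.1.0.0/16", "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"}
  ]},
  {"name": "rt-app-bad", "disableBgpRoutePropagation": false, "routes": [
    {"name": "default", "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
    {"name": "to-onprem", "addressPrefix": "192.168.0.0/16", "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": null}
  ]}
]
""")

# Destinations a workload subnet must reach only through the NVA (constructed):
# another subnet in the same VNet, a peered VNet, the Internet, on-premises.
TEST_DESTINATIONS = ["10.0.5.10", "10.1.3.7", "8.8.8.8", "192.168.10.20"]

# Azure selects the longest matching prefix; on equal prefixes it prefers
# user-defined routes over BGP-learned routes over system routes.
SOURCE_RANK = {"User": 0, "Bgp": 1, "System": 2}


def system_routes():
    """Simplified model of the routes Azure installs in every subnet."""
    routes = [
        {"addressPrefix": VNET_SPACE, "nextHopType": "VnetLocal", "source": "System"},
        {"addressPrefix": "0.0.0.0/0", "nextHopType": "Internet", "source": "System"},
    ]
    for space in PEERED_SPACES:
        routes.append({"addressPrefix": space, "nextHopType": "VNetPeering", "source": "System"})
    return routes


def select_route(routes, destination):
    """Return the route Azure would pick: longest prefix, then source rank."""
    dest = ipaddress.ip_address(destination)
    best_key, best = None, None
    for route in routes:
        net = ipaddress.ip_network(route["addressPrefix"], strict=False)
        if dest not in net:
            continue
        key = (-net.prefixlen, SOURCE_RANK.get(route.get("source", "User"), 0))
        if best_key is None or key < best_key:
            best_key, best = key, route
    return best


def goes_through_nva(route):
    """True only if the winning route is a UDR to one of the NVA load-balancer IPs."""
    return (route is not None and route["nextHopType"] == "VirtualAppliance"
            and route.get("nextHopIpAddress") in NVA_NEXT_HOPS)


def audit_route_table(table, destinations=TEST_DESTINATIONS):
    """Return findings for one route table; an empty list means every test destination hits the NVA."""
    findings = []
    if not table.get("disableBgpRoutePropagation", False):
        findings.append(f"{table['name']}: BGP route propagation is enabled, so gateway-learned "
                        "routes can be injected and compete with the UDRs")
    udrs = [dict(r, source="User") for r in table.get("routes", [])]
    combined = system_routes() + udrs  # the system 0.0.0.0/0 guarantees a match
    for dst in destinations:
        chosen = select_route(combined, dst)
        if not goes_through_nva(chosen):
            findings.append(f"{table['name']}: {dst} -> {chosen['nextHopType']} via "
                            f"{chosen['addressPrefix']} ({chosen['source']} route) bypasses the NVA")
    return findings


def run_audit(tables=SAMPLE_ROUTE_TABLES):
    """Map each route-table name to its findings."""
    return {t["name"]: audit_route_table(t) for t in tables}


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Against the sample, rt-app-good produces no findings and rt-app-bad produces four: BGP propagation left on, same-VNet and peered-VNet traffic falling through to the system routes, and the on-premises prefix sent straight to the gateway. In a real tenant the JSON would come from `az network route-table list -o json`, and the offline model should be cross-checked against `az network nic show-effective-route-table` for a representative NIC, since that output includes BGP-learned routes this script cannot see.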


