This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 28.000000000000004%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
We want to route on-premises traffic to the internet through Azure Firewall.
For that, we have deployed an ExpressRoute connection between on-premises and Azure.
Now we are trying to route the traffic from the GatewaySubnet to the firewall by defining a route with 0.0.0.0/0 as the destination and the firewall as the next hop, but it shows the error: "Cannot associate the default route 0.0.0.0/0 to GatewaySubnet."
How can I establish a route from GatewaySubnet to Azure Firewall for both inbound and outbound connections?
An Azure network security service that is used to protect Azure Virtual Network resources.
Thank you, Thanmayi, for your comments.
I have already applied default route to the spoke subnet. The traffic from the on-premises reaching upto express route circuit only. How should I route that traffic from circuit to firewall now so that it can go out to the internet.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 22%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETG%3C/text%3E%3C/svg%3E)
Hi @GAWAI, SRIKANT,
Thank you for reaching out on Microsoft Q&A forum.
I understand your issue regarding routing on-premises traffic to the Internet through Azure Firewall over ExpressRoute.
You attempt to create a user-defined route (UDR) on the GatewaySubnet with a destination of 0.0.0.0/0 pointing to Azure Firewall failed with "Cannot associate the default route 0.0.0.0/0 to GatewaySubnet." error and this behavior is expected due to Azure’s restrictions on GatewaySubnet configuration.
From the official documentation (Azure VPN Gateway Settings):
So, applying a default route (0.0.0.0/0) to the GatewaySubnet would prevent the gateway from communicating with its management infrastructure.Any route overlapping the GatewaySubnet or gateway IP ranges is blocked.This restriction ensures proper operation of the gateway, BGP, and diagnostic functions.
To route on-premises traffic to the Internet via Azure Firewall:
1.Keep GatewaySubnet untouched
2.Use Hub-Spoke topology with UDRs
AzureFirewallSubnet) in the Hub VNet.3.Enable BGP route propagation on the GatewaySubnet
4.Azure Firewall handles outbound NAT
Refer- Forced tunneling with Azure Firewall
Kindly let us know if the above helps or you need further assistance on this issue.
If the answer is helpful, please 'Accept the answer' and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks for your input. Below are my comments on your inputs,
2.Use Hub-Spoke topology with UDRs
AzureFirewallSubnet) in the Hub VNet.
3.Enable BGP route propagation on the GatewaySubnet
Hi @GAWAI, SRIKANT,
Even if both the ExpressRoute gateway and Azure Firewall are deployed in the same hub VNet, Azure does not support routing traffic from the GatewaySubnet to any NVA or firewall, including Azure Firewall.
Reason (by design)
GatewaySubnet is reserved for gateway control‑plane and data‑plane operations.0.0.0.0/0) would break gateway connectivity, BGP, and management traffic.GatewaySubnet.Forced tunneling with Azure Firewall in an ExpressRoute scenario does NOT rely on UDRs on the GatewaySubnet or workload subnets.
Instead, it works as follows:
This behavior is BGP‑based and does not involve subnet‑level routing on the GatewaySubnet.
Reference: https://learn.microsoft.com/en-in/azure/firewall/forced-tunneling
Supported traffic flow :
On‑prem → ExpressRoute Gateway → Azure Firewall → Internet
On BGP route propagation
GatewaySubnet cannot have a route table, there is no route‑propagation option available for it.You can’t route traffic from the GatewaySubnet using UDRs—this is blocked by design. For ExpressRoute, Azure Firewall Internet breakout works via BGP advertising 0.0.0.0/0 to on‑premises, not by applying routes on the GatewaySubnet.
Kindly let us know if the above helps or you need further assistance on this issue.
If the answer is helpful, kindly upvote it. If you have extra questions about this answer, please click "Comment".
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 30%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Thank you, Thanmayi, for your comments.
Instead of creating a spoke VNet and subnet and applying a default UDR to the spoke subnet, can we apply the default UDR to the default subnet in the hub VNet to route traffic to the Azure Firewall? Will that work?
Here are the steps:
We have a hub VNet with three subnets: Default, GatewaySubnet, and AzureFirewallSubnet.
Traffic coming from on-premises will ultimately reach the GatewaySubnet in the hub VNet.
Apply a default route (0.0.0.0/0) to the default subnet, with the next hop set to the firewall.
From the firewall, traffic flows to the internet.
Please suggest if this approach will work or if any corrections are needed.
Hi @SRIKANT GAWAI,
Thank you for the clarification.
No, applying a default UDR (0.0.0.0/0) to the Default subnet in the hub VNet will not work for routing on-premises traffic through Azure Firewall. User-defined routes only apply to traffic originating from resources within the associated subnet. Traffic coming from on-premises over ExpressRoute enters Azure via the GatewaySubnet and is not affected by UDRs applied to other hub subnets.
Since Azure does not support associating a default route with the GatewaySubnet, this approach cannot be used to achieve forced tunneling. To route on-premises Internet-bound traffic through Azure Firewall, default routes must be applied to workload subnets (typically in spoke VNets), while keeping the GatewaySubnet unchanged.
Thank you, Thanmayi, for your comments.
I have already applied default route to the spoke subnet. The traffic from the on-premises reaching upto express route circuit only. How should I route that traffic from circuit to firewall now so that it can go out to the internet.
Hi @GAWAI, SRIKANT,
For on‑prem → Azure inspection, the GatewaySubnet cannot accept a 0.0.0.0/0 UDR, but it does support UDRs for specific address prefixes. So you add a UDR on the GatewaySubnet using your VNet address range (for example 10.0.0.0/16) as the prefix, with next hop = Azure Firewall private IP. This ensures that all on‑prem traffic entering Azure via ExpressRoute is forwarded to Azure Firewall for scanning. With this setup, Azure outbound traffic uses the firewall, and on‑premises traffic reaching the ExpressRoute circuit is correctly routed to the firewall before going to the Internet.
Refer: https://learn.microsoft.com/en-us/answers/questions/860533/express-route-and-azure-firewall