Route table on VPN gateway subnet issue

Rim Abboudi 16 Reputation points Microsoft Employee
2021-05-26T17:43:39.633+00:00

Hello,

We have set up a VPN between Azure and on-premises with BGP enabled, and it works fine. One of the requirements is that all the traffic (from and to on-premises) should be filtered by an Azure Firewall, so we set up the Azure Firewall and added a UDR on the GatewaySubnet to route the traffic coming from on-premises to the Azure Firewall.

The routing rule placed on the gateway subnet is as follows:

  • Address prefix = the address range allocated to Azure
  • Next hop type = Virtual appliance
  • Next hop IP address = the private IP address of the Azure Firewall

The routing rules placed on the AzureFirewallSubnet are as follows:

  • Rule 1: 0.0.0.0/0 -> Internet
  • Rule 2: the address range allocated to Azure -> Virtual Network
  • Rule 3: the on-premises address ranges -> Virtual Network Gateway

The routing rule placed on a subnet in the same VNet as the VPN gateway and the Azure Firewall (the subnet contains a VM for testing purposes):

  • 0.0.0.0/0 -> the private IP address of the Azure Firewall

When we try to ping the VM from on-premises with no UDR, it works just fine.
When we put these custom route tables in place, it does not work anymore (we also tested with BGP propagation enabled on the route table positioned on the GatewaySubnet). Nothing shows in the Azure Firewall logs (the flows are allowed on the Azure Firewall).

Are we missing something? Your help would be really appreciated.
Thank you


6 answers

Sort by: Newest
  1. Cloudy 186 Reputation points
    2022-05-02T06:18:35.71+00:00

    Hello !

    I'm facing exactly the same issue, but it's not working for me.

    I have the following topology:

    • 1 hub VNet (10.1.0.0/16) with 2 subnets (GatewaySubnet (10.1.1.0/27) / AzureFirewallSubnet (10.1.2.0/24)), with one VPN gateway and an Azure Firewall deployed
    • 1 spoke VNet (10.3.0.0/16) with one subnet 10.3.1.0/24 (one Ubuntu VM connected to that subnet)
    • Azure Firewall private IP address: 10.1.2.2/32
    • P2S pool: 172.10.0.0/24
    • 1 UDR associated to the GatewaySubnet with the following routes:

    --> 10.3.0.0/16 next hop 10.1.2.2 (AzureFirewall)
    --> 172.10.0.0/24 next hop 10.1.2.2 (AzureFirewall)

    • 1 UDR associated to the spoke vnet with the following route:

    --> 0.0.0.0/0 next hop 10.1.2.2 (AzureFirewall)

    I set a network rule on the firewall with Any to Any allow (for debug purposes).

    When connected using P2S, I'm not able to connect to the VM inside the spoke VNet using SSH, and nothing is shown in the firewall logs.
    When disassociating the UDR from the GatewaySubnet, I'm able to SSH to the VM.

    I'm not able to understand why nothing related to SSH is visible in the firewall logs.

    Any help appreciated

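As an added illustration (not code from this thread, from Azure, or from any poster), here is a small Python model of Azure route selection applied to the topology in Cloudy's post and to the layout in the original question: it traces each direction of a flow across the GatewaySubnet, AzureFirewallSubnet and spoke route tables and shows which direction never touches the firewall, which is a direction the firewall can neither filter nor log. The selection rule, the system and gateway routes, and the terminal names `hub-vnet`, `spoke-vnet` and `vpn-gateway` are assumptions of the model, not effective routes read from a real deployment.

```python
import ipaddress

# Assumed Azure selection rule: longest prefix match wins; on a tie a user route
# beats a gateway (BGP/P2S) route, which beats a system route.
RANK = {"user": 0, "gateway": 1, "system": 2}   # route = (prefix, next_hop, source)

def effective_route(table, dst):
    """Return the route in `table` that Azure would apply to destination `dst`."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in table if ip in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -RANK[r[2]])) if hits else None

def trace(tables, start, dst, limit=8):
    """Follow next hops from subnet `start`; a next hop naming a key of `tables` is
    a subnet whose table is consulted next, anything else is terminal."""
    path = [start]
    while len(path) <= limit:
        r = effective_route(tables[path[-1]], dst)
        nxt = r[1] if r else "drop"
        if nxt in path:               # routing loop between subnets
            return path + [nxt, "loop"]
        path.append(nxt)
        if nxt not in tables:
            return path
    return path + ["limit"]

# Constructed from Cloudy's post: firewall 10.1.2.2 in AzureFirewallSubnet, hub
# 10.1.0.0/16, spoke 10.3.0.0/16, P2S pool 172.10.0.0/24. System and gateway routes
# are assumed; "vpn-gateway" is the tunnel endpoint that reaches P2S clients.
TABLES = {
    "GatewaySubnet": [
        ("10.1.0.0/16", "hub-vnet", "system"),
        ("10.3.0.0/16", "spoke-vnet", "system"),           # vnet peering
        ("10.3.0.0/16", "AzureFirewallSubnet", "user"),    # UDR -> 10.1.2.2
    ],
    "AzureFirewallSubnet": [
        ("10.3.0.0/16", "spoke-vnet", "system"),
        ("172.10.0.0/24", "vpn-gateway", "gateway"),
    ],
    "SpokeSubnet": [
        ("10.3.0.0/16", "spoke-vnet", "system"),
        ("172.10.0.0/24", "vpn-gateway", "gateway"),       # gateway transit
        ("0.0.0.0/0", "AzureFirewallSubnet", "user"),      # UDR -> 10.1.2.2
    ],
}

def with_specific_spoke_route(tables):
    """Rim's remedy: a /24 user route for the P2S pool on the spoke so the firewall wins."""
    fixed = {k: list(v) for k, v in tables.items()}
    fixed["SpokeSubnet"].append(("172.10.0.0/24", "AzureFirewallSubnet", "user"))
    return fixed
```

In the model the inbound path crosses the firewall while the return path from the spoke takes the more specific gateway route straight back, so the spoke's 0.0.0.0/0 UDR alone does not force symmetry; compare the model against the real effective routes (`az network nic show-effective-route-table`) before changing anything.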

  2. Rim Abboudi 16 Reputation points Microsoft Employee
    2021-06-14T07:51:25.137+00:00

    Hello,

    Yes, I've done the same as you (VPN route table). I've also added a specific route to the VNet containing the Azure Firewall (virtual appliance in your case) on the spoke VNets to force the traffic to the Azure Firewall, and I disabled BGP propagation on all the route tables except the VPN gateway one.


  3. Morten Pedholt 1 Reputation point MVP
    2021-06-09T04:42:10.883+00:00

    @Anonymous I also have this issue, please share if you find a solution.


  4. Rim Abboudi 16 Reputation points Microsoft Employee
    2021-06-03T08:25:56.023+00:00

    Hello,

    The issue is still present when we add the route table on the VPN gateway subnet, and we need the route table to ensure that the traffic goes through the Azure Firewall.

  5. Rim Abboudi 16 Reputation points Microsoft Employee
    2021-06-02T18:19:28.917+00:00

    Hello,

    Thank you for your response. I'll remove the UDR from the Azure Firewall Subnet.

    Actually, the traffic coming from on-premises must go through the Azure Firewall for filtering, and that's why we need the UDR on the VPN Gateway subnet; otherwise the traffic will reach the destination and bypass the Azure Firewall.

    Thank you for your precious help!

    1 person found this answer helpful.