0 Votes
SholaLawani-0401 asked learn2skills commented

Azure FW with VM NIC shows no internet access

Hello Experts,

So I have a small lab environment with a hub (Azure FW) and two Spokes (with VMs). I'm redirecting all traffic 0.0.0.0/0 via the firewall using UDRs.

However, I have noticed that the VM NIC (in the spoke VNet) in this setup indicates "No internet access"; however, if I create an application rule to allow microsoft.com, for instance, I can still browse the site. My question: what is preventing the VM NIC from showing internet access? Is there a rule in Azure FW that I haven't created?

azure-virtual-network azure-firewall

anonymous user

Just checking in to see if the below answers helped. If this answers your query, do click “Accept Answer” and Up-Vote for the same. And, if you have any further query do let us know.



Let us know if anything is required.

Please don’t forget to "Accept the answer" and up-vote wherever the information provided helps you, this can be beneficial to other community members.


To follow up, please let us know if you have any further queries on this.
Please don’t forget to accept the answer.

1 Vote
learn2skills answered

Yes, you should allow Azure FW rules that should allow internet access.

https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview

0 Votes
AndreasBaumgarten answered AndreasBaumgarten edited

If I remember right the Windows Network Connectivity Status Indicator (NCSI) is running multiple tests to check if the client is connected to the internet.

  1. The following URL is used for the first test: https://www.msftconnecttest.com

  2. If the URL is reachable from the client, an HTTP GET request for https://www.msftconnecttest.com/connecttest.txt is sent.

  3. If this is successful, NCSI will try to resolve the DNS name dns.msftncsi.com.

  4. If the response is "131.107.255.255" the test is successful and the indicator in the Task Bar will show "Internet access".

So you should add https://www.msftconnecttest.com to your white-list in the Firewall.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
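
The checks listed in the answer above can be run by hand on the spoke VM to see which one the firewall blocks. This is an added example, not part of the original post; the expected body text "Microsoft Connect Test" and the plain-HTTP form of the probe URL are assumptions taken from Microsoft's NCSI documentation, not from the thread.

```powershell
# Added example (not from the thread): run the NCSI checks by hand on the spoke VM.
$ExpectedDns  = '131.107.255.255'          # expected DNS answer, from the post above
$ExpectedBody = 'Microsoft Connect Test'   # assumption: documented content of connecttest.txt
$ProbeUrls = @(
    'https://www.msftconnecttest.com/connecttest.txt',  # URL as written in the post above
    'http://www.msftconnecttest.com/connecttest.txt'    # assumption: plain-HTTP form of the probe
)

function Test-NcsiWebProbe {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        $body = if ($resp.Content -is [byte[]]) {
            [System.Text.Encoding]::ASCII.GetString($resp.Content)
        } else { [string]$resp.Content }
        # Compare the body too, so an intercepting device's own reply is not counted as success.
        $ok = ($resp.StatusCode -eq 200) -and ($body.Trim() -eq $ExpectedBody)
        $detail = "HTTP $($resp.StatusCode), body '$($body.Trim())'"
    } catch {
        # Denied, reset or timed-out requests end up here.
        $ok = $false
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{ Check = 'Web probe'; Target = $Url; Passed = $ok; Detail = $detail }
}

function Test-NcsiDnsProbe {
    param([string]$Name = 'dns.msftncsi.com')
    try {
        $records = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
        # Keep only records that carry an address (skips CNAME entries).
        $ips = @($records | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
        $ok = $ips -contains $ExpectedDns
        $detail = "resolved to: $($ips -join ', ')"
    } catch {
        $ok = $false
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{ Check = 'DNS probe'; Target = $Name; Passed = $ok; Detail = $detail }
}

# One row per check; a failed row shows which probe the egress rules do not yet allow.
$results = @($ProbeUrls | ForEach-Object { Test-NcsiWebProbe -Url $_ }) + (Test-NcsiDnsProbe)
$results | Format-Table -AutoSize -Wrap
```

A failed web probe alongside a passing DNS probe points at a missing application rule for www.msftconnecttest.com on the scheme that failed.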


