Can't connect after adding default route

-M 0 Reputation points
2024-01-03T18:05:29.2833333+00:00

Having trouble with something I thought would be simple... Need to block internet traffic on specific Azure VMs to all but a select few sites.

We have (2) groups of Azure VMs...
With_Internet, basically unfiltered outbound traffic
NO_Internet, blocking all web traffic (HTTP/HTTPS) to all but a select few sites... and my understanding of how to accomplish this is using the Azure Firewall and application rules based on FQDN.

We have created (4) VNets...
10.0.0.0/27 Default With_Internet (contains Azure VM)
10.0.0.32/27 Default NO_Internet (contains Azure VM)
10.0.1.0/26 Azure Bastion AzureBastionSubnet
10.0.2.0/26 Azure Firewall AzureFirewallSubnet

We have a single NSG with default rules associated with both Azure VM /27 subnets.

We have a single Azure Firewall in the same region with a public IP and a private IP contained within the AzureFirewallSubnet.

We have a single Azure Firewall Policy in the same region with multiple rule collections.

At this point connectivity works, via web interface and Bastion access to VMs in both /27 subnets.

When I create a default route and associate that route with a VM subnet I lose all connectivity to the VMs on that subnet.

The default route has propagate route enabled and is configured as...
Destination IP addresses: 0.0.0.0/0
Next hop type: VirtualAppliance
Next hop address: 10.0.2.4 (Azure firewall private IP)

Our connectivity is strictly from login via https://windows365.microsoft.com/ent#/devices, and we use the web interface to connect to the VM or Bastion.

When we associate the default route, we lose both web and Bastion connectivity...

Any pointers/guidance/suggestions...


3 answers

  1. Silvia Wibowo 3,166 Reputation points Microsoft Employee
    2024-01-03T23:17:09.35+00:00

    Hi @-M , I understand that you want to restrict internet access from some of your VMs using Firewall FQDN rules.

    The default route forwards traffic to/from the internet to Azure Firewall. This has an implication that VMs in the subnet with the default route will not have direct access to the internet. You need to configure Firewall rules to enable inbound/outbound traffic of the VMs. You may have outbound traffic configured with your Firewall FQDN rules, but without any inbound traffic, you can't reach your VM.

    If you want to RDP directly to your VMs after the default route is applied in the VMs' subnet, create a DNAT rule in your Firewall, translating your Firewall's public IP address with a certain port (e.g. port 6001) to your VM's private IP address port 3389 (RDP) - you may want to put a restriction that only your laptop's IP address is allowed (Source IP address in your Firewall rule = your laptop's public IP address). Then your laptop can connect using an RDP client to the Firewall's IP address on port 6001. You can create additional DNAT rules for other VMs, for example port 6002 for the second VM, and so on.

    Your Bastion is on a different subnet from your VMs, so after you apply default route to your VM's subnet, you can still connect to your VMs via Bastion, as long as you don't apply default route to your Bastion subnet. Bastion will connect to your VMs using private IP address.

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
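The setup the answer above describes (a 0.0.0.0/0 route to the firewall's private IP, a DNAT rule that exposes RDP on a high port of the firewall's public IP restricted to one admin source, and an application rule collection that allows only the listed FQDNs from the NO_Internet subnet), written out as Bicep. This is an added example, not code from the thread or from Microsoft. It assumes an existing firewall policy named `fwpolicy-hub` and the `10.0.2.4` firewall private IP from the question; the firewall public IP, the VM private IP, the admin client IP and the FQDN list are placeholder parameters you supply at deploy time.

```bicep
// Added example: route table plus firewall policy rule collection group for the
// NO_Internet subnet. Names and parameter values below are assumptions.
param location string = resourceGroup().location
param firewallPolicyName string = 'fwpolicy-hub'   // assumed name of the existing policy
param firewallPrivateIp string = '10.0.2.4'          // from the question
param firewallPublicIp string                        // placeholder: the firewall's public IP
param vm1PrivateIp string                            // placeholder: VM inside 10.0.0.32/27
param adminPublicIp string                           // placeholder: the one client allowed to RDP
param allowedFqdns array = [ 'www.example.com' ]     // placeholder: the "select few sites"

// 1. Default route: all traffic leaving the subnet goes to the firewall.
//    Propagation is left enabled, matching the route described in the question.
resource rt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-no-internet'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// 2. Rules in the existing firewall policy.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: firewallPolicyName
}

resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'rcg-no-internet'
  properties: {
    priority: 200
    ruleCollections: [
      {
        // DNAT: firewallPublicIp:6001 -> vm1PrivateIp:3389, only from adminPublicIp.
        // Keep sourceAddresses to a specific address; '*' would expose RDP to the internet.
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'dnat-rdp-admin'
        priority: 100
        action: { type: 'DNAT' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'rdp-vm1-6001'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ adminPublicIp ]
            destinationAddresses: [ firewallPublicIp ]
            destinationPorts: [ '6001' ]
            translatedAddress: vm1PrivateIp
            translatedPort: '3389'
          }
        ]
      }
      {
        // Application rules: only the listed FQDNs are reachable over HTTP/HTTPS
        // from the NO_Internet subnet; everything else is denied by default.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'app-allow-selected-fqdns'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-listed-sites'
            sourceAddresses: [ '10.0.0.32/27' ]
            protocols: [
              { protocolType: 'Https', port: 443 }
              { protocolType: 'Http', port: 80 }
            ]
            targetFqdns: allowedFqdns
          }
        ]
      }
    ]
  }
}

output routeTableId string = rt.id
```

Deploy it with `az deployment group create --resource-group <rg> --template-file no-internet.bicep --parameters firewallPublicIp=<ip> vm1PrivateIp=<ip> adminPublicIp=<ip>`, then attach the route table to the VM subnet only, e.g. `az network vnet subnet update --resource-group <rg> --vnet-name <vnet> --name NO_Internet --route-table rt-no-internet`. The association is done with the CLI rather than a subnet resource in the template so the subnet's existing NSG binding is not overwritten. Do not attach the route table to AzureBastionSubnet; as the answer says, Bastion reaches the VMs by private IP and keeps working as long as its own subnet is not routed through the firewall. A quick check after deployment is to browse from a NO_Internet VM to one listed FQDN (should succeed) and to any other site (should be denied by the firewall's default application rule deny), and to confirm in the firewall's application rule logs that the denies are recorded.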


  2. Silvia Wibowo 3,166 Reputation points Microsoft Employee
    2024-01-08T00:10:46.5+00:00

    Hi @M.Black, let's clarify one thing first: can your Bastion reach your VMs with default route (route propagation enabled)?

    Next clarification, are we talking about AVD (Azure Virtual Desktop) session host? If yes, your session hosts and users need to be able to connect to the Azure Virtual Desktop service. These connections also use TCP on port 443 to a specific list of URLs. For more information, see Required URL list. You must make sure these URLs aren't blocked by network filtering or a firewall in order for your deployment to work properly and be supported. If your users need to access Microsoft 365, make sure your session hosts can connect to Microsoft 365 endpoints.


  3. -M 0 Reputation points
    2024-01-08T13:56:22.0533333+00:00

    So apparently the issue was related to the Virtual Network not being associated with the firewall policy as a security provider... go figure.

    Anyone know how to script this?