0 Votes
rab-5283 asked SebSeb-1554 answered

Route table on VPN gateway subnet issue

Hello,

We have set up a VPN between Azure and on-premises with BGP enabled, and it works fine. One of the requirements is that all the traffic (from and to on-premises) should be filtered by an Azure Firewall, so we set up the Azure Firewall and added a UDR on the GatewaySubnet to route the traffic coming from on-premises to the Azure Firewall.
The routing rule placed on the gateway subnet is as follows:
- Address prefix = the address range allocated to Azure
- Next hop type = Virtual appliance
- Next hop IP address = the private ip address of the Azure Firewall
The routing rules placed on the AzureFirewallSubnet are as follows:
- Rule 1
- 0.0.0.0/0 -> internet
- Rule 2
- the address range allocated to Azure -> Virtual Network
- Rule 3
- the onpremises address ranges -> Virtual Network Gateway
The routing rule placed on a subnet in the same VNet as the VPN gateway and the Azure Firewall (the subnet contains a VM for testing purposes):
- 0.0.0.0/0 -> the private ip address of the Azure Firewall

When we try to ping the VM from onpremises with no UDR, it works just fine.
When we position these custom route tables, it does not work anymore (we tested with BGP propagation enabled on the route table positioned on the GatewaySubnet as well). Nothing shows in the Azure Firewall logs (the flows are allowed on the Azure Firewall).

Are we missing something? Your help would be really great.
Thank you



azure-vpn-gateway

0 Votes
SaiKishor-MSFT answered SaiKishor-MSFT edited

@rab-5283 Thank you for reaching out to Microsoft Q&A.

I understand that you have questions regarding your S2S VPN routing. Upon looking at your setup, you need the following routes:

  • You do not need to add a UDR to the Firewall subnet, as it learns the routes via BGP.

  • To route the subnet traffic through the firewall, you need a User Defined Route (UDR) that points to the firewall on the subnet's route table.

  • The gateway subnet should have a system route to route traffic to the VNet by default, so you won't need to add anything here either.

As you mentioned, without the UDR route, everything works well, right? Is there any reason that you want to add this UDR?

Thank you!


1 Vote
rab-5283 answered SaiKishor-MSFT commented

Hello,

Thank you for your response. I'll remove the UDR from the Azure Firewall subnet.

Actually, the traffic coming from on-premises must go through the Azure Firewall for filtering, and that's why we need the UDR on the VPN gateway subnet; otherwise the traffic will reach the destination and bypass the Azure Firewall.

Thank you for your precious help!

· 1

@rab-5283 Did this resolve your issue? Please let us know if you have any further questions/concerns and we will be glad to assist further. Thank you!

0 Votes 0 ·
0 Votes
rab-5283 answered

Hello,

The issue is still present when we add the route table on the VPN gateway subnet, and we need the route table to ensure that the traffic goes through the Azure Firewall.


0 Votes
MortenPedholt answered MortenPedholt commented

@rab-5283 I am also having this issue; please share if you find a solution.

· 3

You have to add an individual rule for each VNet in the VPN gateway subnet route table (I've been using the whole address range dedicated to Azure, 10.0.0.0/18). It works well now.
Hope it helps!

1 Vote 1 ·

Thank you for your response.

Can you be more specific?
Maybe you can share your Route table config?

In my scenario I have a virtual appliance in one address space in a VNet, and VMs in their own VNet and address space, with peering to the virtual appliance VNet.

0 Votes 0 ·

I have attached our route table.
Does yours look similar?

In the address prefix I have pasted the address space of each VNet in the environment; have you done that also, or do you type in subnets? (attachment: 103640-2021-06-09-10-34-44.png)


0 Votes 0 ·
0 Votes
rab-5283 answered MortenPedholt commented

Hello,

Yes, I've done the same as you (VPN route table). I've also added a specific route to the VNet containing the Azure Firewall (the virtual appliance in your case) on the spoke VNets to force the traffic to the Azure Firewall, and I disabled BGP propagation on all the route tables except the VPN gateway one.

· 1

Hi,

I have added the Propagation on the VPN Gateway and now it works properly.

Thanks :)

0 Votes 0 ·
0 Votes
SebSeb-1554 answered

Hello!

I'm facing exactly the same issue, but it is not working for me.

I have the following topology:
- 1 hub VNet (10.1.0.0/16) with 2 subnets (GatewaySubnet 10.1.1.0/27 and AzureFirewallSubnet 10.1.2.0/24), with one VPN gateway and an Azure Firewall deployed
- 1 spoke VNet (10.3.0.0/16) with one subnet 10.3.1.0/24 (one Ubuntu VM connected to that subnet)
- Azure Firewall private IP address: 10.1.2.2/32
- P2S pool: 172.10.0.0/24

  • 1 UDR associated to the GatewaySubnet with the following routes

--> 10.3.0.0/16 next hop 10.1.2.2 (AzureFirewall)
--> 172.10.0.0/24 next hop 10.1.2.2 (AzureFirewall)

  • 1 UDR associated to the spoke vnet with the following route:

--> 0.0.0.0/0 next hop 10.1.2.2 (AzureFirewall)

I set a network rule on the firewall allowing Any to Any (for debug purposes).

When connected using P2S, I'm not able to connect to the VM inside the spoke VNet using SSH, and nothing is shown in the firewall logs.
When disassociating the UDR on the GatewaySubnet, I'm able to SSH to the VM.

I'm not able to understand why nothing related to ssh is visible on the firewall logs.

Any help appreciated.


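The thread keeps coming back to one question: for a given configuration, which route does each subnet actually pick, and does the firewall end up on both legs of the flow? The following is an added walk-through written for this page, not code from Microsoft or from any poster. It is a constructed simulation of the documented Azure route-selection order (longest matching prefix wins; at equal prefix length a user-defined route beats a gateway-learned/BGP route, which beats a system route) applied to the addresses SebSeb-1554 posted; the client and VM host addresses are made up, and it assumes that with "use remote gateways" peering the spoke subnet sees the P2S pool as a gateway-learned route when propagation is enabled. It covers both layouts in the thread: the original question's "Azure range -> firewall" UDR on the GatewaySubnet plus "0.0.0.0/0 -> firewall" on the VM subnet, and SebSeb-1554's hub/spoke variant. It does not model the firewall's own state table, only where each packet is forwarded.

```python
"""Route-selection walk-through for the hub/spoke layout discussed in this thread.

Constructed simulation (not Azure's code).  Rule modelled: longest matching
prefix wins; on a tie a user-defined route beats a gateway-learned route,
which beats a system route.  Addresses are the ones posted by SebSeb-1554;
CLIENT_IP and VM_IP are made up for the walk-through.
"""
import ipaddress
from dataclasses import dataclass

# Route sources in tie-break order (lower value wins at equal prefix length).
UDR, GATEWAY_LEARNED, SYSTEM = 0, 1, 2

# Hub/spoke addressing from the thread.
HUB_VNET, SPOKE_VNET = "10.1.0.0/16", "10.3.0.0/16"
FIREWALL_IP = "10.1.2.2"
P2S_POOL = "172.10.0.0/24"
CLIENT_IP, VM_IP = "172.10.0.5", "10.3.1.4"   # constructed host addresses

SUBNETS = {                                    # subnet name -> CIDR (from the thread)
    "GatewaySubnet": "10.1.1.0/27",
    "AzureFirewallSubnet": "10.1.2.0/24",
    "SpokeSubnet": "10.3.1.0/24",
}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str   # "VirtualNetwork", "VirtualNetworkGateway", "Internet" or an appliance IP
    source: int


def select_route(routes, dst):
    """Longest-prefix match with UDR > gateway-learned > system tie-breaking."""
    dst_ip = ipaddress.ip_address(dst)
    best_key, best = None, None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst_ip in net:
            key = (net.prefixlen, -r.source)
            if best_key is None or key > best_key:
                best_key, best = key, r
    return best


def subnet_of(ip):
    """Find which subnet an appliance next-hop address lives in."""
    for name, cidr in SUBNETS.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
            return name
    raise ValueError(f"{ip} is not in a known subnet")


def effective_routes(gateway_udr, spoke_propagation):
    """Build each subnet's effective route table for one configuration variant."""
    system = [Route(HUB_VNET, "VirtualNetwork", SYSTEM),
              Route(SPOKE_VNET, "VirtualNetwork", SYSTEM),   # peered VNet
              Route("0.0.0.0/0", "Internet", SYSTEM)]
    # Assumption: the P2S pool is advertised by the gateway into every subnet
    # whose route table still has propagation enabled.
    learned = [Route(P2S_POOL, "VirtualNetworkGateway", GATEWAY_LEARNED)]
    tables = {
        "GatewaySubnet": system + learned,
        "AzureFirewallSubnet": system + learned,
        "SpokeSubnet": system + (learned if spoke_propagation else [])
                       + [Route("0.0.0.0/0", FIREWALL_IP, UDR)],
    }
    if gateway_udr:   # the UDR on the GatewaySubnet described in the thread
        tables["GatewaySubnet"] += [Route(SPOKE_VNET, FIREWALL_IP, UDR),
                                    Route(P2S_POOL, FIREWALL_IP, UDR)]
    return tables


def trace(tables, start_subnet, dst):
    """Follow next hops from a subnet until the packet leaves the VNet fabric."""
    path, subnet = [start_subnet], start_subnet
    for _ in range(5):   # guard against a routing loop between appliances
        route = select_route(tables[subnet], dst)
        if route.next_hop in ("VirtualNetwork", "VirtualNetworkGateway", "Internet"):
            path.append(route.next_hop)
            return path
        subnet = subnet_of(route.next_hop)     # handed to the virtual appliance
        path.append(subnet)
    path.append("LOOP")
    return path


def both_legs(gateway_udr, spoke_propagation):
    """Return (inbound path, return path) for client -> VM and VM -> client."""
    tables = effective_routes(gateway_udr, spoke_propagation)
    inbound = trace(tables, "GatewaySubnet", VM_IP)      # P2S client -> VM
    outbound = trace(tables, "SpokeSubnet", CLIENT_IP)   # VM -> P2S client
    return inbound, outbound


if __name__ == "__main__":
    for cfg in [(True, False), (True, True), (False, False)]:
        print("gateway UDR=%s, spoke propagation=%s -> %s" % (*cfg, both_legs(*cfg)))
```

Three configurations are worth comparing. With the GatewaySubnet UDR in place and propagation disabled on the spoke table, both legs pass through AzureFirewallSubnet. Leave propagation enabled on the spoke table and the gateway-learned /24 for the P2S pool outranks the 0.0.0.0/0 UDR, so the return leg goes straight to the gateway and the firewall only ever sees half the conversation; that is the case rab-5283 avoided by disabling BGP propagation everywhere except the gateway subnet. Remove the GatewaySubnet UDR and the inbound leg takes the system route directly to the VM, which is why SSH works again but the firewall logs stay empty.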