DavidEaton-9998 asked SaiKishor-MSFT commented

Struggling to understand if I can route traffic from one subnet to another and out through a public IP that's on an Nginx Proxy/Router

Hello,

I've been using Azure for a while, but it's mostly App Services and VMs where the default created Networks have been fine for what I've been doing. I've now created a little problem where my lack of Azure Network knowledge has me stumped. I'm still trying to learn as much as I can about it and trying to solve this issue myself, but I've got a time constraint and so I'm reaching out for help.

I have a Linux VM as a Router/Nginx reverse proxy. It has a public IP address (let's say 20.31.101.82) on a network interface on a 10.0.0.0/24 subnet. It has a private IP of 10.0.0.4.
This VM has another network interface on a 10.0.10.0/24 subnet with a private IP of 10.0.10.10.
The VM has port forwarding set up in the OS and configured in Azure.

On the 10.0.10.0/24 subnet I have a webserver. Simple Apache site.
What works is: I can SSH to 20.31.101.82 on port 6100 and the VM router gets me to the webserver and it's all good.
I can point DNS records to 20.31.101.82 and the Nginx proxy will send them to the correct server (I have 2 at the moment, but there will be more).
I want to do this so I can have Let's Encrypt manage all of my SSL certificates on the Nginx proxy.

What I can't work out how to do, is get the traffic from the servers on the 10.0.10.0/24 subnet, out through the public IP 20.31.101.82. What I mean by that is, if I'm on the Apache webserver and use the dig command to work out my public IP, I get one that I assume is attached to the private subnet and not 20.31.101.82.
In an environment where I control all of the network, I'd set the default gateway on the Apache server to be 10.0.0.4 (the IP of the Nginx proxy router).

I've tried to do this with routes. There are no firewall rules on the servers on the 10.0.10.0/24 subnet. I'm not getting anywhere.

Have I approached this all wrong? Should I be using a different Azure service?

Thanks for any help,

David

Tags: azure-virtual-network, azure-virtual-machines-networking

@DavidEaton-9998 Thank you for reaching out to Microsoft Q&A. Quick question regarding your setup: have you tried to do a tcpdump on the 10.0.0.4 interface, and do you see traffic from Apache reaching it and trying to go out through it? Can you please test and let me know? Thank you!

tcpdump command: sudo tcpdump -i <interface name> host <source IP>

Please use this command and use the IP 10.0.10.10 as the source IP to check if this traffic reaches the 10.0.0.4 interface. Thank you!


Hello,
I'm using AlmaLinux and used the command like this: tcpdump -i eth1, as it didn't like the argument Host.

If I do a dig command on the web server, I see the output that I'll put in the next reply, as it's more characters than I can fit in here.

Does that help at all? To me I can only see SSH traffic and the ARP text, which I don't understand.
My end goal is to get the webserver to have the same public IP as the Nginx router.

This is the route table from my web server:

Destination      Gateway   Genmask          Flags  Metric  Ref  Use  Iface
default          _gateway  0.0.0.0          UG     100     0    0    eth0
10.0.10.0        0.0.0.0   255.255.255.0    U      100     0    0    eth0
168.63.129.16    _gateway  255.255.255.255  UGH    100     0    0    eth0
169.254.169.254  _gateway  255.255.255.255  UGH    100     0    0    eth0


15:46:10.269405 IP myrouter.myweb.com.32261 > mywebserver.internal.cloudapp.net.ssh: Flags [P.], seq 128:192, ack 385, win 1023, length 64
15:46:10.270316 IP mywebserver.internal.cloudapp.net.ssh > myrouter.myweb.com.32261: Flags [P.], seq 385:497, ack 192, win 288, length 112
15:46:10.360858 IP myrouter.myweb.com.32261 > mywebserver.internal.cloudapp.net.ssh: Flags [.], ack 497, win 1022, length 0
15:46:10.901838 IP myrouter.myweb.com.32261 > mywebserver.internal.cloudapp.net.ssh: Flags [P.], seq 192:256, ack 497, win 1022, length 64
15:46:10.903178 IP mywebserver.internal.cloudapp.net.ssh > myrouter.myweb.com.32261: Flags [P.], seq 497:561, ack 256, win 288, length 64
15:46:10.921553 IP mywebserver.internal.cloudapp.net.ssh > myrouter.myweb.com.32261: Flags [P.], seq 561:641, ack 256, win 288, length 80
15:46:10.923280 IP mywebserver.internal.cloudapp.net.ssh > myrouter.myweb.com.32261: Flags [P.], seq 641:769, ack 256, win 288, length 128
15:46:10.961888 IP myrouter.myweb.com.32261 > mywebserver.internal.cloudapp.net.ssh: Flags [.], ack 641, win 1022, length 0
15:46:11.032364 IP myrouter.myweb.com.32261 > mywebserver.internal.cloudapp.net.ssh: Flags [.], ack 769, win 1021, length 0
15:46:15.296498 ARP, Request who-has mywebserver.internal.cloudapp.net tell myrouter.myweb.com, length 28
15:46:15.296998 ARP, Reply mywebserver.internal.cloudapp.net is-at 12:34:56:78:9a:bc (oui Unknown), length 28


1 Answer

DavidEaton-9998 answered SaiKishor-MSFT commented

Hello,
Thanks for trying to help me, but I've managed to get it to do what I wanted it to.
I added a route for 0.0.0.0/0 to be an appliance at 10.0.10.10 and I get the public IP on my VM.

I did mess about with routes before, but didn't put everything.

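The fix in the answer (a 0.0.0.0/0 route whose next hop is the router VM at 10.0.10.10) only works when the router's Azure NIC has IP forwarding enabled and the router itself forwards and NATs the web subnet onto its 10.0.0.4 side. The script below is an added example, not something posted in the thread or part of any Microsoft tooling; it shows the Azure CLI and Linux steps together with the checks that would have answered the tcpdump question. The resource group, VNet, subnet, NIC and interface names are assumptions (override them via environment variables); the addresses and CIDRs come from the thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Implements the fix from the answer: a user-defined
# route sending 0.0.0.0/0 from the 10.0.10.0/24 subnet to the router VM's 10.0.10.10 NIC,
# plus the forwarding/NAT the router needs so the web server's traffic leaves via
# 20.31.101.82. Resource, NIC and interface names below are assumptions.
set -euo pipefail

RG="${RG:-rg-web}"                               # assumed resource group
VNET="${VNET:-vnet-web}"                         # assumed VNet holding both subnets
WEB_SUBNET="${WEB_SUBNET:-snet-web}"             # assumed name of the 10.0.10.0/24 subnet
ROUTER_NIC="${ROUTER_NIC:-router-nic-internal}"  # assumed router NIC that holds 10.0.10.10
WEB_NIC="${WEB_NIC:-webserver-nic}"              # assumed NIC of the Apache VM
RT_NAME="${RT_NAME:-rt-web-via-router}"          # assumed route table name
WAN_IF="${WAN_IF:-eth0}"                         # assumed router interface with 10.0.0.4
LAN_IF="${LAN_IF:-eth1}"                         # assumed router interface with 10.0.10.10
APPLIANCE_IP="10.0.10.10"                        # from the thread
WEB_SUBNET_CIDR="10.0.10.0/24"                   # from the thread
DRY_RUN="${DRY_RUN:-0}"                          # DRY_RUN=1 prints commands instead of running

# Every external command goes through run() so the script can be dry-run offline.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Azure side. The UDR changes the next hop for the whole subnet; IP forwarding on the
# router's NIC stops the Azure fabric from dropping packets whose destination is not
# that NIC's own address. Either one without the other blackholes the web subnet.
azure_route_via_appliance() {
  run az network nic update -g "$RG" -n "$ROUTER_NIC" --ip-forwarding true
  run az network route-table create -g "$RG" -n "$RT_NAME"
  run az network route-table route create -g "$RG" --route-table-name "$RT_NAME" \
    -n default-via-router --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$APPLIANCE_IP"
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$WEB_SUBNET" \
    --route-table "$RT_NAME"
}

# Router side (run on the Nginx/router VM). Kernel forwarding plus source NAT onto the
# 10.0.0.4 interface; Azure then translates 10.0.0.4 to the public IP 20.31.101.82.
# The rule is scoped to the web subnet so nothing else is NATed by accident. -A appends
# on every run; check with 'iptables -t nat -C ...' first when re-running on a live box.
router_forward_and_nat() {
  run sudo sysctl -w net.ipv4.ip_forward=1
  run sudo iptables -t nat -A POSTROUTING -s "$WEB_SUBNET_CIDR" -o "$WAN_IF" -j MASQUERADE
}

# Checks. The effective-route view shows whether the UDR really applies to the web
# server's NIC. The tcpdump filter uses lower-case 'host'/'net' (capital 'Host' is what
# tripped the thread) and excludes SSH so forwarded web-server traffic stands out.
verify_effective_routes() {
  run az network nic show-effective-route-table -g "$RG" -n "$WEB_NIC" -o table
}
verify_on_router() {
  run sudo tcpdump -ni "$LAN_IF" -c 20 src net "$WEB_SUBNET_CIDR" and not port 22
}
verify_on_webserver() {
  run dig +short myip.opendns.com @resolver1.opendns.com   # should now print 20.31.101.82
}

case "${1:-}" in
  azure)     azure_route_via_appliance ;;
  router)    router_forward_and_nat ;;
  check)     verify_effective_routes ;;
  "")        ;;   # sourced or run without an action: define functions only
  *)         echo "usage: $0 {azure|router|check}" >&2; exit 2 ;;
esac
```

Run `DRY_RUN=1 ./route-via-router.sh azure` first to review the exact commands, then `azure` from a workstation with the CLI logged in, `router` on the router VM, and `check` once the route table is associated. The order matters on a live system: enable IP forwarding and the NAT rule before associating the route table, otherwise the web subnet loses outbound connectivity until both are in place.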

@DavidEaton-9998 Glad your issue is resolved. Please let us know if you need any further assistance. Thank you!
