Filter P2S traffic through Azure Firewall to spokes

Cloudy 186 Reputation points
2022-05-02T06:20:30.5+00:00

Hello !

I'm trying to force all the P2S traffic through Azure Firewall to be able to reach the spoke VNets.

I have the following topology:

  • 1 hub VNet (10.1.0.0/16) with 2 subnets (GatewaySubnet 10.1.1.0/27 / AzureFirewallSubnet 10.1.2.0/24), with one VPN gateway and an Azure Firewall deployed
  • 1 spoke VNet (10.3.0.0/16) with one subnet 10.3.1.0/24 (one Ubuntu VM connected to that subnet)
  • Azure Firewall private IP address: 10.1.2.2/32
  • P2S pool: 172.10.0.0/24
  • 1 UDR associated to the GatewaySubnet with the following routes:
    --> 10.3.0.0/16 next hop 10.1.2.2 (Azure Firewall)
    --> 172.10.0.0/24 next hop 10.1.2.2 (Azure Firewall)
  • 1 UDR associated to the spoke VNet with the following route:
    --> 0.0.0.0/0 next hop 10.1.2.2 (Azure Firewall)

I set a network rule on the firewall with Any to Any allow (for debug purposes).

When connected by using P2S, I'm not able to connect to the VM inside the spoke VNet using SSH, and nothing is shown in the firewall logs.
When disassociating the UDR from the GatewaySubnet, I'm able to SSH to the VM.

I'm not able to understand why nothing related to SSH is visible in the firewall logs.
The behavior is exactly the same when using a Virtual WAN (and for cost purposes, vWAN is not possible in my case).

Any help appreciated
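To reason about which next hop each direction of the SSH flow takes in the topology above, here is a small route-selection model added as an example (it is not code from this thread). It applies Azure's documented selection order: longest prefix first, then user-defined route over BGP over system route. It assumes the spoke is peered with "use remote gateways", so the P2S pool 172.10.0.0/24 is learned in the spoke as a VirtualNetworkGateway route unless gateway route propagation is disabled on the spoke route table; the client 172.10.0.5 and VM 10.3.1.4 addresses are constructed samples.

```python
"""Effective-route lookup for the hub/spoke P2S topology described above."""
from ipaddress import ip_address, ip_network

FIREWALL = "10.1.2.2"
# Tie-break between equally specific prefixes (lower wins): user > bgp > system.
PRECEDENCE = {"user": 0, "bgp": 1, "system": 2}


def route(prefix, next_hop, source="system"):
    return {"prefix": ip_network(prefix), "next_hop": next_hop, "source": source}


def effective_route(routes, dst):
    """Longest-prefix match, then Azure's source precedence for equal prefixes."""
    dst = ip_address(dst)
    candidates = [r for r in routes if dst in r["prefix"]]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (r["prefix"].prefixlen, -PRECEDENCE[r["source"]]))


# GatewaySubnet: system routes plus the two UDR entries from the question.
GATEWAY_SUBNET = [
    route("10.1.0.0/16", "VirtualNetwork"),
    route("10.3.0.0/16", "VNetPeering"),
    route("172.10.0.0/24", "VirtualNetworkGateway"),  # P2S pool injected by the gateway
    route("0.0.0.0/0", "Internet"),
    route("10.3.0.0/16", FIREWALL, "user"),
    route("172.10.0.0/24", FIREWALL, "user"),
]


def spoke_subnet(propagate_gateway_routes=True):
    """Spoke subnet routes; the P2S pool appears only while propagation is on (default)."""
    routes = [
        route("10.3.0.0/16", "VirtualNetwork"),
        route("10.1.0.0/16", "VNetPeering"),
        route("0.0.0.0/0", "Internet"),
        route("0.0.0.0/0", FIREWALL, "user"),  # the spoke UDR from the question
    ]
    if propagate_gateway_routes:
        routes.append(route("172.10.0.0/24", "VirtualNetworkGateway"))
    return routes


def ssh_path(client, vm, propagate_gateway_routes=True):
    """Return (forward next hop, return next hop, both-through-firewall?)."""
    fwd = effective_route(GATEWAY_SUBNET, vm)["next_hop"]
    back = effective_route(spoke_subnet(propagate_gateway_routes), client)["next_hop"]
    return fwd, back, fwd == back == FIREWALL


if __name__ == "__main__":
    for prop in (True, False):
        print(f"gateway route propagation={prop}: {ssh_path('172.10.0.5', '10.3.1.4', prop)}")
```

With propagation on, the /24 learned from the gateway is more specific than the spoke's 0.0.0.0/0 UDR, so the VM's replies go straight to the gateway while the forward packets went via the firewall; with propagation off (or an explicit 172.10.0.0/24 -> 10.1.2.2 route in the spoke UDR) both directions pass the firewall and show up in its logs.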


1 answer

Cloudy 186 Reputation points
2022-05-04T13:17:12.29+00:00

Dear @GitaraniSharma-MSFT,

I finally made it work by playing with the UDR :)

Thanks for your help!