Thursday, September 10, 2020

Azure Firewall drops traffic to on-prem S2S VPN

We're currently setting up an Azure Firewall at a client site. Initial implementation was done by following the MS documentation: 

https://docs.microsoft.com/en-us/azure/firewall/deploy-ps

After deployment and after attaching a given subnet to the default route table (to force all outbound traffic to pass through the Azure Firewall), then there was no communication from the Azure subnet and to the local VPN gateway (S2S VPN to on-premises). Other subnets that weren't attached to the route table worked fine.

It seemed that new default route (see example below) might be overriding the existing default routes in Azure. And that the way forward would be to create additional routes to specify traffic to the VPN.

$routeTableDG = New-AzRouteTable `

-Name Firewall-rt-table ` -ResourceGroupName Test-FW-RG ` -location "East US" ` -DisableBgpRoutePropagation #Create a route Add-AzRouteConfig ` -Name "DG-Route" ` -RouteTable $routeTableDG ` -AddressPrefix 0.0.0.0/0 ` -NextHopType "VirtualAppliance" ` -NextHopIpAddress $AzfwPrivateIP ` | Set-AzRouteTable


It turns out that the standard routes were fine. Only the default route to the internet is overridden (which is expected), the other two remain in use:

These are the standard routes that Azure creates:

"Each virtual network subnet has a built-in, system routing table. The system routing table has the following three groups of routes:
Local VNet routes: Directly to the destination VMs in the same virtual network.
On-premises routes: To the Azure VPN gateway.
Default route: Directly to the Internet. Packets destined to the private IP addresses not covered by the previous two routes are dropped."

The problem was that the property setting: "Propagate gateway routes" was set to "No", see below. This means that the VPN gateway routes are not visible/propagated to the subnets. To turn it on you can either do it from the portal or configure it via Powershell.




To do this in Powershell, simply remove the line: -DisableBgpRoutePropagation from the New-AzRouteTable command so it looks like below :

-Name Firewall-rt-table ` -ResourceGroupName Test-FW-RG ` -location "East US" #-DisableBgpRoutePropagation

This will set the property to: "False" which in the portal corresponds to "Yes".  You can see the "false" setting under Route table -> Export template.

When done, the published routes from the virtual gateway become visible under Route tables -> "your route table" -> Effective routes, like below, and traffic will flow to the on-prem site via VPN as well.








Posted by at
Labels: , , ,

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Subscribe to: Post Comments (Atom)