Can't connect after adding default route


Having trouble with something I thought would be simple... I need to block web traffic from specific Azure VMs to all but a select few sites.


We have (2) groups of Azure VMs...
With_Internet: basically unfiltered outbound traffic
NO_Internet: blocking all web traffic (HTTP/HTTPS) to all but a select few sites... and my understanding is that the way to accomplish this is with Azure Firewall and application rules based on FQDN.

We have created (4) VNets...
10.0.0.0/27 Default With_Internet (contains Azure VM)
10.0.0.32/27 Default NO_Internet (contains Azure VM)
10.0.1.0/26 Azure Bastion AzureBastionSubnet
10.0.2.0/26 Azure Firewall AzureFirewallSubnet

We have a single NSG with default rules associated with both Azure VM /27 subnets

We have a single Azure Firewall in the same region, with a public IP and a private IP contained within the AzureFirewallSubnet.

We have a single Azure Firewall Policy in the same region with multiple rule collections.

At this point connectivity works, via the web interface and Bastion access, to VMs in both /27 subnets.

When I create a default route and associate that route with a VM subnet, I lose all connectivity to the VMs on that subnet.


The default route has propagate route enabled and is configured as...
Destination IP addresses: 0.0.0.0/0
Next hop type: VirtualAppliance
Next hop address: 10.0.2.4 (Azure firewall private IP)

Our connectivity is strictly via login at https://windows365.microsoft.com/ent#/devices, using the web interface to connect to the VM or Bastion.


When we associate the default route, we lose both web and Bastion connectivity...

Any pointers/guidance/suggestions...

4 Replies

How about the NSG, any logs and hints from there?

Thanks for the response. I enabled NSG Flow Logs and ran some tests, which included connectivity tests from Network Watcher... and while Network Watcher says connections on port 22 fail and port 3389 are good (from Bastion to VM), Bastion is still unable to connect...

And I must be out of touch, as these logs in JSON are DUMB... I am unable to decipher the majority of the values...

rule : DefaultRule_AllowVnetInBound
flows [1]
0 {2}
mac : 6045BDC8146E
flowTuples [194]
0 : 1704392753,10.0.3.4,10.0.1.4,42852,9,T,I,A,B,,,,
1 : 1704392753,10.0.3.4,10.0.1.4,50004,22,T,I,A,B,,,,
2 : 1704392753,10.0.3.4,10.0.1.4,50001,22,T,I,A,B,,,,

rule : DefaultRule_AllowVnetInBound
flows [1]
0 {2}
mac : 6045BDC8146E
flowTuples [94]
0 : 1704392833,10.0.3.4,10.0.1.4,3389,3389,T,I,A,B,,,,
1 : 1704392834,10.0.3.4,10.0.1.4,3389,3389,T,I,A,E,3,206,0,0
2 : 1704392834,10.0.3.4,10.0.1.4,3389,3389,T,I,A,B,,,,
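
The comma-separated values in those flowTuples follow the fixed field order of the NSG flow log version 2 schema. The following PowerShell is an added example, not part of the original post: it decodes tuples into readable objects, then walks a downloaded flow log file to pull out denied flows. Three tuples from the excerpt above are embedded as constructed sample input; the file path PT1H.json is a placeholder for a blob downloaded from the flow log storage account.

```powershell
### Added example (not from the original post): decode NSG flow log v2 flow tuples.
### Field order: unix time, source IP, destination IP, source port, destination port,
### protocol (T=TCP, U=UDP), direction (I=inbound, O=outbound), decision (A=allowed,
### D=denied), flow state (B=begin, C=continuing, E=end), then packets and bytes
### source->destination and destination->source. The counters are empty on B records,
### which is why the first tuples end in ",,,,".

function ConvertFrom-NsgFlowTuple {
    param([Parameter(ValueFromPipeline)][string]$Tuple)
    begin {
        $header = 'UnixTime','SourceIp','DestinationIp','SourcePort','DestinationPort',
                  'Protocol','Direction','Decision','FlowState',
                  'PacketsSrcToDst','BytesSrcToDst','PacketsDstToSrc','BytesDstToSrc'
        $codes = @{
            Protocol  = @{ T = 'TCP'; U = 'UDP' }
            Direction = @{ I = 'Inbound'; O = 'Outbound' }
            Decision  = @{ A = 'Allow'; D = 'Deny' }
            FlowState = @{ B = 'Begin'; C = 'Continuing'; E = 'End' }
        }
    }
    process {
        $f = $Tuple | ConvertFrom-Csv -Header $header
        [pscustomobject]@{
            Time          = [DateTimeOffset]::FromUnixTimeSeconds([long]$f.UnixTime).UtcDateTime
            Source        = '{0}:{1}' -f $f.SourceIp, $f.SourcePort
            Destination   = '{0}:{1}' -f $f.DestinationIp, $f.DestinationPort
            Protocol      = $codes.Protocol[$f.Protocol]
            Direction     = $codes.Direction[$f.Direction]
            Decision      = $codes.Decision[$f.Decision]
            FlowState     = $codes.FlowState[$f.FlowState]
            BytesSrcToDst = $f.BytesSrcToDst
            BytesDstToSrc = $f.BytesDstToSrc
        }
    }
}

### Constructed sample input: tuples copied from the flow log excerpt above
$sample = @(
    '1704392753,10.0.3.4,10.0.1.4,50004,22,T,I,A,B,,,,'
    '1704392833,10.0.3.4,10.0.1.4,3389,3389,T,I,A,B,,,,'
    '1704392834,10.0.3.4,10.0.1.4,3389,3389,T,I,A,E,3,206,0,0'
)
$sample | ConvertFrom-NsgFlowTuple | Format-Table -AutoSize

### Same function over a downloaded flow log blob (placeholder path). Structure is
### records[] -> properties.flows[] (one per NSG rule) -> flows[] (one per MAC) -> flowTuples[].
### Keep only flows the NSG denied, tagged with the rule that denied them.
$log = Get-Content -Raw .\PT1H.json | ConvertFrom-Json
foreach ($record in $log.records) {
    foreach ($ruleFlows in $record.properties.flows) {
        $ruleFlows.flows.flowTuples | ConvertFrom-NsgFlowTuple |
            Where-Object Decision -eq 'Deny' |
            Select-Object @{n='Rule';e={$ruleFlows.rule}}, Time, Source, Destination, Protocol, Direction
    }
}
```

Read with the decoder, the excerpt shows 10.0.3.4 (an address in the AzureBastionSubnet of the script's layout) reaching 10.0.1.4 on 22 and 3389, inbound, allowed by DefaultRule_AllowVnetInBound. One caveat: NSG flow logs record only the NSG's verdict. Traffic that the NSG allows but that is later dropped by Azure Firewall never shows up here as a deny; for that, the firewall's own diagnostic logs (application and network rule categories) are the place to look.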

Here are the commands I am using to create the objects; all complete successfully... and again, adding the default route, I lose connection; delete the route and connection is restored.

I am sure, it's just me missing something.

####################################################################
###	Define Variables###
####################################################################

$rgname =  "rg-Dev04-vDI"
$rglocation = "West US 3"
$rgtag = @{Dev="AzureVM-Dev"}
$rgvnetname = "vNet-Dev04-vDI"

$bastionpipname = "Bastion-vNet-Dev04-vDI-IP"
$bastionname = "Bastion-vNet-Dev04-vDI"

$firewallpipname = "Firewall-Net-Dev04-vDI-IP"   ### public IP name for the firewall, referenced below
$firewallname = "Firewall-Dev04-vDI"

$firewallpolicyname = "Firewall-Dev04-vDI-Policy"   ### defined here but never attached to the firewall below
$Routetablename = "Firewall-rt-table-Dev04-vDI"

$routeconfigname = "DG-Route-Dev04-vDI"
$nsgname = "NSG-Dev04-vDI"

####################################################################
###Create resource group###
New-AzResourceGroup -Name $rgname -Location "$rglocation" -Tag $rgtag
####################################################################
###Create virtual network###
$ServerSubnet1 = New-AzVirtualNetworkSubnetConfig -Name Internet -AddressPrefix 10.0.1.0/24
$ServerSubnet2 = New-AzVirtualNetworkSubnetConfig -Name No_Internet -AddressPrefix 10.0.2.0/24
$ServerSubnet3 = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix "10.0.3.0/26"
$ServerSubnet4 = New-AzVirtualNetworkSubnetConfig -Name AzureFirewallSubnet -AddressPrefix "10.0.4.0/26"
$deployVnet = New-AzVirtualNetwork -Name $rgvnetname -ResourceGroupName $rgname -Location "$rglocation" -AddressPrefix 10.0.0.0/16 -Subnet $ServerSubnet1,$ServerSubnet2,$ServerSubnet3,$ServerSubnet4 -Tag $rgtag
####################################################################
###Create bastion and Public IP address###
###Create Public IP###
$Bastionip = New-AzPublicIpAddress -ResourceGroupName "$rgname" `
	-name "$bastionpipname" `
	-location "$rglocation" `
	-AllocationMethod Static `
	-Tag $rgtag

###Create Bastion###
New-AzBastion -ResourceGroupName "$rgname" `
	-Name "$bastionname" `
	-PublicIpAddressRgName "$rgname" `
	-PublicIpAddressName "$bastionpipname" `
	-VirtualNetworkRgName "$rgname" `
	-VirtualNetworkName "$rgvnetname" `
	-Tag $rgtag
####################################################################
###Create firewall public IP address###
###Create Public IP###
$FWpip = New-AzPublicIpAddress -Name "$firewallpipname" `
	-ResourceGroupName $rgname `
	-Location "$rglocation" `
	-AllocationMethod Static `
	-Tag $rgtag `
	-Sku Standard

###Create Firewall###
$Azfw = New-AzFirewall -Name "$firewallname" `
	-ResourceGroupName "$rgname" `
	-Location "$rglocation" `
	-VirtualNetwork $deployVnet `
	-Tag $rgtag `
	-PublicIpAddress $FWpip

###Save the firewall private IP address (first IP configuration)###
$AzfwPrivateIP = $Azfw.IpConfigurations[0].PrivateIpAddress
$AzfwPrivateIP
####################################################################
###Create default route###
###Create route table (the -DisableBgpRoutePropagation switch turns BGP route propagation OFF for this table)###
$routeTableDG = New-AzRouteTable `
  -Name $Routetablename `
  -ResourceGroupName $rgname `
  -Location "$rglocation" `
  -DisableBgpRoutePropagation `
  -Tag $rgtag

###Create default route: everything not matched by a more specific route goes to the firewall###
Add-AzRouteConfig `
  -Name $routeconfigname `
  -RouteTable $routeTableDG `
  -AddressPrefix 0.0.0.0/0 `
  -NextHopType "VirtualAppliance" `
  -NextHopIpAddress $AzfwPrivateIP | Set-AzRouteTable

###Associate the route table to the subnets###
###Re-read the VNet first: the Bastion and firewall deployments changed it after $deployVnet was captured###
$deployVnet = Get-AzVirtualNetwork -Name $rgvnetname -ResourceGroupName $rgname

Set-AzVirtualNetworkSubnetConfig `
  -VirtualNetwork $deployVnet `
  -Name Internet `
  -AddressPrefix 10.0.1.0/24 `
  -RouteTable $routeTableDG | Out-Null

Set-AzVirtualNetworkSubnetConfig `
  -VirtualNetwork $deployVnet `
  -Name No_Internet `
  -AddressPrefix 10.0.2.0/24 `
  -RouteTable $routeTableDG | Out-Null

###Push both subnet changes in a single update###
$deployVnet | Set-AzVirtualNetwork
####################################################################

So apparently the issue was related to the Virtual Network not being associated with the firewall policy as a security provider... go figure.

Anyone know how to script this?
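
One way to script it with Az PowerShell, as an added example rather than the poster's own code. It assumes that "associated with the firewall policy as a security provider" means deploying the firewall with a Firewall Policy attached (which is what makes the VNet show up as a hub virtual network in Azure Firewall Manager), that the variables from the script above ($rgname, $rglocation, $rgtag, $rgvnetname, $firewallname, $firewallpolicyname, $FWpip) are already set, and that the FQDN list, source prefix, rule names and priorities are placeholders to replace with your own.

```powershell
### Added example, not the original poster's script. Assumes the variables from the
### script above are set and Az.Network is loaded. FQDNs, source prefix, names and
### priorities are placeholders.

### Create the firewall policy the rules will live in
$fwPolicy = New-AzFirewallPolicy -Name $firewallpolicyname `
  -ResourceGroupName $rgname `
  -Location $rglocation

### Application rule: the No_Internet subnet may reach only the listed FQDNs over
### HTTP/HTTPS. Azure Firewall denies anything no rule allows, so nothing else is needed
### to block the rest of the web.
$allowedFqdns = @('login.microsoftonline.com', 'example.com')   # placeholders
$appRule = New-AzFirewallPolicyApplicationRule -Name 'Allow-Selected-FQDNs' `
  -SourceAddress '10.0.2.0/24' `
  -TargetFqdn $allowedFqdns `
  -Protocol 'http:80', 'https:443'

$appCollection = New-AzFirewallPolicyFilterRuleCollection -Name 'NoInternet-AppRules' `
  -Priority 200 `
  -Rule $appRule `
  -ActionType Allow

New-AzFirewallPolicyRuleCollectionGroup -Name 'DefaultApplicationRuleCollectionGroup' `
  -Priority 300 `
  -RuleCollection $appCollection `
  -FirewallPolicyObject $fwPolicy | Out-Null

### Deploy the firewall with the policy attached (-FirewallPolicyId). Re-read the VNet
### so the object reflects the Bastion deployment that happened after it was captured.
$vnet = Get-AzVirtualNetwork -Name $rgvnetname -ResourceGroupName $rgname
$Azfw = New-AzFirewall -Name $firewallname `
  -ResourceGroupName $rgname `
  -Location $rglocation `
  -VirtualNetwork $vnet `
  -PublicIpAddress $FWpip `
  -FirewallPolicyId $fwPolicy.Id `
  -Tag $rgtag

### Private IP to use as the next hop of the 0.0.0.0/0 route; point the route here only
### once the allow rules above exist, otherwise every outbound flow is dropped.
$AzfwPrivateIP = $Azfw.IpConfigurations[0].PrivateIpAddress
$AzfwPrivateIP
```

Two things worth checking once this is in place. First, a 0.0.0.0/0 user-defined route only captures traffic that no more specific route matches; destinations inside the VNet address space (10.0.0.0/16 in the script, which includes AzureBastionSubnet) still follow the system VirtualNetwork route, so Bastion's RDP/SSH to the VMs is not diverted to the firewall, while everything leaving the VNet is, including any Internet-bound traffic the VMs themselves depend on. Second, the route table in the script is attached to both subnets, so the With_Internet subnet is filtered by the same policy; it needs either its own allow rules or a separate route table without the default route.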