Forum Discussion

_MBlack
Copper Contributor
Jan 03, 2024

Can't connect after adding default route

Having trouble with something I thought would be simple... Need to block web traffic on specific Azure VMs to all but a select few sites.


We have (2) groups of Azure VMs...
With_Internet: basically unfiltered outbound traffic
NO_Internet: blocking all web traffic (HTTP/HTTPS) to all but a select few sites... and my understanding of how to accomplish this is using the Azure Firewall and application rules based on FQDN.

We have created (4) VNets...
10.0.0.0/27 Default With_Internet (contains Azure VM)
10.0.0.32/27 Default NO_Internet (contains Azure VM)
10.0.1.0/26 Azure Bastion AzureBastionSubnet
10.0.2.0/26 Azure Firewall AzureFirewallSubnet


We have a single NSG with default rules associated with both Azure VM /27 subnets


We have a single Azure firewall in the same region with a public IP and private IP contained within the AzureFirewallSubnet


We have a single Azure firewall Policy in the same region with multiple rule collections.


At this point connectivity works, via the web interface and Bastion access, to VMs in both /27 subnets.


When I create a default route and associate that route with a VM subnet, I lose all connectivity to the VMs on that subnet.


The default route has propagate route enabled and is configured as...
Destination IP addresses: 0.0.0.0/0
Next hop type: VirtualAppliance
Next hop address: 10.0.2.4 (Azure firewall private IP)


Our connectivity is strictly from login via https://windows365.microsoft.com/ent#/devices, and we use the web interface to connect to the VM or Bastion.


When we associate the default route, we lose both web and Bastion connectivity...

Any pointers/guidance/suggestions...

4 Replies

    • _MBlack
      Copper Contributor

      Thanks for the response. So I enabled the NSG Flow Logs and ran some tests, which included connectivity tests from Network Watcher... and while Network Watcher says connections on port 22 fail and port 3389 are good (from Bastion to VM)... Bastion is still unable to connect...


      And I must be out of touch, as these logs in JSON are DUMB... unable to decipher the majority of the values...


      rule : DefaultRule_AllowVnetInBound
      flows [1]
      0 {2}
      mac : 6045BDC8146E
      flowTuples [194]
      0 : 1704392753,10.0.3.4,10.0.1.4,42852,9,T,I,A,B,,,,
      1 : 1704392753,10.0.3.4,10.0.1.4,50004,22,T,I,A,B,,,,
      2 : 1704392753,10.0.3.4,10.0.1.4,50001,22,T,I,A,B,,,,
      rule : DefaultRule_AllowVnetInBound
      flows [1]
      0 {2}
      mac : 6045BDC8146E
      flowTuples [94]
      0 : 1704392833,10.0.3.4,10.0.1.4,3389,3389,T,I,A,B,,,,
      1 : 1704392834,10.0.3.4,10.0.1.4,3389,3389,T,I,A,E,3,206,0,0
      2 : 1704392834,10.0.3.4,10.0.1.4,3389,3389,T,I,A,B,,,,
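Added example (not code from the post or from Microsoft): a small PowerShell decoder for the NSG flow log version 2 tuples quoted above. In version 2 each tuple is `unixTime,srcIp,dstIp,srcPort,dstPort,protocol(T/U),direction(I/O),decision(A/D),state(B/C/E),packetsSrcToDst,bytesSrcToDst,packetsDstToSrc,bytesDstToSrc`, with the four counters empty on B (begin) records and filled on C (continuing) and E (end) records. Read that way, the 3389 tuple ending in `E,3,206,0,0` says the flow ended after 3 packets / 206 bytes from 10.0.3.4 (Bastion) with no packets recorded from 10.0.1.4 (the VM) back, which is the kind of flow worth pulling out. The function and property names are mine, and the sample input is a constructed minimal record envelope wrapping four of the tuples from the reply.

```powershell
# Added example (not from the post): decode NSG flow log v2 tuples into readable objects.
# Tuple layout: unixTime,srcIp,dstIp,srcPort,dstPort,protocol,direction,decision,state,
#               packetsSrcToDst,bytesSrcToDst,packetsDstToSrc,bytesDstToSrc
function ConvertFrom-NsgFlowTuple {
    param(
        [Parameter(Mandatory)][string]$Tuple,
        [string]$Rule,
        [string]$Mac
    )
    $proto     = @{ T = 'TCP'; U = 'UDP' }
    $direction = @{ I = 'Inbound'; O = 'Outbound' }
    $decision  = @{ A = 'Allow'; D = 'Deny' }
    $state     = @{ B = 'Begin'; C = 'Continuing'; E = 'End' }

    $f = $Tuple -split ','
    # Empty counter fields (B records) become $null, so "no data yet" and "zero packets" stay distinct.
    $count = { param($s) if ($s -ne '') { [long]$s } else { $null } }

    [pscustomobject]@{
        Time        = [DateTimeOffset]::FromUnixTimeSeconds([long]$f[0]).UtcDateTime
        Rule        = $Rule
        Mac         = $Mac
        Source      = "$($f[1]):$($f[3])"
        Destination = "$($f[2]):$($f[4])"
        Protocol    = $proto[$f[5]]
        Direction   = $direction[$f[6]]
        Decision    = $decision[$f[7]]
        State       = $state[$f[8]]
        PacketsS2D  = & $count $f[9]
        BytesS2D    = & $count $f[10]
        PacketsD2S  = & $count $f[11]
        BytesD2S    = & $count $f[12]
    }
}

# Walk the v2 record envelope: records -> properties.flows (per NSG rule) -> flows (per MAC) -> flowTuples
function ConvertFrom-NsgFlowLog {
    param([Parameter(Mandatory)][string]$Json)
    $log = $Json | ConvertFrom-Json
    foreach ($record in $log.records) {
        foreach ($ruleBlock in $record.properties.flows) {
            foreach ($flow in $ruleBlock.flows) {
                foreach ($t in $flow.flowTuples) {
                    ConvertFrom-NsgFlowTuple -Tuple $t -Rule $ruleBlock.rule -Mac $flow.mac
                }
            }
        }
    }
}

# Constructed sample: a minimal v2 record wrapping four tuples quoted in the reply above.
$sample = @'
{ "records": [ { "properties": { "Version": 2, "flows": [
  { "rule": "DefaultRule_AllowVnetInBound", "flows": [ { "mac": "6045BDC8146E", "flowTuples": [
      "1704392753,10.0.3.4,10.0.1.4,42852,9,T,I,A,B,,,,",
      "1704392753,10.0.3.4,10.0.1.4,50004,22,T,I,A,B,,,,",
      "1704392833,10.0.3.4,10.0.1.4,3389,3389,T,I,A,B,,,,",
      "1704392834,10.0.3.4,10.0.1.4,3389,3389,T,I,A,E,3,206,0,0"
  ] } ] } ] } } ] }
'@

$flows = ConvertFrom-NsgFlowLog -Json $sample
$flows | Format-Table Time, Rule, Source, Destination, Protocol, Direction, Decision, State, PacketsS2D, PacketsD2S -AutoSize

# Ended flows where the source sent packets but the NIC recorded none coming back:
# the VM never answered on this NIC, so check the guest (listener, host firewall) and the return path.
$flows | Where-Object { $_.State -eq 'End' -and $_.PacketsS2D -gt 0 -and $_.PacketsD2S -eq 0 } |
    Select-Object Time, Source, Destination, PacketsS2D, BytesS2D
```

To run it against real logs, read the blob JSON with `Get-Content -Raw` and pass it as `-Json`; the filter at the end is the one-liner to keep, since a Begin record without a matching End, or an End with zero return packets, is what distinguishes "allowed but unanswered" from "denied" in these logs.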
      • _MBlack
        Copper Contributor

        Here are the commands I am using to create the objects; all complete successfully... and again, adding the default route, I lose the connection; delete the route and the connection is restored.

        I am sure, it's just me missing something.


        ####################################################################
        ### Define Variables ###
        ####################################################################

        $rgname = "rg-Dev04-vDI"
        $rglocation = "West US 3"
        $rgtag = @{Dev="AzureVM-Dev"}
        $rgvnetname = "vNet-Dev04-vDI"

        $bastionpipname = "Bastion-vNet-Dev04-vDI-IP"
        $bastionname = "Bastion-vNet-Dev04-vDI"

        $firewallpipname = "Firewall-Net-Dev04-vDI-IP"
        $firewallname = "Firewall-Dev04-vDI"

        $firewallpolicyname = "Firewall-Dev04-vDI-Policy"
        $Routetablename = "Firewall-rt-table-Dev04-vDI"

        $routeconfigname = "DG-Route-Dev04-vDI"
        $nsgname = "NSG-Dev04-vDI"

        ####################################################################
        ### Create resource group ###
        New-AzResourceGroup -Name $rgname -Location "$rglocation" -Tag $rgtag
        ####################################################################
        ### Create virtual network ###
        $ServerSubnet1 = New-AzVirtualNetworkSubnetConfig -Name Internet -AddressPrefix 10.0.1.0/24
        $ServerSubnet2 = New-AzVirtualNetworkSubnetConfig -Name No_Internet -AddressPrefix 10.0.2.0/24
        $ServerSubnet3 = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix "10.0.3.0/26"
        $ServerSubnet4 = New-AzVirtualNetworkSubnetConfig -Name AzureFirewallSubnet -AddressPrefix "10.0.4.0/26"
        $deployVnet = New-AzVirtualNetwork -Name $rgvnetname -ResourceGroupName $rgname -Location "$rglocation" -AddressPrefix 10.0.0.0/16 -Subnet $ServerSubnet1,$ServerSubnet2,$ServerSubnet3,$ServerSubnet4 -Tag $rgtag
        ####################################################################
        ### Create Bastion and public IP address ###
        ### Create public IP (Bastion requires a static Standard SKU public IP) ###
        $Bastionip = New-AzPublicIpAddress -ResourceGroupName "$rgname" `
            -Name "$bastionpipname" `
            -Location "$rglocation" `
            -AllocationMethod Static `
            -Sku Standard `
            -Tag $rgtag

        ### Create Bastion ###
        New-AzBastion -ResourceGroupName "$rgname" `
            -Name "$bastionname" `
            -PublicIpAddressRgName "$rgname" `
            -PublicIpAddressName "$bastionpipname" `
            -VirtualNetworkRgName "$rgname" `
            -VirtualNetworkName "$rgvnetname" `
            -Tag $rgtag
        ####################################################################
        ### Create firewall public IP address ###
        $FWpip = New-AzPublicIpAddress -Name "$firewallpipname" `
            -ResourceGroupName $rgname `
            -Location "$rglocation" `
            -AllocationMethod Static `
            -Tag $rgtag `
            -Sku Standard

        ### Firewall policy: holds the rule collections; created here if it does not exist yet ###
        $fwPolicy = Get-AzFirewallPolicy -Name "$firewallpolicyname" -ResourceGroupName "$rgname" -ErrorAction SilentlyContinue
        if (-not $fwPolicy) {
            $fwPolicy = New-AzFirewallPolicy -Name "$firewallpolicyname" -ResourceGroupName "$rgname" -Location "$rglocation"
        }

        ### Create firewall ###
        # Without -FirewallPolicyId the firewall is created with no policy attached,
        # so the rule collections in $firewallpolicyname never apply to it.
        $Azfw = New-AzFirewall -Name "$firewallname" `
            -ResourceGroupName "$rgname" `
            -Location "$rglocation" `
            -VirtualNetwork $deployVnet `
            -PublicIpAddress $FWpip `
            -FirewallPolicyId $fwPolicy.Id `
            -Tag $rgtag

        ### Save the firewall private IP address (first usable address in AzureFirewallSubnet) ###
        $AzfwPrivateIP = $Azfw.IpConfigurations[0].PrivateIPAddress
        $AzfwPrivateIP
        ####################################################################
        ### Create route table ###
        # -DisableBgpRoutePropagation is "Propagate gateway routes: No" in the portal; it only
        # affects routes learned from a virtual network gateway, not the VNet's own system route.
        $routeTableDG = New-AzRouteTable `
            -Name $Routetablename `
            -ResourceGroupName $rgname `
            -Location "$rglocation" `
            -DisableBgpRoutePropagation `
            -Tag $rgtag

        ### Create default route ###
        Add-AzRouteConfig `
            -Name $routeconfigname `
            -RouteTable $routeTableDG `
            -AddressPrefix 0.0.0.0/0 `
            -NextHopType "VirtualAppliance" `
            -NextHopIpAddress $AzfwPrivateIP | Set-AzRouteTable

        ### Associate the route table with the VM subnets ###
        # Re-read the VNet first: the object from New-AzVirtualNetwork is stale once
        # Bastion and the firewall have been deployed into it.
        $deployVnet = Get-AzVirtualNetwork -Name $rgvnetname -ResourceGroupName $rgname
        Set-AzVirtualNetworkSubnetConfig `
            -VirtualNetwork $deployVnet `
            -Name Internet `
            -AddressPrefix 10.0.1.0/24 `
            -RouteTable $routeTableDG | Out-Null

        Set-AzVirtualNetworkSubnetConfig `
            -VirtualNetwork $deployVnet `
            -Name No_Internet `
            -AddressPrefix 10.0.2.0/24 `
            -RouteTable $routeTableDG | Out-Null

        # One write that carries both associations
        $deployVnet = Set-AzVirtualNetwork -VirtualNetwork $deployVnet
        ####################################################################
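Added example (not code from the post or from Microsoft): the FQDN allowlist the original post describes (Azure Firewall application rules) written as a firewall policy rule collection group, followed by the check a practitioner wants after associating the 0.0.0.0/0 route: the VM NIC's effective routes. Two facts drive the design. First, a UDR for 0.0.0.0/0 does not touch traffic inside the VNet, because the 10.0.0.0/16 system route is more specific, so Bastion-to-VM traffic is not sent to the firewall. Second, everything that does go to the firewall is dropped unless a rule allows it, and that includes the VM's own outbound calls to the services it depends on (for a machine connected through the Windows 365 web interface, the Windows 365 / Azure Virtual Desktop service endpoints), which need allow rules just like user browsing. The resource and subnet names reuse the script above; the NIC name and the allowed FQDNs are placeholders (assumptions), and the policy only has effect once attached to the firewall (New-AzFirewall -FirewallPolicyId, or in the portal).

```powershell
# Added example (not from the post): FQDN allowlist as an Azure Firewall policy, plus an
# effective-route check on a VM NIC after the 0.0.0.0/0 UDR is associated.
$rgname       = "rg-Dev04-vDI"
$rglocation   = "West US 3"
$policyname   = "Firewall-Dev04-vDI-Policy"
$nicName      = "vm-noint-01-nic"                                      # assumed NIC of a VM in No_Internet
$allowedFqdns = @("www.example.com", "login.microsoftonline.com")     # placeholder allowlist

# Subnets as defined in the script above
$internetSubnet   = "10.0.1.0/24"
$noInternetSubnet = "10.0.2.0/24"

# 1. Policy (create if it does not exist yet)
$policy = Get-AzFirewallPolicy -Name $policyname -ResourceGroupName $rgname -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-AzFirewallPolicy -Name $policyname -ResourceGroupName $rgname -Location $rglocation
}

# 2. Application rules match on FQDN, so they only cover HTTP/HTTPS; the firewall must be able
#    to resolve the names (it uses Azure DNS unless configured otherwise).
$noInternetRule = New-AzFirewallPolicyApplicationRule -Name "NoInternet-Allowlist" `
    -SourceAddress $noInternetSubnet `
    -TargetFqdn $allowedFqdns `
    -Protocol "http:80", "https:443"

# "*" as the target FQDN lets the unfiltered subnet browse anywhere over HTTP/HTTPS.
$internetRule = New-AzFirewallPolicyApplicationRule -Name "Internet-AllowAll" `
    -SourceAddress $internetSubnet `
    -TargetFqdn "*" `
    -Protocol "http:80", "https:443"

$appCollection = New-AzFirewallPolicyFilterRuleCollection -Name "Web-Allow" -Priority 200 `
    -Rule $noInternetRule, $internetRule -ActionType Allow

# Creating the rule collection group writes it into the policy in Azure.
New-AzFirewallPolicyRuleCollectionGroup -Name "AppRules" -Priority 300 `
    -RuleCollection $appCollection -FirewallPolicyObject $policy | Out-Null

# 3. Anything that matches no rule is dropped by the firewall. Confirm which routes the NIC
#    actually uses once the route table is associated: expect 10.0.0.0/16 -> VnetLocal (Active),
#    0.0.0.0/0 -> VirtualAppliance <firewall private IP>, and the default 0.0.0.0/0 -> Internet
#    system route shown as Invalid because the UDR overrides it.
Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rgname |
    Format-Table Source, State, @{n='AddressPrefix'; e={ $_.AddressPrefix -join ',' }}, NextHopType, NextHopIpAddress -AutoSize
```

If the effective-route output shows the VNet route still Active while Bastion cannot connect, the route table is not the cause and the failure is on the guest or in the NSG; if the VM is unreachable through the web interface only, start by adding rules for the service endpoints the VM itself must reach through the firewall.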

