Forum Discussion
Can't connect after adding default route
How about NSG, any logs and hints from there?
- _MBlack, Jan 04, 2024, Copper Contributor
Thanks for the response. So I enabled the NSG Flow Logs and ran some tests, which included connectivity tests from Network Watcher... and while Network Watcher says connections on port 22 fail and port 3389 are good (from Bastion to VM)... Bastion is still unable to connect...
And I must be outta touch, as these logs in JSON are DUMB... unable to decipher the majority of the values...
rule: DefaultRule_AllowVnetInBound
  flows [1]
    0 {2}
      mac: 6045BDC8146E
      flowTuples [194]
        0: 1704392753,10.0.3.4,10.0.1.4,42852,9,T,I,A,B,,,,
        1: 1704392753,10.0.3.4,10.0.1.4,50004,22,T,I,A,B,,,,
        2: 1704392753,10.0.3.4,10.0.1.4,50001,22,T,I,A,B,,,,
rule: DefaultRule_AllowVnetInBound
  flows [1]
    0 {2}
      mac: 6045BDC8146E
      flowTuples [94]
        0: 1704392833,10.0.3.4,10.0.1.4,3389,3389,T,I,A,B,,,,
        1: 1704392834,10.0.3.4,10.0.1.4,3389,3389,T,I,A,E,3,206,0,0
        2: 1704392834,10.0.3.4,10.0.1.4,3389,3389,T,I,A,B,,,,
- _MBlack, Jan 05, 2024, Copper Contributor
Here are the commands I am using to create the objects; all complete successfully... and again, adding the default route... I lose the connection; delete the route and the connection is restored.
I am sure it's just me missing something.
####################################################################
### Define Variables ###
####################################################################
$rgname = "rg-Dev04-vDI"
$rglocation = "West US 3"
$rgtag = @{Dev="AzureVM-Dev"}
$rgvnetname = "vNet-Dev04-vDI"
$bastionpipname = "Bastion-vNet-Dev04-vDI-IP"
$bastionname = "Bastion-vNet-Dev04-vDI"
$firewallpipname = "Firewall-Net-Dev04-vDI-IP"   # was "$firewallpipname", a self-reference that expands to an empty string
$firewallname = "Firewall-Dev04-vDI"
$firewallpolicyname = "Firewall-Dev04-vDI-Policy"
$Routetablename = "Firewall-rt-table-Dev04-vDI"
$routeconfigname = "DG-Route-Dev04-vDI"
$nsgname = "NSG-Dev04-vDI"                        # defined but not used below

####################################################################
### Create resource group ###
New-AzResourceGroup -Name $rgname -Location $rglocation -Tag $rgtag

####################################################################
### Create virtual network ###
$ServerSubnet1 = New-AzVirtualNetworkSubnetConfig -Name Internet -AddressPrefix 10.0.1.0/24
$ServerSubnet2 = New-AzVirtualNetworkSubnetConfig -Name No_Internet -AddressPrefix 10.0.2.0/24
$ServerSubnet3 = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix 10.0.3.0/26
$ServerSubnet4 = New-AzVirtualNetworkSubnetConfig -Name AzureFirewallSubnet -AddressPrefix 10.0.4.0/26
$deployVnet = New-AzVirtualNetwork -Name $rgvnetname -ResourceGroupName $rgname -Location $rglocation `
    -AddressPrefix 10.0.0.0/16 -Subnet $ServerSubnet1,$ServerSubnet2,$ServerSubnet3,$ServerSubnet4 -Tag $rgtag

####################################################################
### Create bastion and Public IP address ###
### Create Public IP (Bastion requires a Standard SKU static IP) ###
$Bastionip = New-AzPublicIpAddress -ResourceGroupName $rgname `
    -Name $bastionpipname `
    -Location $rglocation `
    -AllocationMethod Static `
    -Sku Standard `
    -Tag $rgtag

### Create Bastion ###
New-AzBastion -ResourceGroupName $rgname `
    -Name $bastionname `
    -PublicIpAddressRgName $rgname `
    -PublicIpAddressName $bastionpipname `
    -VirtualNetworkRgName $rgname `
    -VirtualNetworkName $rgvnetname `
    -Tag $rgtag

####################################################################
### Create firewall public IP address ###
$FWpip = New-AzPublicIpAddress -Name $firewallpipname `
    -ResourceGroupName $rgname `
    -Location $rglocation `
    -AllocationMethod Static `
    -Sku Standard `
    -Tag $rgtag

### Create Firewall ###
$Azfw = New-AzFirewall -Name $firewallname `
    -ResourceGroupName $rgname `
    -Location $rglocation `
    -VirtualNetwork $deployVnet `
    -PublicIpAddress $FWpip `
    -Tag $rgtag

### Save the firewall private IP address ###
$AzfwPrivateIP = $Azfw.IpConfigurations.privateipaddress
$AzfwPrivateIP

####################################################################
### Create default route ###
### Create route table ###
$routeTableDG = New-AzRouteTable `
    -Name $Routetablename `
    -ResourceGroupName $rgname `
    -Location $rglocation `
    -DisableBgpRoutePropagation `
    -Tag $rgtag

### Create default route (pipe must stay on the same line as the last parameter) ###
Add-AzRouteConfig `
    -Name $routeconfigname `
    -RouteTable $routeTableDG `
    -AddressPrefix 0.0.0.0/0 `
    -NextHopType "VirtualAppliance" `
    -NextHopIpAddress $AzfwPrivateIP | Set-AzRouteTable

### Associate the route table to the subnets ###
# Re-read the VNet so the in-memory object is current, then push both subnet changes in one update
$deployVnet = Get-AzVirtualNetwork -Name $rgvnetname -ResourceGroupName $rgname
$deployVnet = Set-AzVirtualNetworkSubnetConfig `
    -VirtualNetwork $deployVnet `
    -Name Internet `
    -AddressPrefix 10.0.1.0/24 `
    -RouteTable $routeTableDG
$deployVnet = Set-AzVirtualNetworkSubnetConfig `
    -VirtualNetwork $deployVnet `
    -Name No_Internet `
    -AddressPrefix 10.0.2.0/24 `
    -RouteTable $routeTableDG
$deployVnet | Set-AzVirtualNetwork
####################################################################
- _MBlack, Jan 08, 2024, Copper Contributor
So apparently the issue was related to the Virtual Network not being associated with the firewall policy as a security provider... go figure.
Anyone know how to script this?
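A decoder for the flowTuples quoted in the Jan 04 reply, added here as an example and not code from the thread. The field order follows the NSG flow log version 2 schema; the three sample tuples are copied from that reply, and the `Get-NsgFlowTuple` helper assumes a downloaded flow-log JSON blob with the records/flows/flowTuples nesting the reply shows.

```powershell
# Added example, not from the thread. Decodes NSG flow log v2 flowTuples.
# v2 field order: timestamp,srcIp,dstIp,srcPort,dstPort,protocol,direction,
#   decision,flowState,pktsSrcToDst,bytesSrcToDst,pktsDstToSrc,bytesDstToSrc
function ConvertFrom-NsgFlowTuple {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Tuple, [string]$Rule = '')
    process {
        $f = $Tuple.Split(',')
        $num = { param($s) if ($s -eq '') { $null } else { [int64]$s } }  # counters only on C/E records
        [pscustomobject]@{
            Rule          = $Rule
            Time          = [DateTimeOffset]::FromUnixTimeSeconds([int64]$f[0]).UtcDateTime
            Source        = "$($f[1]):$($f[3])"
            Destination   = "$($f[2]):$($f[4])"
            Protocol      = @{ T = 'TCP'; U = 'UDP' }[$f[5]]
            Direction     = @{ I = 'Inbound'; O = 'Outbound' }[$f[6]]
            Decision      = @{ A = 'Allowed'; D = 'Denied' }[$f[7]]
            State         = @{ B = 'Begin'; C = 'Continuing'; E = 'End' }[$f[8]]
            PktsSrcToDst  = & $num $f[9]
            BytesSrcToDst = & $num $f[10]
            PktsDstToSrc  = & $num $f[11]
            BytesDstToSrc = & $num $f[12]
        }
    }
}

# Walk a downloaded flow log blob (records -> properties.flows[].rule -> flows[].flowTuples)
function Get-NsgFlowTuple {
    param([Parameter(Mandatory)][string]$Path)
    $log = Get-Content -Raw -Path $Path | ConvertFrom-Json
    foreach ($rec in $log.records) {
        foreach ($ruleFlows in $rec.properties.flows) {
            foreach ($nicFlows in $ruleFlows.flows) {
                $nicFlows.flowTuples | ConvertFrom-NsgFlowTuple -Rule $ruleFlows.rule
            }
        }
    }
}

# Constructed sample: three of the Bastion (10.0.3.4) -> VM (10.0.1.4) tuples quoted in the Jan 04 reply
$sample = @(
    '1704392753,10.0.3.4,10.0.1.4,50004,22,T,I,A,B,,,,',
    '1704392833,10.0.3.4,10.0.1.4,3389,3389,T,I,A,B,,,,',
    '1704392834,10.0.3.4,10.0.1.4,3389,3389,T,I,A,E,3,206,0,0'
)
$decoded = $sample | ConvertFrom-NsgFlowTuple -Rule 'DefaultRule_AllowVnetInBound'
$decoded | Format-Table Time, Source, Destination, Decision, State, PktsSrcToDst, PktsDstToSrc
# 'Allowed' only means the NSG passed the packets. An End record with zero D->S packets
# shows no reply came back through this NIC, which is the flow to chase with the route in place.
$decoded | Where-Object { $_.State -eq 'End' -and $_.Decision -eq 'Allowed' -and $_.PktsDstToSrc -eq 0 }
```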
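One way to script the missing policy association, as an added example that is not code from the thread: create the Firewall Policy, give it a network rule collection that allows only the Bastion subnet to reach the workload subnets on 22 and 3389, and bind the policy to the firewall at creation time with -FirewallPolicyId. Variable names and subnet ranges are taken from the Jan 05 script; binding the policy directly this way rather than through the Firewall Manager security-provider step the Jan 08 reply mentions is an assumption about how to get the same effect.

```powershell
# Added example, not the poster's script. Assumes $rgname, $rglocation, $rgtag, $firewallname,
# $firewallpolicyname, $deployVnet and $FWpip from the Jan 05 post are already defined.

### Create the firewall policy the firewall will enforce ###
$fwPolicy = New-AzFirewallPolicy -Name $firewallpolicyname `
    -ResourceGroupName $rgname `
    -Location $rglocation

### Least-privilege network rule: Bastion subnet -> workload subnets, SSH and RDP only ###
$bastionToVms = New-AzFirewallPolicyNetworkRule -Name "Allow-Bastion-SSH-RDP" `
    -SourceAddress "10.0.3.0/26" `
    -DestinationAddress "10.0.1.0/24", "10.0.2.0/24" `
    -DestinationPort "22", "3389" `
    -Protocol "TCP"

$allowCollection = New-AzFirewallPolicyFilterRuleCollection -Name "Bastion-Access" `
    -Priority 100 `
    -Rule $bastionToVms `
    -ActionType Allow

### Rule collection group; anything not matched here falls to the firewall's implicit deny ###
New-AzFirewallPolicyRuleCollectionGroup -Name "Dev04-Network-Rules" `
    -Priority 200 `
    -RuleCollection $allowCollection `
    -FirewallPolicyObject $fwPolicy

### Create the firewall already bound to the policy (replaces the New-AzFirewall call in the Jan 05 script) ###
$Azfw = New-AzFirewall -Name $firewallname `
    -ResourceGroupName $rgname `
    -Location $rglocation `
    -VirtualNetwork $deployVnet `
    -PublicIpAddress $FWpip `
    -FirewallPolicyId $fwPolicy.Id `
    -Tag $rgtag

### Verify the association before building the 0.0.0.0/0 route on top of it ###
$Azfw = Get-AzFirewall -Name $firewallname -ResourceGroupName $rgname
$Azfw.FirewallPolicy.Id                     # should be $fwPolicy.Id
$AzfwPrivateIP = $Azfw.IpConfigurations.privateipaddress
$AzfwPrivateIP                              # next hop for the route table in the Jan 05 script
```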