Forum Discussion

Deepak_kumar's avatar
Deepak_kumar
Copper Contributor
May 19, 2019

Route Internet traffic through Ipsec tunnel.

Hi Everyone. I need an architecture model for Routing internet traffic from  vnet A to Firewall which is in vnet B. Both vnets are in different region and connected by IPsec tunnel. I have tried us...
azure
networking
virtual network
Deepak_kumar's avatar
Deepak_kumar
Copper Contributor
May 21, 2019

Thxx@Hannes_LG ,

but in my scenario we have already an existing infra and having multiple basic internal load balancer.

If we go with global vnet peering, then we will have to update all basic internal load balancer to standard one because in global vnet peering we can't access frontend ip of internal load balancer of basic sku in peered region.

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#what-are-the-constraints-related-to-global-vnet-peering-and-load-balancers

That's way I’m searching for another way.

 

Hannes_LG's avatar
Hannes_LG
Brass Contributor
May 21, 2019
Hi,

okay that's bad. Is it possible to share your Route Table?
To bin a UDR with 0.0.0.0/0 to an Azure Gateway subnet isn't supported.

Original Articel (https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview)

If your virtual network is connected to an Azure VPN gateway, do not associate a route table to the gateway subnet that includes a route with a destination of 0.0.0.0/0. Doing so can prevent the gateway from functioning properly. For details, see the Why are certain ports opened on my VPN gateway? question in the VPN Gateway FAQ.

I guess you have to define each subnet at the UDR.

Regards,
Hannes
  • Deepak_kumar's avatar
    Deepak_kumar
    Copper Contributor
    May 24, 2019

    Hannes_LG 

     

    Hi,

     I can't share much of info, but for your understanding I have already mentioned all the information in my question. For internal communication (private traffic), traffic will go through IPsec tunnel. DMZ subnet is in vnet B, so we use UDR to route  all internet traffic from vnet B to firewall ip in DMZ subnet but for vnet A internet traffic i need your help.

    • Hannes_LG's avatar
      Hannes_LG
      Brass Contributor
      Jun 03, 2019
      Hi,

      sry for the late reply.
      To bind a 0.0.0.0/0 route to a gateway subnet isn’t supported so please remove that one.
      Change UDR1:
      0.0.0.0/0 next hop virtual appliance IP
      Bind to each subnet in vnet a (important not to the gateway subnet!)

      Change UDR2:
      0.0.0.0/0 next hob virtual appliance IP
      Bind to each subnet in vent b (important not to the gateway subnet!)

      On Gateway in vnet a activate „use remote gateway“
      On Gateway in vnet b activate „ gateway transit“

      I guess that solution should fix your issue but I don’t have time (at the Moment) to test it.

      Regards,
      Hannes

Resources