Azure Firewall DNAT not working

Question

I have a typical Hub/Spoke Architecture with Azure Firewall in the Hub, VNEt peerings between Hub/Spoke, route table on Spoke with default route to Firewall in Hub, no NSGs currently applied. I have created DNAT rule for web site running on Windows Server VM (IIS) in Spoke. All as per documented setup e.g. https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat#create-a-default-route

But I cannot connect to the Web site! I have even tried a DNAT rule for RDP exactly as per the article but also not connecting.

I can see in the firewall logs the DNAT rule being hit but nothing is getting to the Web Server as verified using packet capture.

I have spun up VM in the Hub with a default route to the Firewall and Network rules to allow RDP and HTTPs to the Spoke Vnet. From this machine I can browse to the website and RDP to the Web Server with no issues with and have verified traffic is traversing the firewall OK.

What am I missing to get access via firewall DNAT working?

Any help/advise, what to try next, how to debug appreciated.

Cheers

Rich

richard_marder · Answer

stefanslauritsen&nbsp;Hi, Yes it was resolved in our case.&nbsp; Our issue was with the routing tables applied to the spoke vNET.&nbsp; We had the Default Route and a UDR which was set to the vNET in the Hub.&nbsp; This vNET included the subnet on which the firewall was setup plus other subnets in use for Management Services (Remote Access, Backups,&nbsp; Monitoring etc.)&nbsp; &nbsp;This was causing circular routing and we had to remove this and configure the RT with UDRs for each subnet for the individual services and excluding the subnet on which the firewall was setup.&nbsp; Hope it helps.&nbsp; Good luck

kidd_ip · Answer

Richard_Marder&nbsp;Please refer this:&nbsp;https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat&nbsp;

richard_marder · Answer

Thanks Kidd_Ip&nbsp;thats the same article i followed 😞

stefanslauritsen · Answer

Richard_Marder&nbsp;was this issue ever solved? I am facing same issue.&nbsp;

stefanslauritsen · Answer

Thank you Richard_Marder&nbsp;!Tested this morning with both SFTP-22 (original issue) &amp; RDP-3389 (Test scenario), removing the route table pointing to Az Firewall Virtual Appliance for Firewall subnet fixed the issue instantly.Now I just need to figure out new routing design and which consequences it will have 🙂Fun fact - For original issue, we were seeing only some connections failing. Incoming traffic from Azure VM's (3rd-party tenants) was working, testing connection from home (Consumer ISP)/3rd-party datacenter failed.

Forum Discussion

Azure Firewall DNAT not working

5 Replies

Resources