Forum Discussion

nitrox2000
Copper Contributor
Mar 13, 2026

Azure VM Persistent Route Setup

Hi

I hope to get some advice on a routing issue from Azure to an on-premises system.

A little background first, please bear with me:

We have an on-premises VM that connects to an isolated third-party network via an on-prem Cisco ASA FW dedicated to this purpose.

-------------------------------------------------------------------------------

OnPrem VM's IP: 10.100.10.23/24 

OnPrem dedicated FW - Local Inside Interface IP: 10.100.10.190

--------------------------------------------------------------------------------

OnPrem dedicated FW - 3rdParty Interface IP: 10.110.255.137

Third-party router IP: 10.110.255.138 - This routes to additional devices on 10.10.227.10 and 20.10.227.10.

--------------------------------------------------------------------------------

There are static routes configured for the 3rd-party FW interface using:

3rdParty Interface - 10.10.227.10 255.255.255.255 - 10.110.255.138 (Gateway IP)

3rdParty Interface - 20.10.227.10 255.255.255.255 - 10.110.255.138 (Gateway IP)

--------------------------------------------------------------------------------

The on-premises VM (10.100.10.23) has persistent routes added to allow connectivity:

Network Address    Netmask            Gateway Address    Metric
10.10.227.10       255.255.255.255    10.100.10.190      1
20.10.227.10       255.255.255.255    10.100.10.190      1
10.110.255.136     255.255.255.252    10.100.10.190      1

---------------------------------------------------------------------------------

The above works fine on-prem but I now need to migrate the On-Prem VM service into Azure.

Azure Side

I have created a test Azure VM with a static IP in an isolated subnet (no other devices using it) in the Production subscription of our LZ (Hub and Spoke topology).

We have a site-to-site VPN connected to our on-premises FW using a VPN Gateway configured in the Connectivity subscription of our LZ (as expected).

We have defined subnets for on-premises address spaces in the Local Network Gateway:

10.100.10.0/24, 10.100.11.0/24, 10.100.13.0/24, 10.100.14.0/24 (Local Subnets) and 172.16.50.0 (VPN client Subnet)

---------------------------------------------------------------------------------------

Main Problem that I'm requesting advice for:

When I add the defined persistent routes on the Azure VM (IP address: 10.150.1.10/24) exactly as they are on the On-Prem VM:

Network Address    Netmask            Gateway Address    Metric
10.10.227.10       255.255.255.255    10.100.10.190      1
20.10.227.10       255.255.255.255    10.100.10.190      1
10.110.255.136     255.255.255.252    10.100.10.190      1

I'm unable to ping the 10.10.227.10 and 20.10.227.10 addresses, even though the routes have been added by the 3rd party on their network side.

All network objects, static routes, groups and rules are duplicated on the ASA FW for the Azure VM as they are for the On-Prem VM, and I can access/ping the ASA FW inside interface with no problem.

Is there a specific way I need to configure the persistent routes from the Azure side, or have I missed something in the configuration above to get the connectivity I require?

Please, all advice is welcome!

Thank you

Nitrox

2 Replies

  • Persistent routes cannot be configured in Azure VMs in the same way as on-premises. In Azure, routing is managed at the network level through User Defined Routes (UDRs) and VPN Gateway configuration, rather than by static routes inside the virtual machine. The gateway address you specified (10.100.10.190) is not directly accessible from the Azure VM, which is why the persistent routes fail. To achieve the required connectivity, you must configure Azure route tables (UDRs) and ensure that the VPN Gateway advertises the appropriate on-premises subnets.

    Tutorial - Create S2S VPN connection between on-premises network and Azure virtual network: Azure portal - Azure VPN Gateway | Microsoft Learn

    https://learn.microsoft.com/en-us/azure/vpn-gateway/

    • nitrox2000
      Copper Contributor

      Hi

      Thanks for your reply.

      I have the S2S VPN in place and working fine and all local routes have been advertised across the VPN, for example 10.110.10.190 (10.110.10.0/24 advertised).

      All local subnets are also added via the Local Network Gateway in Azure and 10.110.10.190 can ping fine from the VM.  

      I have added some UDRs for the additional networks, but currently I'm using 10.110.10.190 as the next hop after the Virtual Appliance (Azure FW) and it is not working. I have also tried using the gateway of the VM subnet: let's say the Azure VM is 10.123.100.10, so I'm using 10.123.100.1 as the next hop. Neither is working.

      Can someone advise further? I'm a little perplexed, as I simply need to route from the Azure VM via an on-premises IP (10.110.10.190) to 10.10.227.0/20.10.227.0/10.110.255.0.

      Thanks again

      Nitrox
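The approach the first reply describes (Azure route tables plus the VPN gateway carrying the extra prefixes), as an added Azure PowerShell (Az module) example that is not from this thread or from Microsoft: it adds the third-party prefixes to the Local Network Gateway, builds a UDR whose next hop is the VPN gateway rather than the on-prem 10.100.10.190, attaches it to the VM's subnet and reads back the NIC's effective routes. All resource group, VNet, subnet, gateway, NIC and region names are assumptions, and it assumes the spoke is peered to the hub with gateway transit enabled.

```powershell
# Added example, not from the thread. All resource names are assumptions; adjust to your landing zone.
# Assumes the spoke VNet is peered to the hub with "use remote gateways" so the spoke can
# reach the hub VPN gateway. If traffic must transit the Azure Firewall instead, use
# -NextHopType VirtualAppliance -NextHopIpAddress <firewall private IP> in step 2 and make
# sure the firewall subnet itself routes these prefixes to the gateway.
$ConnRg    = 'rg-connectivity'   # assumption: resource group of the Local Network Gateway
$SpokeRg   = 'rg-spoke-prod'     # assumption: resource group of the VM's VNet
$VnetName  = 'vnet-spoke-prod'   # assumption
$Subnet    = 'snet-isolated'     # assumption: subnet holding 10.150.1.10
$LngName   = 'lng-onprem-asa'    # assumption: Local Network Gateway for the S2S tunnel
$NicName   = 'nic-vm-test'       # assumption: NIC of the test VM
$Location  = 'uksouth'           # assumption

# Third-party prefixes taken from the question, kept as narrow as on-prem (/32 and /30).
$ThirdParty = @('10.10.227.10/32', '20.10.227.10/32', '10.110.255.136/30')

# 1. Local Network Gateway: the tunnel only carries prefixes listed here, so add them.
#    The ASA must select the same prefixes for the tunnel on its side as well.
$lng = Get-AzLocalNetworkGateway -Name $LngName -ResourceGroupName $ConnRg
$prefixes = @($lng.LocalNetworkAddressSpace.AddressPrefixes) + $ThirdParty | Select-Object -Unique
Set-AzLocalNetworkGateway -LocalNetworkGateway $lng -AddressPrefix $prefixes | Out-Null

# 2. Route table (UDR): next hop is the VPN gateway, not the on-prem 10.100.10.190,
#    which is never directly reachable from inside the VNet.
$routes = for ($i = 0; $i -lt $ThirdParty.Count; $i++) {
    New-AzRouteConfig -Name "to-thirdparty-$i" -AddressPrefix $ThirdParty[$i] -NextHopType VirtualNetworkGateway
}
$rt = New-AzRouteTable -Name 'rt-thirdparty' -ResourceGroupName $SpokeRg -Location $Location -Route $routes

# 3. Attach the route table to the isolated subnet only, not to every subnet in the VNet.
$vnet   = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $SpokeRg
$prefix = ($vnet.Subnets | Where-Object Name -eq $Subnet).AddressPrefix
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $Subnet -AddressPrefix $prefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Check what the NIC actually uses (effective routes) instead of 'route print' in the guest:
#    each third-party prefix should show NextHopType VirtualNetworkGateway and State Active.
Get-AzEffectiveRouteTable -ResourceGroupName $SpokeRg -NetworkInterfaceName $NicName |
    Where-Object { $_.AddressPrefix -match '227\.10/32|255\.136/30' } |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress -AutoSize
```

If step 4 shows the prefixes with a next hop of None or Invalid, the UDR is in place but the gateway has no matching tunnel prefix, which points back at the Local Network Gateway or the ASA side rather than at the VM.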