Azure Firewall DNAT not working

I have a typical hub/spoke architecture with Azure Firewall in the hub, VNet peerings between hub and spoke, a route table on the spoke with a default route to the firewall in the hub, and no NSGs currently applied. I have created a DNAT rule for a web site running on a Windows Server VM (IIS) in the spoke. All is as per the documented setup, e.g. https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat.

But I cannot connect to the web site! I have even tried a DNAT rule for RDP exactly as per the article, but that is also not connecting.

I can see in the firewall logs the DNAT rule being hit, but nothing is getting to the web server, as verified using packet capture.

I have spun up a VM in the hub with a default route to the firewall and network rules to allow RDP and HTTPS to the spoke VNet. From this machine I can browse to the website and RDP to the web server with no issues, and I have verified that the traffic is traversing the firewall OK.

What am I missing to get access via firewall DNAT working?

Any help/advice on what to try next and how to debug is appreciated.

Cheers

Rich
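
The checks a practitioner would run on a setup like the one described above, as an added example that is not part of this thread or of Microsoft's documentation: it models the web server NIC's effective route table (the shape `az network nic show-effective-route-table -o json` returns) and one DNAT rule (the fields one entry of `az network firewall nat-rule list` returns) with constructed sample data, then flags a translated address or port that does not match the server, a rule that does not listen on the firewall's public IP, or a spoke route that sends replies to the client somewhere other than the firewall the tutorial's route table points at (a mistyped next hop, or a more specific route added later). All addresses, rule names and ports are assumptions.

```python
"""Consistency checks for an Azure Firewall DNAT path into a spoke.

Added example: the data below is constructed to mirror the JSON shape of
`az network nic show-effective-route-table -o json` and of one rule from
`az network firewall nat-rule list`; the addresses are illustrative.
"""
import ipaddress
import json

# Constructed addresses (assumptions, not taken from the thread).
FIREWALL_PRIVATE_IP = "10.0.1.4"     # Azure Firewall private IP in the hub
FIREWALL_PUBLIC_IP = "203.0.113.10"  # public IP the DNAT rule listens on
WEB_SERVER_IP = "10.1.0.4"           # IIS VM NIC in the spoke
CLIENT_IP = "198.51.100.25"          # Internet client hitting the DNAT'd port
LISTENING_PORTS = {80, 443, 3389}    # ports the IIS/RDP host actually listens on

# Effective routes as seen by the web server NIC (constructed sample).
# The platform default Internet route is shown as Invalid because the
# user-defined 0.0.0.0/0 route to the firewall overrides it.
EFFECTIVE_ROUTES = json.loads("""
{"value": [
  {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal",
   "nextHopIpAddress": [], "source": "Default", "state": "Active"},
  {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VNetPeering",
   "nextHopIpAddress": [], "source": "Default", "state": "Active"},
  {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
   "nextHopIpAddress": [], "source": "Default", "state": "Invalid"},
  {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance",
   "nextHopIpAddress": ["10.0.1.4"], "source": "User", "state": "Active"}
]}
""")

# The DNAT rule for RDP (constructed sample).
DNAT_RULE = {
    "name": "rdp-nat",
    "protocols": ["TCP"],
    "sourceAddresses": ["*"],
    "destinationAddresses": [FIREWALL_PUBLIC_IP],
    "destinationPorts": ["3389"],
    "translatedAddress": WEB_SERVER_IP,
    "translatedPort": "3389",
}


def select_route(routes, dest_ip):
    """Longest-prefix match over Active routes, as the Azure fabric does."""
    ip = ipaddress.ip_address(dest_ip)
    best_net, best_route = None, None
    for route in routes["value"]:
        if route["state"] != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_route = net, route
    return best_route


def check_return_path(routes, client_ip, firewall_private_ip):
    """Replies from the server to the client should hop via the firewall,
    which is what the tutorial's route table on the workload subnet does."""
    route = select_route(routes, client_ip)
    if route is None:
        return [f"no effective route from the web server towards {client_ip}"]
    hops = route.get("nextHopIpAddress") or []
    if route["nextHopType"] != "VirtualAppliance" or firewall_private_ip not in hops:
        return [f"replies to {client_ip} follow {route['addressPrefix'][0]} "
                f"({route['source']} route, next hop {route['nextHopType']} {hops}) "
                f"and bypass the firewall at {firewall_private_ip}"]
    return []


def check_dnat_rule(rule, server_ip, listening_ports, firewall_public_ip):
    """The translated target must be the server NIC and a port it listens on."""
    findings = []
    if firewall_public_ip not in rule["destinationAddresses"]:
        findings.append(f"rule {rule['name']} does not listen on {firewall_public_ip}")
    if rule["translatedAddress"] != server_ip:
        findings.append(f"rule {rule['name']} translates to {rule['translatedAddress']}, "
                        f"not the server NIC {server_ip}")
    port = int(rule["translatedPort"])
    if port not in listening_ports:
        findings.append(f"rule {rule['name']} translates to port {port}, "
                        f"which the server is not listening on")
    if "TCP" not in rule["protocols"]:
        findings.append(f"rule {rule['name']} does not allow TCP")
    return findings


def diagnose(routes=EFFECTIVE_ROUTES, rule=DNAT_RULE, server_ip=WEB_SERVER_IP,
             listening_ports=LISTENING_PORTS, client_ip=CLIENT_IP,
             firewall_private_ip=FIREWALL_PRIVATE_IP,
             firewall_public_ip=FIREWALL_PUBLIC_IP):
    """Empty list means the rule and the spoke routing are consistent."""
    return (check_dnat_rule(rule, server_ip, listening_ports, firewall_public_ip)
            + check_return_path(routes, client_ip, firewall_private_ip))


if __name__ == "__main__":
    for finding in diagnose() or ["no inconsistency found in the DNAT path"]:
        print(finding)
```

To run this against a real deployment, replace EFFECTIVE_ROUTES with the output of `az network nic show-effective-route-table --resource-group <rg> --name <nic> -o json` for the web server NIC and DNAT_RULE with one entry from `az network firewall nat-rule list --resource-group <rg> --firewall-name <fw> --collection-name <collection> -o json`; `az network watcher test-ip-flow` on the web server VM then shows whether the platform itself permits the inbound flow arriving from the firewall's subnet.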
2 Replies

Thanks @Kidd_Ip, that's the same article I followed :(