Feb 14 2019 11:45 PM
Hello all,
Trying to set up a server which has access to an internal network, but also can be accessed via the internet. These servers will eventually be front end web servers for an on-prem application.
I have deployed a VNet with a single server, and have successfully configured the ExpressRoute, so that the server can be accessed from my internal network. I can browse, via IP, to a webserver running on this server.
There is a single route table, with BGP enabled, there is no default route from BGP as this is filtered out at the datacentre. The subnet that the server is in is associated with this route table.
I have then created an Azure Firewall with a public IP, created a DNAT rule to NAT the external IP of the FW to the server IP, and allow port 80, and ensured that the access policy on the server NIC allows access from all IPs on port 80.
I cannot browse to this server via port 80 via the external IP.
If I remove all of the ExpressRoute configuration (virtual gateway and connection) then I can browse to the server via port 80 via the external IP.
It seems that the firewall works on its own, and the ExpressRoute works on its own, but when I use the two together, there is a conflict which prevents the external connectivity from working.
What am I missing please?
Feb 17 2019 11:05 PM
@GEOFFHILL I am assuming that you have a web server running on a VM in Azure cloud, and the expectation is to route the traffic to a web application running on an on-prem server. Basically a reverse proxy or application request routing setup. When you set up ExpressRoute and the firewall, try the following steps to troubleshoot the issue:
I hope this helps.
Feb 19 2019 12:43 PM
Hi,
Azure Firewall needs to be able to egress directly to the internet. If ExpressRoute is publishing a default route via on-prem to Azure Firewall, it will not work. Try to create a UDR on the firewall subnet with 0/0 via Internet and retest. If this doesn't work, please open a support call as we will need more details to solve this.
Thanks,
Yair
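The UDR Yair describes, written out as an added example in Azure PowerShell (this is not code from the thread or from Microsoft; it assumes the Az module is installed and you are signed in with Connect-AzAccount, and the resource group, VNet and NIC names are placeholders). The route table is attached to AzureFirewallSubnet only, so the web server's own subnet and its ExpressRoute reachability are left untouched. Because a user-defined route takes precedence over a BGP-learned route for the same prefix, the firewall keeps a direct internet path even if a default route is later advertised from on-prem. The last step reads the effective routes of a VM NIC in the same VNet, which shows whether ExpressRoute is advertising 0.0.0.0/0 into the VNet at all (Source VirtualNetworkGateway).

```powershell
# Added example: give AzureFirewallSubnet its own default route to the Internet.
# Placeholders below; replace with your own names.
$rg       = 'rg-webfrontend'     # placeholder resource group
$location = 'westeurope'         # placeholder region (must match the VNet)
$vnetName = 'vnet-web'           # placeholder VNet that contains AzureFirewallSubnet
$nicName  = 'vm-web01-nic'       # placeholder NIC of the web VM, for the diagnostic step

# 1. Route table holding a single UDR: 0.0.0.0/0 with next hop type Internet.
$rt = New-AzRouteTable -Name 'rt-azfw-egress' `
                       -ResourceGroupName $rg `
                       -Location $location

Add-AzRouteConfig -RouteTable $rt `
                  -Name 'default-to-internet' `
                  -AddressPrefix '0.0.0.0/0' `
                  -NextHopType Internet |
    Set-AzRouteTable | Out-Null

# 2. Associate the route table with AzureFirewallSubnet.
#    The subnet name is fixed by Azure Firewall; only its route table is changed here.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'AzureFirewallSubnet'
$subnet.RouteTable = $rt
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Diagnostic: what does a NIC in this VNet see for 0.0.0.0/0?
#    Source 'Default' with NextHopType 'Internet' is the platform route;
#    Source 'VirtualNetworkGateway' means a default route is arriving over ExpressRoute,
#    which is the condition Yair says breaks the firewall's egress.
$routes = Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rg
$routes |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Select-Object Source, State, AddressPrefix, NextHopType, NextHopIpAddress |
    Format-Table -AutoSize
```

Run it from a session where the VM's NIC is in the same VNet as AzureFirewallSubnet; the effective-route listing is taken from the VM NIC because Azure Firewall does not expose a NIC you can query directly. If the listing shows a VirtualNetworkGateway-sourced 0.0.0.0/0, the UDR created in step 1 is what keeps the firewall subnet from following it.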