ExpressRoute & Internet access


Hello all,

Trying to set up a server which has access to an internal network, but can also be accessed via the internet. These servers will eventually be front-end web servers for an on-prem application.

I have deployed a VNet, with a single server, and have successfully configured the ExpressRoute, so that the server can be accessed from my internal network. I can browse, via IP, to a web server running on this server.

There is a single route table, with BGP enabled; there is no default route from BGP as this is filtered out at the datacentre. The subnet that the server is in is associated with this route table.

I have then created an Azure Firewall, with a public IP. I created a DNAT rule, to NAT the external IP of the FW to the server IP, and allow port 80, and ensured that the access policy on the server NIC allows access from all IPs on port 80.

I cannot browse to this server via port 80 via the external IP.

If I remove all of the ExpressRoute configuration (virtual gateway and connection) then I can browse to the server via port 80 via the external IP.

It seems that the firewall works on its own, the ExpressRoute works on its own, but when I use the two together, there is a conflict which prevents the external connectivity from working.

What am I missing, please?

2 Replies

@GEOFFHILL I am assuming that you have a web server running on a VM in the Azure cloud, and the expectation is to route the traffic to a web application running on an on-prem server. Basically a reverse proxy or application request routing setup. When you set up ExpressRoute and the firewall, try the following steps to troubleshoot the issue:

  1. From the Azure VM, are you able to access the internal web application? If you have a web browser on the Azure VM you can try accessing the site using the web browser; otherwise you can run a curl command and see if you are getting the expected results.
    • If you are not able to browse the site, the issue could be with ExpressRoute not routing traffic correctly, or traffic on the port (on which the internal web application is running) is getting blocked.
    • If you are using an FQDN to access the internal app, maybe the Azure VM is not able to resolve that.
  2. Once you verify that you are able to reach the internal VM from the Azure VM, try setting up a web server on Azure without any routing rules. You can keep a simple image or HTML page on the web server and first try to access that from the internet. If you are not able to access the simple HTML or image, it could be because the firewall is blocking the port, or the network security group attached to the VM or VNet (on the Azure portal select Virtual machine -> Network -> NSG) does not have inbound port 80 allowed.

I hope this helps.

Hi,

Azure Firewall needs to be able to egress directly to the internet. If ExpressRoute is publishing a default route via on-prem to Azure Firewall, it will not work. Try to create a UDR on the firewall subnet with 0/0 via Internet and retest. If this doesn't work, please open a support call, as we will need more details to solve this.


Thanks,

Yair
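The following is an added example, not code from this thread or from Microsoft: it models Azure's documented route selection rule (longest matching prefix first; when prefixes tie, a user-defined route beats a BGP-learned route, which beats the system default) and applies it to the AzureFirewallSubnet in the scenario above, so that Yair's point about the default route can be checked mechanically. The VNet range 10.0.0.0/16, the on-prem range 192.168.0.0/16 and the client address 203.0.113.10 are constructed values, not taken from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Azure picks the longest matching prefix first; when prefixes tie, the route
# source decides: user-defined (UDR) beats BGP-learned (ExpressRoute gateway)
# beats the system default. Lower number means higher precedence here.
SOURCE_PRECEDENCE = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str    # CIDR the route matches
    next_hop: str  # Azure next-hop type: Internet, VirtualNetwork, VirtualNetworkGateway, ...
    source: str    # who installed it: User (UDR), VirtualNetworkGateway (BGP), Default (system)


def resolve_next_hop(routes, destination):
    """Return the next-hop type Azure would use for `destination` given the effective routes."""
    dst = ipaddress.ip_address(destination)
    best_key, best_route = None, None
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        if dst not in net:
            continue
        # Longer prefix wins; among equal prefixes, the higher-precedence source wins.
        key = (net.prefixlen, -SOURCE_PRECEDENCE[route.source])
        if best_key is None or key > best_key:
            best_key, best_route = key, route
    return best_route.next_hop if best_route else "None"


def firewall_subnet_routes(bgp_advertises_default, udr_default_to_internet):
    """Constructed effective route table for AzureFirewallSubnet in an assumed VNet
    10.0.0.0/16, connected over ExpressRoute to an assumed on-prem range 192.168.0.0/16."""
    routes = [
        Route("10.0.0.0/16", "VirtualNetwork", "Default"),  # system route: the VNet itself
        Route("0.0.0.0/0", "Internet", "Default"),          # system route: default to Internet
        Route("192.168.0.0/16", "VirtualNetworkGateway", "VirtualNetworkGateway"),  # BGP from on-prem
    ]
    if bgp_advertises_default:
        # On-prem advertises 0/0 over ExpressRoute: the failure case Yair describes.
        routes.append(Route("0.0.0.0/0", "VirtualNetworkGateway", "VirtualNetworkGateway"))
    if udr_default_to_internet:
        # Yair's fix: a UDR on the firewall subnet sending 0/0 straight to the Internet.
        routes.append(Route("0.0.0.0/0", "Internet", "User"))
    return routes


def dnat_return_path(bgp_advertises_default, udr_default_to_internet, client_ip="203.0.113.10"):
    """Where the firewall sends its reply to an Internet client after DNAT. Unless the
    answer is 'Internet', the reply leaves asymmetrically and the client never sees it."""
    routes = firewall_subnet_routes(bgp_advertises_default, udr_default_to_internet)
    return resolve_next_hop(routes, client_ip)


def onprem_path(udr_default_to_internet, onprem_ip="192.168.1.5"):
    """Traffic to the on-prem application must still ride ExpressRoute with the 0/0 UDR in place."""
    return resolve_next_hop(firewall_subnet_routes(True, udr_default_to_internet), onprem_ip)


if __name__ == "__main__":
    for bgp, udr in [(False, False), (True, False), (True, True)]:
        print(f"BGP default={bgp!s:5} UDR 0/0->Internet={udr!s:5} reply next hop: {dnat_return_path(bgp, udr)}")
    print("on-prem next hop with the UDR in place:", onprep_path(True) if False else onprem_path(True))
```

Two things the run makes visible. With a BGP-advertised default route and no UDR, the firewall's reply to the Internet client is handed to the ExpressRoute gateway, which is exactly the asymmetric path Yair warns about; the UDR restores a reply via Internet while the more specific on-prem prefix still wins for on-prem destinations, so the ExpressRoute path is not broken by the fix. In a real subscription the equivalent check is the effective route table of a NIC in the subnet in question (`az network nic show-effective-route-table` or the portal's "Effective routes" view): if it already shows 0.0.0.0/0 with next hop Internet, as the original post's filtered BGP default suggests, the default route is not the cause and the NSG and DNAT checks in the other reply are the next place to look.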