Help! - How is VNet traffic reaching vWAN/on‑prem when the VNet isn’t connected to the vWAN hub
Hello, I needed some clarity on how the following is working: Attached is a network diagram of our current setup. The function apps (in VNet-1) initiate a connection(s) to a specific IP:Port or FQDN:Port in the on-premises network(s). A Private DNS zone ensures that any FQDN is resolved to the correct internal IP address of the on-prem endpoint. In our setup, both the function app and the external firewall reside in the same VNet. This firewall is described as “Unattached” because it is not the built-in firewall of a secured vWAN hub, but rather an independent Azure Firewall deployed in that VNet. The VNet has a user-defined default route (0.0.0.0/0) directing all outbound traffic to the firewall’s IP. The firewall then filters the traffic, allowing only traffic destined to whitelisted on-premises IP: Port or FQDN: Port combinations (using IP Groups), and blocking everything else. The critical question and the part that I am unable to figure out is: Once the firewall permits a packet, how does Azure know to route it to the vWAN hub and on to the site-to-site VPN? Because VNet-1 truly has no connection at all to the vWAN hub (no direct attachment, no peering, no VPN from the NVA). But the traffic is still reaching the on-prem sites. Unable to figure out how this is happening. Am I missing something obvious? Any help on this would be appreciated. Thank you!
Traffic processing BGP Azure VPN gateway A/A
Hello, Can someone explain how Azure processes the traffic with implemented a VPN gateway in Active Active mode?. Azure firewall premium is also configured. BGP is without preferences. The user route definition is set up to the next hop Azure firewall . Is it possible in this scenario occurs the asymmetric routing with traffic drop by azure firewall ? In my understand is that, if we need to configure User route definition on Gateway subnet to inspect traffic to peering subnet, so the firewall don't see traffic passing through VPN gateway. Traffic going through ipsec tunnels can go different paths and firewall do not interfere because everything is routed to it by user route definition.
Networking out Private VNET in AZURE with a third party app such as payment gateway?
I need to do networking so that my VNET in Azure connects to third party applications such as payment gateways or messaging apps which are in Public internet. Please let me know the options and why we should prefer one over the other?
Spoke-Hub-Hub Traffic with VPN Gateway BGP and Firewall Issue
Hello, I’m facing a situation where I’m trying to have Azure Firewall Inspection on the VPN Gateway VNET-VNET Connectivity. It seems to work if I go from SpokeA-HubAFirewall-HubAVPN—HubBVPN-SpokeB but if I try to go from SpokeA-HubAFirewall-HubAVPN-HubBVM or Inbound Resolver it fails to route correctly according to Connectivity Troubleshooter it stops at HubAVPN with Local Error: RouteMissing but then reaches destination health so makes me believe it’s getting there but not following the route I want it to take which might be causing routing issues. What Am I missing here? This connectivity was working before introducing the Azure Firewall for Inspection with the UDR. Is what I’m trying to accomplish not possible? I’ve tried different types of UDR rules on the Gateway Subnet, and this is my most recent configuration. The reason I’m trying to accomplish this is because I’m seeing a similar error in our Hub-Spoke Hybrid environment and I’m trying to replicate the issue. Current Configuration 2x Hubs with Spoke networks attached so example Hub-Spoke-A Configuration: Hub-A Contains following subnets and Resources VPN Gateway - GateWaySubnet Azure Firewall - AzureFirewallSubnet Inbound Private Resolver - PrivateResolverSubnet Virtual Machine – VM Subnet Gateway Subnet has an attached UDR with the following routes Propagation - True Prefix Destination – Hub-B Next Hop Type – Virtual Appliance Next Hope IP – Hub-A Firewall Prefix Destination – Spoke-B Next Hop Type – Virtual Appliance Next Hope IP – Hub-A Firewall Hub-Spoke-B Configuration: Hub-B Contains following subnets and Resources VPN Gateway - GateWaySubnet Azure Firewall - AzureFirewallSubnet Inbound Private Resolver - PrivateResolverSubnet Virtual Machine – VM Subnet Gateway Subnet has an attached UDR with the following Routes Propagation - True Prefix Destination – Hub-A Next Hop Type – Virtual Appliance Next Hope IP – Hub-B Firewall Prefix Destination – Spoke-A Next Hop Type – Virtual Appliance Next Hope IP – Hub-B Firewall Spoke Subnets has an attached UDR with the following Routes Propagation - True Prefix Destination – 0.0.0.0/0 Next Hop Type – Virtual Appliance Next Hope IP – HubA/HubB Firewall (Depending on what hub its peered to) VPN Gateways HA VNET-VNET with BGP Enabled. I can see that it knows the routes and like I said this was working prior introducing the UDRs for force traffic through the azure firewall.
Can only remote into azure vm from DC
Hi all, I have set up a site to site connection from on prem to azure and I can remote in via the main dc on prem but not any other server or ping from any other server to the azure. Why can I only remote into the azure VM from the server that has Routing and remote access? Any ideas on how I can fix this?
Route-metrics in Azure P2S VPN
We have the following setup in our environment: Azure VPN Gateway S2S-VPN between gateway and our on-premise datacentre. P2S-VPN between gateway and clients. This P2S VPN is configured with AAD-authentication and the VPN profile is assigned to a client via Intune and XML-configuration. I have attached a stripped down version of our .xml with information that is not sensitive. (azurevpn.xml). It's in the zipped file. This setup is working overall fine, we add some routes to direct the traffic to the right place. We also have a management-VPN deployed that some of our employees use to get access to our network equipment and other administrative devices. This is a Cisco Anyconnect VPN. When connected to both this VPN-profile and the AzureVPN it let's them traverse both the management-net and the "customer"-net and let's them query DNS in both nets. The Anyconnect-VPN just as the AzureVPN has routes assigned to it, which when connected, one of the routes gets assigned a metric of 35. When then the P2S-VPN is connected it assigns the metric 311 on the same route. 311 seems to be the "default" metric on the routes specified in our .xml. This causes the issues in our case and we need to assign a metric lower then 35 to the P2S-route. Is there any way to assign a metric to a route that we push with the .xml? According to the Microsoft Docs here https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-profile-intune which links to this Docs https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp says you are able to do this. However if we try to add for example "<metric>25</metric> to the xml this gets ignored on the client. I have attached a section of the AzureVpnCxn.log which is stripped of sensitive information where this can be seen. Please advicePlease clarify for required certificates for P2S connection in Azure
Hi, For Point-to-Site connection in Azure, certificates of Windows are exported. Depending on Windows system, I have seen different situation in certmgr.msc as below 1st Windows system 2nd Windows system 3rd Windows system Please let me know Which certificates we need to export at certmgr.msc? If we need to export Personal certificate, what I need to do, if no certificates are showing or another certificates (like Adobe) are showing at Personal? Please clarify with additional required information. We’ll be thankful for your assistance. With Regards NndnG
BGP Routing from and to VPN Gateway
Hello All, I am setting up a lab concerning vWAN connection to onprem via SDWAN and I have some issues getting the routing to work properly. I have a hub which symbolizes the on-premises hub with a VPN gateway (gw-onprem) and a VM (on-prem-hubvm) deployed. Attached to the onprem-hub is a) on-prem spoke with a VM (on-prem VM). b) two vnets that symbolize the sdwan. Both of which have a VPN gateway as well as one VM each deployed (gw-sd-1/2) The SDWan Gateways are connected via s2s to two different vWAN hubs in two different locations. The vWAN has a third Hub which is not directly connected to on-prem What I am trying to lab is what direction the traffic is tacking from the vWAN Hubs to the last on-premise VM. The traffic currently goes all the way through the s2s vpn connection, but it gets dropped afterwards. I am struggling to set-up the routing from the sd-gw's to the on-premises machine. The routing needs to work through BGP The goal of the Lab is to see which path to on-premises is preferred if the hub preference is AS Path (shortest BGP Path). BGP is enabled on all VPN Gateways The SD GWs are peered to the onprem Hub GW but no vnet peering. The on-premises Vnets are peered. Somehow the VPN Gateways are not learning the routes to on-premises. I tried pointing the way with UDRs but somehow it also isnt working I've tried setting up UDRs so that the traffic would be the following vWAN Hub -> sd GW > sd VM > GW-onprem (> on-prem-hubvm) > on-prem VM
