Inbound connection stopped (website not accessible outside) after Firewall attachment to Subnet

Sunil Yadav 25 Reputation points
2023-06-29T10:30:11.79+00:00

I have three servers: Server1, Server2, and Server3. Server1 and Server2 are behind the Load Balancer. Our sites are hosted on Server1, Server2 and Server3.

DNS is pointing to the LB public IP for the site hosted on Server1 and Server2. For the other site, DNS is pointing directly to Server3.

After associating Azure Firewall with the subnet, all the sites stopped being accessible externally.

Tags: Azure Firewall, Azure Load Balancer

1 answer

  1. ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee
    2023-06-29T23:09:08.63+00:00

    @Sunil Yadav

    Thank you for reaching out. If I understand correctly, you have three servers deployed in a virtual network behind a public load balancer. Now, after associating Azure Firewall with the virtual network, all the sites hosted on Server1, Server2, and Server3 have stopped being accessible externally.

    Based on my understanding above, the likely cause in this case might be an asymmetric routing issue, which can break functionality in the public load balancer scenario as documented here.

    Asymmetric routing is where a packet takes one path to the destination and takes another path when returning to the source. This issue occurs when a subnet has a default route going to the firewall's private IP address and you're using a public load balancer. In this case, the incoming load balancer traffic is received via its public IP address, but the return path goes through the firewall's private IP address. Since the firewall is stateful, it drops the returning packet because the firewall isn't aware of such an established session.

    If this issue has not already been considered, you can follow the steps here to fix it. You will have to create:

    • A host route for the firewall's public IP address.
    • A NAT rule for Firewall's Public IP and Load Balancer's Public IP.

    If you have already taken the steps above, you can go through the Azure Firewall diagnostic logs to understand whether any particular firewall rule is blocking the communication.

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

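As an added illustration (not code from the post, the answerer, or Microsoft's documentation), the following Python model walks a single request and its reply through the two mechanisms the answer relies on: longest-prefix-match lookup in the backend subnet's route table, and a stateful firewall that forwards a reply only when it saw the forward flow. All addresses, the route lists, and the session-tracking simplification (keying state on the client IP rather than the full 5-tuple and NAT state) are assumptions made for the model; the NAT rule from the answer is modelled only as "the inbound leg now passes through the firewall", and the /32 host route is shown only for its effect on route selection.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses for the scenario (not from the post); public ones use RFC 5737 ranges.
CLIENT = "203.0.113.10"
LB_PUBLIC_IP = "198.51.100.20"
FW_PUBLIC_IP = "198.51.100.30"
FW_PRIVATE_IP = "10.0.1.4"   # firewall's private IP in AzureFirewallSubnet (assumed)
BACKEND_VM = "10.0.2.5"      # Server1, in the backend subnet (assumed)


@dataclass
class RouteTable:
    """Subnet route table with longest-prefix-match lookup, as Azure UDRs are evaluated."""
    routes: list  # list of (prefix, next_hop) tuples

    def next_hop(self, dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        best_len, best_hop = -1, "Internet"   # fallback: the system route to the Internet
        for prefix, hop in self.routes:
            net = ipaddress.ip_network(prefix)
            if addr in net and net.prefixlen > best_len:
                best_len, best_hop = net.prefixlen, hop
        return best_hop


@dataclass
class StatefulFirewall:
    """Forwards a reply only if the firewall already saw the forward flow."""
    sessions: set = field(default_factory=set)

    def inbound(self, client: str) -> None:
        # Simplification (assumed): real state is keyed on the 5-tuple plus NAT
        # translations; the client IP alone is enough to show the asymmetry.
        self.sessions.add(client)

    def allow_reply(self, client: str) -> bool:
        return client in self.sessions


def trace(route_table: RouteTable, via_firewall: bool) -> dict:
    """Trace one client request and the VM's reply; report what happened on each leg."""
    fw = StatefulFirewall()
    if via_firewall:
        # Fixed design from the answer: DNS points at the firewall public IP and a DNAT
        # rule hands the flow to the LB, so the firewall records the session first.
        fw.inbound(CLIENT)
        inbound = "client -> firewall public IP (DNAT) -> LB public IP -> VM"
    else:
        # Broken design: the LB public IP delivers straight to the VM; the firewall
        # never sees this leg.
        inbound = "client -> LB public IP -> VM"

    hop = route_table.next_hop(CLIENT)       # where the VM's reply to the client is sent
    if hop == FW_PRIVATE_IP:
        delivered = fw.allow_reply(CLIENT)   # stateful check on the return leg
    else:
        delivered = True                     # reply leaves without crossing the firewall
    return {"inbound": inbound, "return_next_hop": hop, "delivered": delivered}


# Default route sending all egress to the firewall (what attaching the firewall added).
DEFAULT_VIA_FW = [("0.0.0.0/0", FW_PRIVATE_IP)]
# The answer's fix: a /32 host route for the firewall's public IP with next hop Internet.
WITH_HOST_ROUTE = DEFAULT_VIA_FW + [(FW_PUBLIC_IP + "/32", "Internet")]

if __name__ == "__main__":
    print("broken:", trace(RouteTable(DEFAULT_VIA_FW), via_firewall=False))
    print("fixed: ", trace(RouteTable(WITH_HOST_ROUTE), via_firewall=True))
    print("next hop for the firewall public IP without host route:",
          RouteTable(DEFAULT_VIA_FW).next_hop(FW_PUBLIC_IP))
    print("next hop for the firewall public IP with host route:   ",
          RouteTable(WITH_HOST_ROUTE).next_hop(FW_PUBLIC_IP))
```

Running it shows the broken case ending with `delivered: False`: the reply follows the 0.0.0.0/0 route to the firewall's private IP, and the firewall drops it because it never saw the inbound leg. In the fixed case the inbound leg creates the session, so the same return route succeeds, and the /32 route is preferred over the default route for the firewall's own public IP purely by prefix length.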