Azure Firewall blocking traffic from Virtual Network Gateway

Ilian Felinto 0 Reputation points
2023-08-03T15:29:01.8733333+00:00

Hello All!

We have a VPN (Site-to-site) connecting our customers On-Prem network with our Azure environment. In this Azure environment we have a VNet containing two VMs. This VNet has an Azure Firewall associated to it. In the Firewall rules, we have DNAT Rules:

And Network Rules:

The firewall has two public IP addresses, which are redirecting to VM1 (100.64.0.4) and VM2 (100.64.0.5) on the DNAT Rules.

And the third Network Rule is allowing traffic between the customer's Local Net (10.1.13.0/24) and our internal Subnet (100.64.0.0/24).

For some reason we cannot find out, the customer onPrem machines are not able to connect to VM1 and VM2 on the ports specified (80, 7000-7200).

If we disassociate the Firewall from our Subnet, the connection works. Thus the Firewall is blocking the connections from the OnPrem machines that come through the VPN.

Is there any specific rule we need to setup in order to allow this?

Thanks for the help!


2 answers

  1. ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee
    2023-08-04T02:03:12.3333333+00:00

    @Ilian Felinto

    Thank you for reaching out.

    If I understand correctly, you are facing connectivity issue with your Azure firewall even though you have added the specific DNAT and Networking rules. If you disassociate the Firewall from our Subnet, the connection works, so the firewall is denying the connectivity.

    Is there any specific rule we need to setup in order to allow this?

    It will be difficult to suggest the exact rule you need to add to enable connectivity. As by default the firewall denies the traffic, it will be helpful if you could enable the Diagnostic logging for the firewall, as these logs will give you an idea of which specific rule type (Application, Network or DNAT) is blocking the traffic. You can take a look at the log structure here for the specific firewall rule. After taking a look at the msg property of the logs you will get a general idea of which specific rule needs to be added to enable connectivity. Just an FYI, when you enable diagnostic logging, usually there is a delay of ~30 mins before the logs start populating.

    Additionally, if you have NSGs deployed in your environment, you can check whether they are blocking the connectivity after DNAT takes place in the Firewall.

    Hope this helps! Please let me know if the issue still persists. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. msrini-MSFT 9,271 Reputation points Microsoft Employee
    2023-09-02T05:01:50.5433333+00:00

    Hi,

    When a DNAT rule is taking effect, it will have an implicit allow network rule and you don't need any explicit network rule.

    Since you have mentioned that you have On-Premises connected to your VNET via S2S, ideally traffic should be allowed based on the rules that you have mentioned in the screenshot.

    Can you take a look at the Network and Application logs and check if you can find the deny rule that it is hitting?

    Regards,

    Karthik Srinivas

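Both answers suggest reading the firewall's diagnostic logs to find the deny that the on-prem traffic is hitting. The script below is an added example (not from the original thread or from Microsoft) that triages constructed AzureFirewallNetworkRule entries: it parses the `msg` property, keeps only Deny events from the customer's 10.1.13.0/24 range to the 100.64.0.0/24 subnet named in the question, and tallies the destination, protocol and port so the missing rule can be read off. The exact wording of `msg` (`"<proto> request from <src>:<port> to <dst>:<port>. Action: <Allow|Deny>. ..."`) is an assumption based on the documented legacy log format; adjust the regex if your tenant emits a different shape.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample entries (not real customer logs) in the assumed legacy
# AzureFirewallNetworkRule "msg" format. Only the fields used below are kept.
SAMPLE_LOG = [
    {"category": "AzureFirewallNetworkRule", "properties": {"msg":
        "TCP request from 10.1.13.25:51234 to 100.64.0.4:80. Action: Deny. No rule matched. Proceeding with default action"}},
    {"category": "AzureFirewallNetworkRule", "properties": {"msg":
        "TCP request from 10.1.13.25:51235 to 100.64.0.5:7100. Action: Deny. No rule matched. Proceeding with default action"}},
    {"category": "AzureFirewallNetworkRule", "properties": {"msg":
        "TCP request from 10.1.13.40:49000 to 100.64.0.4:80. Action: Allow. Rule: \"OnPrem-to-VMs\""}},
    {"category": "AzureFirewallNetworkRule", "properties": {"msg":
        "UDP request from 100.64.0.4:53000 to 8.8.8.8:53. Action: Deny. No rule matched. Proceeding with default action"}},
    {"category": "AzureFirewallApplicationRule", "properties": {"msg":
        "HTTPS request from 100.64.0.5:44321 to example.com:443. Action: Deny. No rule matched. Proceeding with default action"}},
]

# Assumed msg layout; the trailing detail (matched rule or default-action note) is optional.
MSG_RE = re.compile(
    r"(?P<proto>TCP|UDP) request from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)"
    r"(?:\. (?P<detail>.*))?$"
)
ONPREM = ipaddress.ip_network("10.1.13.0/24")      # customer local net from the question
VM_SUBNET = ipaddress.ip_network("100.64.0.0/24")  # firewall-protected subnet from the question


def parse_network_rule_entry(entry):
    """Return the parsed fields of an AzureFirewallNetworkRule entry, or None for other categories."""
    if entry.get("category") != "AzureFirewallNetworkRule":
        return None
    m = MSG_RE.match(entry["properties"]["msg"])
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"], fields["dport"] = int(fields["sport"]), int(fields["dport"])
    return fields


def denied_onprem_to_vm(entries):
    """Count Deny events from the on-prem range to the VM subnet, keyed by (dst, proto, dport)."""
    hits = Counter()
    for entry in entries:
        p = parse_network_rule_entry(entry)
        if p is None or p["action"] != "Deny":
            continue
        if ipaddress.ip_address(p["src"]) in ONPREM and ipaddress.ip_address(p["dst"]) in VM_SUBNET:
            hits[(p["dst"], p["proto"], p["dport"])] += 1
    return hits


def denied_ports_by_destination(hits):
    """Collapse the counter into {dst: {proto: sorted ports}}, i.e. the allow rule still missing."""
    summary = defaultdict(lambda: defaultdict(set))
    for (dst, proto, dport) in hits:
        summary[dst][proto].add(dport)
    return {dst: {proto: sorted(ports) for proto, ports in protos.items()} for dst, protos in summary.items()}
```

Feed the output of `denied_ports_by_destination` back against the rule collection: every destination/port pair listed there is one the on-prem source is still being denied on.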