Routing internet traffic through NVA

Ankith 0

I have 2 subnets in my Vnet and in one of the subnet I have a NVA with ip forwarding enabled in the NIC as well as in the OS this also has a public ip so that I can ssh to it from my pc, the second subnet has a vm running in it, and also has a public ip for ssh, How do i make all the internet traffic to flow through the NVA before reaching the second subnet.
I tried adding a route table to the second subnet specifying that if the destination is the CIDR of second subnet, then next hop is virtual appliance (NVA) but that just disconnected my ssh connection to the vm in the second subnet and now im not able to ssh to it

Ravi Kanth Koppala 3,231 Reputation points Microsoft Employee

2023-12-23T10:19:05.55+00:00
@Ankith

To make all internet traffic flow through the NVA before reaching the second subnet, you need to create a route table and associate it with the second subnet. In the route table, create a user-defined route (UDR) with the destination CIDR block of 0.0.0.0/0 and the next hop type as Virtual Appliance. Then, associate the route table with the second subnet.

However, since you mentioned that adding a route table to the second subnet disconnected your SSH connection to the VM in the second subnet, it's possible that the UDR you created in the route table is not configured correctly. Make sure that the next hop type is set to Virtual Appliance and the next hop address is set to the private IP address of the NVA NIC that is connected to the second subnet.

Also, ensure that IP forwarding is enabled in the operating system of the NVA VM. If IP forwarding is not enabled, the NVA will not be able to forward traffic to the second subnet.

References:

Tutorial: Route network traffic with a route table using the Azure portal

Troubleshoot Azure Route Server issues

AI Note: This answer is generated using the Microsoft Q&A AI Assist.
KapilAnanth-MSFT 39,211 Reputation points Microsoft Employee

2024-01-03T13:01:52.96+00:00
@Ankith

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Can you please elaborate your use case?

Are you looking forward to route all traffic from VM to Internet flow through the NVA?

or

Are you looking forward to route all traffic from Internet to VM to flow through this NVA before reaching this VM?

Cheers,

Kapil
KapilAnanth-MSFT 39,211 Reputation points Microsoft Employee

2024-01-04T12:01:55.9366667+00:00

@Ankith

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil

1 answer

msrini-MSFT 9,266 Reputation points Microsoft Employee

2023-12-23T20:12:11.4433333+00:00

Hi,

Currently the path is Asymmetric and hence your ssh session is getting dropped. Your traffic to the VM is over its public IP and you have added a UDR to forward traffic to NVA and when NVA SNATs and sends it back to client, it gets dropped.

You will need to add a UDR rule where if your source is your client public IP next hop as internet and associate that to the VM subnet to which you are trying to ssh.

Regards,

Karthik Srinivas
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Routing internet traffic through NVA

1 answer