Azure networking

N Wakchaure, Jagdish 120

We have a customer running on prem infra structure. The on prem production ip range has vnet gatway connected to azure using the express route. There are some servers in dmz at on prem which we need to move in azure.

So we created another vnet in azure and deployed watchgaurd in second rg and vnet. This vnet dosent have express route or site to site connectivity but there is peering in them. Now if we create the server in this second vnet how that traffic go outside internet through firewall. Can we associate nat gateway to subnet ? But how vm traffic will pass through watchgaurd? Watchgaurd has the public IP also. And where watchgaurd is place ther is no express route or site to site connectivity. Question is how we can pass through traffic from watch gaurd firewall from second vnet / subnet. Then to public.

1 answer

KapilAnanth-MSFT 44,311 Reputation points Microsoft Employee

2024-08-27T04:09:28.5666667+00:00
@N Wakchaure, Jagdish ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I am afraid I do not understand what your requirement here is.

From the newly created VNET, do you want the VMs' traffic to go to the NVA (Watchguard) ?

Is my understanding correct?

If so, NAT Gateway is not required

You just have to use UDRs and point the traffic towards the NVA

Attach a route table with 0.0.0.0/0 route with NextHopType as NVA and IP as the private IP of the NVA

To all the subnets of the newly created VNET.

You can refer to this where the NVA is the Azure Firewall

You can follow the steps mentioned here and instead of Azure Firewall's Private IP, you can use your NVA's IP

Cheers,

Kapil
Please sign in to rate this answer.
N Wakchaure, Jagdish 120 Reputation points

2024-08-27T09:32:48.8933333+00:00

hello Kapil

Thanks for your help.

'When i define a route as you suggested but with specific subnet with NextHop Type as my watchgaurd private IP.

I am only able to ping /tracert to watch gaurd ip from my that specific subnet VM but not other vm in other subnet which are part of same vnet. i should be able to ping all the VM withn all my subnets but also only for dmz subnet my outbound external internet traffic should go from firewall appliance.

_____-----------------------------------------------

I have two vnet as below

vnet01- 5 subnet including subnet for dmz - in different rg1

vnet02- watch guard configured with private/ public ip. in different rg2 , as watch guard required empty RG . so we created in separate RG.

so there two things here.

i should be able to ping all the vm within all subnets. vms under nnet01

however, my DMZ subnet vm should send outbound traffic from watch guard firewall only

also do i need to move dmz vm,s in another vnet or rg to achieve this

Regards

Jagdish

KapilAnanth-MSFT 44,311 Reputation points Microsoft Employee

2024-08-27T10:39:16.0266667+00:00

@N Wakchaure, Jagdish ,

Do you have UDR in both the subnets?

If so, routing is properly configured in the Azure side

You can use the "View effective routes" feature in both the VMs to check if the nextHop is properly configured.

Your initial verbatim did not mention anything about intraVNET traffic.

Note that this is a separate case, see : How Azure selects a route

When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm.

i.e., Longest prefix match algorithm is preferred over a User-defined route

Only if multiple routes contain the same address prefix, User-defined route is preferred over System route

So, this means, for traffic within the Virtual network or Peered Virtual network, you should define the route as below

Create a route <VNET1AddressSpace> route with NextHopType as NVA and IP as the private IP of the NVA to all the subnets.

Create a route table with <VNET2AddressSpace> route with NextHopType as NVA and IP as the private IP of the NVA to all the subnets.

For traffic to Internet,

Attach a route with 0.0.0.0/0 route with NextHopType as NVA and IP as the private IP of the NVA

To address your query, "do i need to move dmz vm,s in another vnet or rg to achieve this"

Not required

As long as the two VNETs are peered, you should be able to define the routing

P.S : Also make sure your NVA is configured properly and you follow their configuration guide.

Enable IP Forwarding in the NVA's NIC.

Cheers,

Kapil
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure networking

1 answer

Your answer