VNETs in different subscriptions not communicating with Azure Firewall

Mathew Miller 0 Reputation points
2024-08-27T18:06:54.3866667+00:00

Having a head scratcher.

Layout:

Subscription 1:

Includes: VNET A, VPN Gateway to Data Center, Firewall with Policy.

Subscription 2:

Includes: VNET B, compute resources

Spinning up a VM in VNET A, I can communicate out and to the Data Center through the VPN gateway, which relies on the Firewall. So, looking at that, everything in Subscription 1 communicates correctly with the rest of the on-premises infrastructure. Peering VNET A & B, the connection is established and shows healthy; despite the peering, as soon as I put a compute resource in VNET B it will not communicate with the compute resource in VNET A, or to on-premises. A route table with next hop to the Firewall is not working either. I am probably just missing something very small and I cannot put my finger on it.


1 answer

ChaitanyaNaykodi-MSFT 25,841 Reputation points Microsoft Employee
2024-08-29T19:25:39.6866667+00:00

@Mathew Miller

Thank you for getting back and sharing additional details.

From the VNET A route screenshot above, I see you have added a /23 prefix with the next hop as the Firewall private IP.

[User's image]

This should be the route that directs VNET B traffic via the Azure Firewall private IP address, and it should be associated with the Gateway subnet of VNET A (as implemented here).

Based on your statement above that the subnet is the entire /25 in that VNET, I assume VNET B has a /25 address prefix, so in the route above the address prefix should be this /25 prefix of VNET B.

To validate whether the correct route is selected, you can use the Next hop feature of Azure Network Watcher. Next hop is a feature of Azure Network Watcher that gives you the next hop type, IP address, and route table ID for a specific destination IP address. Knowing the next hop information helps you determine whether traffic is being directed to the intended destination, or whether the traffic is being dropped. An improper configuration of routes, where traffic is directed to an on-premises location or a network virtual appliance, can lead to connectivity issues. Check the next hop from both VNET A's and VNET B's virtual machines.

Hope this helps! Thanks!

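The answer's point about the /23 versus /25 prefix follows from how Azure selects a subnet's effective route: the longest matching prefix wins, and only when prefixes tie does a user-defined route (UDR) take precedence over a system route. The model below is an added example, not code from the thread or from Microsoft, and the address ranges (a 10.10.0.0/24 hub VNET A, a 10.20.0.0/25 spoke VNET B, a firewall private IP of 10.10.0.68) are constructed sample values. It reproduces the kind of result Network Watcher's Next hop would report for the GatewaySubnet with each candidate UDR; BGP-learned routes and service endpoints are deliberately left out.

```python
"""Simplified model of Azure effective-route selection for a subnet.

Added example (not from the Q&A thread). Rule modelled: among all routes whose
prefix contains the destination, the longest prefix wins; on a tie, a user-defined
route beats a BGP route, which beats a system route. Addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                      # destination address prefix, e.g. "10.20.0.0/25"
    next_hop_type: str               # VnetLocal, VNetPeering, VirtualAppliance, Internet, None
    next_hop_ip: Optional[str] = None
    source: str = "System"           # "User" for a UDR, "BGP", or "System"


SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}

# Constructed sample address plan (hypothetical, not the poster's real ranges)
VNET_A = "10.10.0.0/24"       # hub: GatewaySubnet + AzureFirewallSubnet
VNET_B = "10.20.0.0/25"       # spoke holding the compute resources
FIREWALL_IP = "10.10.0.68"    # Azure Firewall private IP inside VNET A


def gateway_subnet_system_routes():
    """System routes Azure creates for a VNET A subnet once A and B are peered."""
    return [
        Route(VNET_A, "VnetLocal"),
        Route(VNET_B, "VNetPeering"),        # added automatically by the peering
        Route("0.0.0.0/0", "Internet"),
        Route("10.0.0.0/8", "None"),
        Route("172.16.0.0/12", "None"),
        Route("192.168.0.0/16", "None"),
    ]


def effective_route(routes, destination):
    """Return the route Azure would pick for `destination`, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    # Longest prefix first; UDR > BGP > System only breaks ties at equal length.
    return min(
        matches,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, SOURCE_PRIORITY[r.source]),
    )


def next_hop_for(udr_prefix, destination):
    """Effective next hop from the GatewaySubnet for `destination`, with a single UDR
    `udr_prefix -> VirtualAppliance (firewall)` associated with that subnet."""
    routes = gateway_subnet_system_routes() + [
        Route(udr_prefix, "VirtualAppliance", FIREWALL_IP, source="User")
    ]
    chosen = effective_route(routes, destination)
    return (chosen.next_hop_type, chosen.next_hop_ip) if chosen else ("None", None)


if __name__ == "__main__":
    spoke_vm = "10.20.0.10"   # constructed VM address in VNET B
    for udr in ("10.20.0.0/23", "10.20.0.0/25"):
        hop_type, hop_ip = next_hop_for(udr, spoke_vm)
        print(f"UDR {udr:<14} -> {spoke_vm}: {hop_type} {hop_ip or ''}")
    # Expected: the /23 UDR loses to the more specific /25 peering system route
    # (traffic bypasses the firewall); the /25 UDR ties and wins on UDR priority.
```

Run as-is to see why the /23 route in the screenshot leaves the peering system route in charge: the spoke VNET's /25 system route is more specific, so the UDR never applies, whereas a UDR carrying exactly VNET B's /25 prefix ties on length and wins on the UDR-over-system rule, sending the traffic to the firewall.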
