Azure firewall not work as expected

Alvaro s 1 Reputation point
2021-01-25T18:59:19.577+00:00

Hi,

I have a strange issue with Azure Firewall. We have deployed it in a hub-and-spoke architecture. We have configured different route tables that force the traffic between different VNets and subnets through it.

To deploy different rules we have been using IP groups. As we have been reading, there is an explicit rule that if there is no rule that matches, traffic will be dropped.

Surprisingly, we have discovered that machines can connect to SQL Server wherever it is located; the traffic is not allowed in the firewall rules, but all front-end VMs can connect to the databases. There is an explicit rule configured in all route tables, for every subnet, that forces the default route 0.0.0.0 to the appliance.
Also, at the firewall log level this traffic is neither matched nor logged, but having a look at a network trace we could check that the traffic goes to the firewall.

Has anyone had a similar problem? We have also thought that there could be a bug or issue when using IP groups instead of numeric IPs, but we haven't found any answer or idea about it.

I'd appreciate your suggestions.

Thanks
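The post rests on one claim: every route table sends 0.0.0.0/0 to the appliance, so the SQL flows must be reaching the firewall. Azure picks a route per packet by longest prefix match over the NIC's effective route table, so a 0.0.0.0/0 user route only carries a flow when no more specific active route covers the destination. The following script is an added example (not part of the original question or any answer) that runs that selection offline over a constructed route list in the shape `az network nic show-effective-route-table` returns; the firewall IP 10.0.1.4, the spoke prefix 10.1.0.0/16 and the 40.68.0.0/16 service-endpoint route are assumptions made for the sample, not values from the page.

```python
"""Longest-prefix-match audit over an Azure effective route table.

Added example, not code from the original post. It reproduces the per-packet
decision Azure makes: among the active routes in a NIC's effective route table
the longest matching prefix wins, and only when that route's next hop is the
firewall does a flow reach the firewall's rules and logs. All addresses below
are constructed sample data; the route dictionaries mimic the fields of
`az network nic show-effective-route-table` (trimmed).
"""
import ipaddress

FIREWALL_IP = "10.0.1.4"  # assumed private IP of the hub Azure Firewall

# Constructed sample: a spoke subnet whose UDR sends 0.0.0.0/0 to the firewall,
# plus the system routes Azure adds on its own.
EFFECTIVE_ROUTES = [
    {"source": "Default", "state": "Active", "addressPrefix": ["10.1.0.0/16"],
     "nextHopType": "VnetLocal", "nextHopIpAddress": []},
    {"source": "User", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": [FIREWALL_IP]},
    # The system default route is overridden by the UDR above; Azure reports it
    # as Invalid and it must be ignored during selection.
    {"source": "Default", "state": "Invalid", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "Internet", "nextHopIpAddress": []},
    # Assumed route added by a service endpoint for a PaaS range: it is more
    # specific than 0.0.0.0/0, so it wins for destinations inside it.
    {"source": "Default", "state": "Active", "addressPrefix": ["40.68.0.0/16"],
     "nextHopType": "VirtualNetworkServiceEndpoint", "nextHopIpAddress": []},
]


def select_route(routes, destination):
    """Return the active route with the longest prefix covering destination, or None."""
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for route in routes:
        if route.get("state") != "Active":
            continue  # skip routes Azure has already marked as overridden
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if dst in net and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
    return best


def goes_through_firewall(routes, destination, firewall_ip=FIREWALL_IP):
    """True only if the winning route is a VirtualAppliance hop to the firewall."""
    route = select_route(routes, destination)
    return (route is not None
            and route["nextHopType"] == "VirtualAppliance"
            and firewall_ip in route["nextHopIpAddress"])


def audit(routes, destinations, firewall_ip=FIREWALL_IP):
    """Map each destination to (matched prefix, next hop type, via_firewall)."""
    report = {}
    for dest in destinations:
        route = select_route(routes, dest)
        report[dest] = (
            route["addressPrefix"][0] if route else None,
            route["nextHopType"] if route else None,
            goes_through_firewall(routes, dest, firewall_ip),
        )
    return report


if __name__ == "__main__":
    # Constructed destinations: a spoke-local VM, an address inside the assumed
    # service-endpoint range, and an arbitrary Internet address.
    targets = ["10.1.0.5", "40.68.1.1", "8.8.8.8"]
    for dest, (prefix, hop, via_fw) in audit(EFFECTIVE_ROUTES, targets).items():
        print(f"{dest:>12} -> {prefix!s:<14} {hop:<32} via firewall: {via_fw}")
```

Running this against the real output of `az network nic show-effective-route-table` for a front-end VM, with the SQL server's actual address as the destination, tells you whether the flow the firewall never logs is selecting the 0.0.0.0/0 user route at all; any destination whose winning route is not a VirtualAppliance hop to the firewall is a flow the firewall's rules and logs will never see.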

Azure Firewall

2 answers

  1. Alvaro s 1 Reputation point
    2021-01-25T19:42:28.987+00:00

    Thanks for your quick answer.

    We have also checked the path using this tool and it is routed to Azure Firewall; it appears as the next hop, as we expect.

    Surprisingly, it only happens with SQL Server (all in different subscriptions), but not with Oracle, PostgreSQL, etc.


  2. Alvaro s 1 Reputation point
    2021-01-25T19:44:08.357+00:00

    Our rules are configured at the firewall level only, as the different VNets haven't been peered between them.
