S2S VPN via a Virtual Gateway and Firewall Route table causing issues

Andy Walsh 56 Reputation points
2022-07-22T10:15:50.907+00:00

I have a S2S VPN via a Virtual Gateway. The Virtual Gateway is part of the VNET we have our Azure Firewall configured for.

The S2S VPN works fine and I can connect to the resources on the On-Premise side of the VPN from an Azure Machine within the VNET.

I would like all traffic to route through the Firewall from the Azure Machine, especially the traffic to the internet, but if I put a route of 0.0.0.0/0 on the Subnet of the Virtual Machine I can no longer connect to the resource on the On-Premise side of the VPN. I suspect it is because we have an Egress NAT on the S2S VPN due to an overlapping Address range.

What routing configuration do I need to route traffic through the firewall and also over the VPN with the Egress NAT configured?

The Azure VNET Address = 10.10.0.0/16
The VM Subnet = 10.10.11.0/24
The Gateway Subnet = 10.10.0.0/24
The NAT Rule is Static - EgressSnat - 10.10.11.0/24 == 10.20.0.0/24

Without the 0.0.0.0/0 routing rule on the VM Subnet the VPN works fine. If I put the 0.0.0.0/0 route on that Subnet the VPN doesn't work, but without it I assume all the internet based traffic from the VM Subnet is not going through the firewall.

How can I achieve both: the VPN working and the internet traffic going through the firewall?

I have seen reference to asymmetric routing mentioned in some articles and this could be causing the issue as the packet takes one path to the destination and another path on returning due to the Egress NAT. I’m just not sure how to fix this to get it working.

Any help or pointing in the right direction would be greatly appreciated.


Accepted answer
  1. Jackson Martins 10,151 Reputation points MVP
    2022-07-22T12:21:48.763+00:00

1 additional answer

  1. Andy Walsh 56 Reputation points
    2022-07-22T11:56:32.293+00:00

    I've actually answered my own question with further testing and a bit of trial and error.

    I needed to add a route to the routing table for 10.20.0.0/24 (Egress NAT) to go back through the firewall.

    I think the problem was that the firewall was only seeing the outbound packets and the return packets were taking a different route, so by forcing the traffic on the NAT Egress IPs back through the firewall it seems to work. Obvious when I think about it!

    2 people found this answer helpful.
