Traffic not flowing via Azure Firewall when using site-to-site VPN
I have created a site-to-site connection between AWS and Azure. In Azure, I have a firewall in place. When the gateway connection is established, traffic is not flowing through the Azure firewall. However, when the gateway connection is disconnected or deleted, traffic flows through the firewall as expected.
Scenario: In the spoke VNet, I have created a VM. When the gateway connection is active, the VM is unable to access the internet. But when the gateway is disconnected, the VM can access the internet. A route has been added with 0.0.0.0/0 and the next hop set to the firewall IP.
Azure VPN Gateway
Azure Firewall
Azure Firewall Manager
-
Rohith Vinnakota 1,780 Reputation points • Microsoft Vendor
2024-12-26T21:59:39.9466667+00:00 Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
To achieve this, ensure that you add route tables to the subnet where the traffic is directed for the site-to-site connection. Additionally, include a route table in the gateway subnet, setting the next hop to the private IP of the firewall.
Note: Allow the traffic in the Azure Firewall.
Refer to this link:
https://cloudcurve.co.uk/azure/how-to-route-site-to-site-vpn-traffic-via-azure-firewall/
If you have any further queries, do let us know.
Thanks,
Rohith
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
-
Anushankar Konduri 0 Reputation points
2024-12-27T03:02:28.09+00:00 Hi @Rohith Vinnakota thanks for your response. I followed the same steps, adding the route to the gateway subnet as the Azure CIDR to the firewall's private IP, and for the spoke subnet, I set the AWS VPC CIDR with the firewall's IP as the next hop. However, traffic is not flowing through Azure Firewall.
Additionally, when the gateway connection is established, I'm unable to make any updates on the Azure Firewall.
Thanks.
-
Rohith Vinnakota 1,780 Reputation points • Microsoft Vendor
2024-12-30T23:14:55.9333333+00:00 Greetings!
I have set up the lab on my end. I created the Hub VNet, which includes the firewall and the VPN gateway, and the spoke VNet, which communicates with the on-premises network.
To enable communication with the on-premises network from the spoke VNet, I peered it with the Hub VNet using 'Gateway Transit.'
Gateway Transit allows peered virtual networks to use the Azure VPN gateway in the Hub-RM.
For creating Gateway Transit, refer to this link: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit.
As mentioned in the previous comment, I created the routes. Then, I checked the firewall logs and confirmed that the traffic is reaching the firewall.
Note: Allow the traffic in the firewall and also add route on on-prem to spoke subnet.
Trace route from on-prem to spoke VNet (10.20.2.8 is the firewall IP).
Trace route from spoke VNet to on-prem.
If the above is unclear and/or you are unsure about something, add a comment below.
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Regards,
Rohith
-
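As an added example (an editor's illustration, not code from this thread or from Microsoft), the route tables described in the two answers above can be checked against Azure's documented route-selection rule: longest prefix match first; on a tie, user-defined routes win over routes learned from the virtual network gateway, which win over system routes. The firewall IP 10.20.2.8 comes from the thread; the hub, spoke and AWS address spaces, the host addresses, and the hypothetical case in which AWS advertises a default route over the tunnel are assumptions made for illustration.

```python
"""Model of Azure effective-route selection for a hub/spoke VNet with Azure Firewall
and a site-to-site VPN gateway (added example, not Microsoft's or the thread's code).
Rule modelled (documented Azure behaviour): longest prefix match, then
UDR > routes learned via the virtual network gateway > system routes."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

FW_IP = "10.20.2.8"                              # firewall private IP quoted in the thread
HUB, SPOKE = "10.20.0.0/16", "10.30.0.0/16"     # assumed VNet address spaces
AWS = "172.16.0.0/16"                            # assumed AWS VPC CIDR
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str              # VirtualNetwork, VnetPeering, Internet, VirtualNetworkGateway, VirtualAppliance
    source: str                # User (UDR), VirtualNetworkGateway (learned over the VPN), Default (system)
    next_hop_ip: Optional[str] = None


def select_route(routes, dst):
    """Return the route Azure would apply to a packet for dst (longest prefix, then source rank)."""
    d = ipaddress.ip_address(dst)
    matches = [r for r in routes if d in ipaddress.ip_network(r.prefix)]
    matches.sort(key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]))
    return matches[0] if matches else None


def validate_gateway_subnet(udrs):
    """Azure rejects a 0.0.0.0/0 UDR on GatewaySubnet; catch it before a deployment fails."""
    for r in udrs:
        if r.source == "User" and r.prefix == "0.0.0.0/0":
            raise ValueError("0.0.0.0/0 UDR is not supported on GatewaySubnet")
    return True


def hub_tables(gw_learned, fw_udrs=(), gw_udrs=(), spoke_udrs=()):
    """Effective route tables for the three subnets that matter. System routes and routes
    learned from the VPN gateway appear in every hub subnet (AzureFirewallSubnet included)
    and, through peering with gateway transit / use remote gateways, in the spoke subnet too."""
    system_hub = [Route(HUB, "VirtualNetwork", "Default"), Route(SPOKE, "VnetPeering", "Default"),
                  Route("0.0.0.0/0", "Internet", "Default")]
    system_spoke = [Route(SPOKE, "VirtualNetwork", "Default"), Route(HUB, "VnetPeering", "Default"),
                    Route("0.0.0.0/0", "Internet", "Default")]
    validate_gateway_subnet(gw_udrs)
    return {
        "spoke-subnet": system_spoke + list(gw_learned) + list(spoke_udrs),
        "GatewaySubnet": system_hub + list(gw_learned) + list(gw_udrs),
        "AzureFirewallSubnet": system_hub + list(gw_learned) + list(fw_udrs),
    }


def path(tables, start, dst):
    """Follow a packet hop by hop. A VirtualAppliance hop to the firewall means the firewall
    then forwards the packet using AzureFirewallSubnet's own effective routes."""
    hops, cur = [], start
    while True:
        r = select_route(tables[cur], dst)
        hops.append(r.next_hop)
        if r.next_hop == "VirtualAppliance" and r.next_hop_ip == FW_IP and cur != "AzureFirewallSubnet":
            cur = "AzureFirewallSubnet"
            continue
        return hops


# Constructed inputs: routes learned from the S2S connection and the UDRs discussed in the thread.
AWS_HOST, SPOKE_VM, WEB = "172.16.5.10", "10.30.1.4", "93.184.216.34"   # assumed hosts
learned = [Route(AWS, "VirtualNetworkGateway", "VirtualNetworkGateway")]
default_only = [Route("0.0.0.0/0", "VirtualAppliance", "User", FW_IP)]            # the question's UDR
full_spoke = default_only + [Route(AWS, "VirtualAppliance", "User", FW_IP)]      # plus the AWS CIDR UDR
gw_udr = [Route(SPOKE, "VirtualAppliance", "User", FW_IP)]                       # GatewaySubnet UDR


def spoke_to_aws(spoke_udrs):
    return path(hub_tables(learned, spoke_udrs=spoke_udrs), "spoke-subnet", AWS_HOST)


def aws_to_spoke(gw_udrs):
    return path(hub_tables(learned, gw_udrs=gw_udrs), "GatewaySubnet", SPOKE_VM)


def spoke_to_internet(gw_learned, fw_udrs=()):
    """Internet-bound traffic from the spoke VM, optionally with a default route learned over the VPN."""
    return path(hub_tables(gw_learned, fw_udrs=fw_udrs, spoke_udrs=default_only), "spoke-subnet", WEB)


if __name__ == "__main__":
    print("spoke->AWS, only 0.0.0.0/0 UDR:", spoke_to_aws(default_only))      # gateway route wins, firewall bypassed
    print("spoke->AWS, AWS CIDR UDR added:", spoke_to_aws(full_spoke))        # via firewall, then gateway
    print("AWS->spoke, GatewaySubnet UDR:", aws_to_spoke(gw_udr))             # return path also via firewall
    hypothetical = learned + [Route("0.0.0.0/0", "VirtualNetworkGateway", "VirtualNetworkGateway")]
    print("spoke->Internet, default route learned over VPN:", spoke_to_internet(hypothetical))
    print("  ...with 0.0.0.0/0->Internet UDR on AzureFirewallSubnet:",
          spoke_to_internet(hypothetical, fw_udrs=[Route("0.0.0.0/0", "Internet", "User")]))
```

The first two scenarios reproduce the point of the answers above: a 0.0.0.0/0 UDR alone never sends AWS-bound traffic to the firewall, because the /16 learned through the gateway is a longer match, so the spoke subnet needs an explicit UDR for the AWS CIDR and GatewaySubnet needs one for the spoke CIDR. The last scenario is a hypothesis to verify, not a diagnosis: on the real deployment, compare the model against `az network nic show-effective-route-table` for the spoke VM's NIC and `az network vnet-gateway list-learned-routes` for the gateway. If a 0.0.0.0/0 route with next hop VirtualNetworkGateway is learned, AzureFirewallSubnet inherits it as well and the firewall forwards internet-bound traffic into the tunnel; Azure's documentation then calls for a 0.0.0.0/0 → Internet UDR on AzureFirewallSubnet or a forced-tunneling deployment with an AzureFirewallManagementSubnet.
-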
Anushankar Konduri 0 Reputation points
2024-12-31T04:53:19.11+00:00 Hi @Rohith Vinnakota
I followed the same configuration from Day 1 (https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit).
Snippet of tracert from Azure to AWS resource:
And what I got to know from support is:
As per the logs, I found that there were drops today at 11:37 AM, 11:47 to 11:52 and 5:07 PM. The errors show a traffic selector mismatch and SA timeout. Generally these types of errors occur when there is a policy mismatch between Azure and on-prem. In this scenario the connection policies between Azure and AWS are not matching. Can you please let me know whether you are using custom connection policies or the default ones?
Trying to fix this.
-
Anushankar Konduri 0 Reputation points
2024-12-31T04:59:10.2066667+00:00 Hi @Rohith Vinnakota
I followed the same document when I had set up the environment. Below is the snippet of tracert from Azure to AWS:
I got to know from the support team that the issue is related to some policy. Trying to fix it.
As per the logs, I found that there were drops today at 11:37 AM, 11:47 to 11:52 and 5:07 PM. The errors show a traffic selector mismatch and SA timeout. Generally these types of errors occur when there is a policy mismatch between Azure and on-prem. In this scenario the connection policies between Azure and AWS are not matching. Can you please let me know whether you are using custom connection policies or the default ones?
-
Rohith Vinnakota 1,780 Reputation points • Microsoft Vendor
2025-01-03T01:17:29.6833333+00:00 Sorry for delay.
Can you please let me know whether if you are using the custom connection policies or the default ones.
I'm using default ones.
Could you also verify whether the necessary traffic has been allowed through the firewall?
If above is unclear and/or you are unsure about something add a comment below.
Regards,
Rohith
-
Anushankar Konduri 0 Reputation points
2025-01-03T14:28:06.6833333+00:00 I'm using the default policies only, and I have added an any-to-any allow rule (wildcard).
-
Rohith Vinnakota 1,780 Reputation points • Microsoft Vendor
2025-01-06T08:13:17.5866667+00:00 Sorry for delay.
This is strange. Can you try removing the route table and then attempting the RDP connection from Azure to on-premises without the Azure Firewall?
If the RDP connection is successful, the issue may be with the route table. Also, please verify if the site-to-site VPN connection is properly established.
If above is unclear and/or you are unsure about something add a comment below.
Regards,
Rohith
-
Rohith Vinnakota 1,780 Reputation points • Microsoft Vendor
2025-01-07T04:49:07.9766667+00:00 Greetings!
Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Regards,
Rohith.
-
Rohith Vinnakota 1,780 Reputation points • Microsoft Vendor
2025-01-08T01:41:24.1833333+00:00 Greetings!
Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Regards,
Rohith.