Hello, Recently I have create a system like below image I have config 3 VNET: VNET test(10.19.0.0/16) : in this vnet, I config a subnet(10.19.0.0/24) and a test VM (OS window server 2022) with a public IP named publicIPDev. I want to remote to this test VM, then connect VPN Site-to-Site to Hub, then connect remote desktop to VM on VNET Spoke VNET hub(10.18.0.0/16): in this vnet, I config 3 subnets: Subnet for VPN (10.18.2.0/24): this subnet I also create a VPN Site-to-Site Subnet for Firewall(10.18.1.0/24): this subnet I also create a Firewall. The firewall rule configuration is: Basic firewall SKU Assigned a public IP Not enabled Firewall Management NIC Use basic firewall policy. Create a network rule collection. Select allow. then create a rule like below: Name: AllowRDP rule Protocol: TCP Source type , IP address . Source: 10.18.0.0/24. - this is address space of vnetHub Destination type ,: IP address . Destination Address: 10.12.0.0/16 . - this is address space of vnetSpoke Destination Ports : 3389 . Subnet for testing(10.18.0.0/24): this subnet I create a VM called VMHub , this VM is just assigned a private IP (10.18.0.4) VNET spoke(10.12.0.0/16): This subnet I config a subnet(10.12.0.0/24). In this subnet, I also create a VM called VMSpoke , this VM is just assigned a private IP (10.12.0.4) VNET hub and VNET spoke is also peer. I follow instruction to create peering in this link https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit I also config 2 route table: A route table UDR hub to spoke , I set as below I set a route with below config: Destination type: IP addresses Destination IP addresses/CIDR range: 10.12.0.0/16 - this is Vnet spoke address space Next hop type: Virtual appliance Next hop address: Firewall's private IP Attach to Subnet for VPN (10.18.2.0/24) A route table UDR default route . I understand that this default route will allow outbound traffic for VM in Vnet Spoke. I set as below I set a route with below config: Destination type: IP addresses Destination IP addresses/CIDR range: 0.0.0.0/0 Next hop type: Virtual appliance Next hop address: Firewall's private IP Attach to Subnet of Vnet Spoke (10.12.2.0/24) In test VM , I config and connect successfully to VPN. And from there, I can connect Remote desktop to VMHub via private IP: 10.18.0.4 However, I cannot connect Remote desktop to VMSpoke via private IP: 10.12.0.4. The VM VMSpoke's port 3389 is opened. When I connect from testVM through VPN to VMHub , in VMHub i can conenct remote desktop to VMSpoke Please help me to review my configuration

@lucas , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well In the Route Table " UDR default route ", Please add a more specific route, VNET Test's address range to be precise. In the peering between the two VNETs, make sure "Allow 'vnet-2' to receive forwarded traffic from 'vnet-1'" is enabled on both the peering. Once done, try to initiate traffic from the VMTest to VMSpoke, And see if the traffic is logged at the firewall This will tell us if the traffic is reaching the VNET Hub or not And if the Firewall allows/denies the traffic Cheers, Kapil

Hub, Spoke - S2S VPN Trafice via Azure Firewall

lucas 25

Hello,

Recently I have create a system like below image

devops-flow-Page-223 (1)

I have config 3 VNET:

VNET test(10.19.0.0/16) : in this vnet, I config a subnet(10.19.0.0/24) and a test VM (OS window server 2022) with a public IP named publicIPDev. I want to remote to this test VM, then connect VPN Site-to-Site to Hub, then connect remote desktop to VM on VNET Spoke
VNET hub(10.18.0.0/16): in this vnet, I config 3 subnets:
1. Subnet for VPN (10.18.2.0/24): this subnet I also create a VPN Site-to-Site
2. Subnet for Firewall(10.18.1.0/24): this subnet I also create a Firewall. The firewall rule configuration is:
  1. Basic firewall SKU
  2. Assigned a public IP
  3. Not enabled Firewall Management NIC
  4. Use basic firewall policy.
  5. Create a network rule collection. Select allow. then create a rule like below:
    1. Name: AllowRDP rule
    2. Protocol: TCP
    3. Source type, IP address.
    4. Source: 10.18.0.0/24. - this is address space of vnetHub
    5. Destination type,:IP address.
    6. Destination Address: 10.12.0.0/16. - this is address space of vnetSpoke
    7. Destination Ports: 3389.
3. Subnet for testing(10.18.0.0/24): this subnet I create a VM called VMHub, this VM is just assigned a private IP (10.18.0.4)
VNET spoke(10.12.0.0/16): This subnet I config a subnet(10.12.0.0/24). In this subnet, I also create a VM called VMSpoke, this VM is just assigned a private IP (10.12.0.4)

VNET hub and VNET spoke is also peer. I follow instruction to create peering in this link https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

I also config 2 route table:

A route table UDR hub to spoke, I set as below
1. I set a route with below config:
  1. Destination type: IP addresses
  2. Destination IP addresses/CIDR range: 10.12.0.0/16 - this is Vnet spoke address space
  3. Next hop type: Virtual appliance
  4. Next hop address: Firewall's private IP
2. Attach to Subnet for VPN (10.18.2.0/24)
A route table UDR default route. I understand that this default route will allow outbound traffic for VM in Vnet Spoke. I set as below
1. I set a route with below config:
  1. Destination type: IP addresses
  2. Destination IP addresses/CIDR range: 0.0.0.0/0
  3. Next hop type: Virtual appliance
  4. Next hop address: Firewall's private IP
2. Attach to Subnet of Vnet Spoke (10.12.2.0/24)

In test VM, I config and connect successfully to VPN. And from there, I can connect Remote desktop to VMHub via private IP: 10.18.0.4

However, I cannot connect Remote desktop to VMSpoke via private IP: 10.12.0.4.

The VM VMSpoke's port 3389 is opened. When I connect from testVM through VPN to VMHub, in VMHub i can conenct remote desktop to VMSpoke

Please help me to review my configuration

lucas 25 Reputation points

2025-01-06T14:24:45.58+00:00

Thank @KapilAnanth-MSFT
I will try and give you feedback
Silvia Wibowo 4,926 Reputation points Microsoft Employee

2025-01-07T00:50:48.4366667+00:00
Hi @lucas , you created a network rule for your Azure Firewall to AllowRDP from:

Source: 10.18.0.0/24 (vnetHub subnet test)

Destination Address: 10.12.0.0/16 (vnetSpoke)

Destination Ports: 3389

You need to create another network rule similar to that, allowing:

Source: 10.19.0.0/16 (vnetTest)

Destination Address: 10.12.0.0/16 (vnetSpoke)

Destination Ports: 3389

For routing table:

Does your Azure Firewall know the route to reach vnetTest (10.19.0.0/16)? You may need to add the entry on its route table, with next hop: Vnet Gateway.

Does VM Test know the route to reach vnetSpoke (10.12.0.0/16)? How did you create S2S VPN connection from vnetTest to vnetHub?

Did you use a VPN Gateway and local network gateway in vnetTest? You may need to add vnetSpoke's CIDR as address space of local network gateway in vnetTest.

If you use VPN Gateway with vnet-to-vnet connection, local network gateway is not configurable. You'd need to use Azure Firewall's DNAT rule to reach VM Spoke: VM Test RDP to Firewall's private IP address (10.18.1.4) -> DNAT rule to VM Spoke.

Please let me know if you have questions.
lucas 25 Reputation points

2025-01-07T06:50:13.74+00:00
Hello @Silvia Wibowo ,

Thank you for support me

I created 2 network rule like you suggest, the VNET test I changed from 10.19.0.0/16 to 172.22.0.0/16

I deleted 2 old UDR, and create 3 new route table:

hubRouteTable, below is the config of 2 routes:

First route:

Destination type: IP addresses

Destination IP addresses/CIDR range: 10.12.0.0/16 - this is Vnet spoke address space

Next hop type: Virtual appliance

Next hop address: Firewall's private IP

Second route

Destination type: IP addresses

Destination IP addresses/CIDR range: 172.22.0.0/16 - this is Vnet test address space

Next hop type: Virtual appliance

Next hop address: Firewall's private IP

Attach to Subnet of VPN (10.18.2.0/24). This subnet is inside VNet Hub

spokeRouteTable, below is the config of a route:

Destination type: IP addresses

Destination IP addresses/CIDR range: 172.22.0.0/24 - this is Vnet test address space

Next hop type: Virtual appliance

Next hop address: Firewall's private IP

Attach to Subnet of VPN (10.12.2.0/24). This subnet is inside VNet Spoke

onpremiseRouteTable, below is the config of a route:

Destination type: IP addresses

Destination IP addresses/CIDR range: 10.12.0.0/16 - this is Vnet spoke address space

Next hop type: Virtual appliance

Next hop address: Firewall's private IP

Attach to Subnet of test subnet (172.22.0.0/24)

I also changed the local network gateway, I add 2 address spaces

However, when I try to create a Site-to-Site connection, I got below error

For the config of VPN on VM test(Vnet test), I follow the video https://youtu.be/_sXNMpelCAo?t=963

I set up and checked that the VPN work fine, because inside VNet HUB, I created a VM in VnetHub with private IP, then on VM test (Vnet test), by conencting to VPN, I can remote desktop to VM in VnetHub via private IP
lucas 25 Reputation points

2025-01-07T09:42:41.0166667+00:00

Thank you @KapilAnanth-MSFT and @Silvia Wibowo

It works. I will post answer below and mark as acepted answer
KapilAnanth-MSFT 48,261 Reputation points Microsoft Employee

2025-01-07T10:23:04.95+00:00

@lucas , Glad we could be of assistance.

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I have summarized our comments into an Answer.

I would greatly appreciate if you could "Accept" the answer and close this thread.

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil

Accepted answer

KapilAnanth-MSFT 48,261 Reputation points Microsoft Employee

2025-01-06T13:02:00.7533333+00:00
@lucas ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well

In the Route Table "UDR default route",

Please add a more specific route, VNET Test's address range to be precise.

In the peering between the two VNETs, make sure
"Allow 'vnet-2' to receive forwarded traffic from 'vnet-1'"
is enabled on both the peering.

Once done, try to initiate traffic from the VMTest to VMSpoke,

And see if the traffic is logged at the firewall

This will tell us if the traffic is reaching the VNET Hub or not

And if the Firewall allows/denies the traffic

Cheers,

Kapil
Please sign in to rate this answer.
lucas 25 Reputation points

2025-01-06T18:28:45.28+00:00

Hello @KapilAnanth-MSFT

I have try to add address space of testVM in the Route Table "UDR default route",

I also try to assign an public IP to VM on Spoke Vnet, and try the tracert command to private IP of test VM

tracert 172.22.0.6 (this is private IP of test VM). The first hop IP 10.18.1.5 - I guess this is privatte IP of firewall

In the VM test, I also try tracert command

tracert 10.12.0.4 (this is private IP of VM on spoke VNET), but it cannot trace

In the peering between spoke and hub, I have setup "Allow 'vnet-2' to receive forwarded traffic from 'vnet-1'" for both VNET

Could you help me to check this?

KapilAnanth-MSFT 48,261 Reputation points Microsoft Employee

2025-01-07T06:43:09.87+00:00

@lucas ,

1 . As mentioned by Silvia Wibowo, can you please update the firewall rules

The source should be the IP/Address range of the TestVM/TestVNET and not VNETHub

Destination should be the IP Address of the Spoke VM.

2 . In the peering, please make sure "Allow Gateway Transit" is enabled.

In the Peering from Hub : Allow gateway or route server in 'VNET Hub' to forward traffic to the peered virtual network: Select the checkbox.

In the Peering from Spoke : Enable 'VNET Spoke' to use 'VNET Hub's' remote gateway or route server: Select the checkbox.

And repeat the tests. If the issue prevails,

3 . In both the cases,

Can you please check the firewall logs

It will tell you whether or not the packet was allowed or denied.

Or atleast whether or not the Firewall saw the packet

Cheers,

Kapil

lucas 25 Reputation points

2025-01-07T07:56:43.2+00:00

Hello @KapilAnanth-MSFT

Thank you for your support.

I have deleted the old test vnet(10.19.0.0/16) and create new test vnet (172.22.0.0/16)

I have update the firewall rule:

The source is from test VNET(172.22.0.0/16) and the destination is spoke vnet (10.12.0.0/16)

I also delete route tables and create 3 new routes table:

hubRouteTable. This route table attach to gateway subnet (10.18.2.0/24) of hub vnet (10.18.0.0/16) and contains 2 routes:

route to spoke:

Destination type: IP addresses

Destination IP addresses/CIDR range: 10.12.0.0/16 - this is spoke Vnet address space

Next hop type: Virtual appliance

Next hop address: Firewall's private IP

route to test vnet

Destination type: IP addresses

Destination IP addresses/CIDR range: 172.22.0.0/16 - this is test Vnet address space

Next hop type: Virtual Network Gateway

onpremiseRouteTable This route table attach to subnet (172.22.0.0/24) of test vnet (172.22.0.0/16) and contains 1 route:

Destination type: IP addresses

Destination IP addresses/CIDR range: 10.12.0.0/24- his is spoke Vnet address space

Next hop type: Virtual Network Gateway

spokeRouteTable This route table attach to subnet (10.18.0.0/24) of test vnet (10.18.0.0/16) and contains 1 route:

Destination type: IP addresses

Destination IP addresses/CIDR range: 172.22.0.0/16 - this is test Vnet address space

Next hop type: Virtual appliance

Next hop address: Firewall's private IP

For creating VPN site to site, I follow this video guide

https://youtu.be/_sXNMpelCAo?t=987

The VPN works fine when I connect VPN from test VM in test vnet (172.22.0.0/16) to a VM (only private IP 10.18.0.4) on hub vnet (10.18.0.0/16). But i can't connect to VM on spoke vnet (10.12.0.0/16)

Below is config peering:

peering to spoke from hub

peering to hub from spoke

KapilAnanth-MSFT 48,261 Reputation points Microsoft Employee

2025-01-07T08:36:06.0266667+00:00

@lucas , You are welcome.

Wrt route tables,

In "hubRouteTable", delete the route "b"

This is redundant and non-needed, as the VPN Gateway is already aware of the OnPrem range "172.22.0.0/16"

Moreover, attaching a route table with nextHop as VirtualNetworkGateway on GatewaySubnet is not the right approach.

In "spokeRouteTable", I believe you meant to say "subnet (10.12.0.0/24) of spoke vnet (10.12.0.0/16)"

In the VM Test, I believe you are using RRAS,

Make sure the configuration is correct here.

Make sure you add both the routes "10.18.0.0/16" and "10.12.0.0/16" from the RRAS side.

Not just "10.18.0.0/16"

And please check the Azure Firewall logs, this will help us isolate whether or not the traffic reached the Firewall and if it was dropped or allowed

Cheers,

Kapil

lucas 25 Reputation points

2025-01-07T10:01:19.68+00:00

Thanks support from @KapilAnanth-MSFT and @Silvia Wibowo, It works.Below is configuration step:

The firewall rule need to config a network rule from test Vnet to spoke Vnet:

Follow this guide to configurate Peering between Spoke and Hub

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

In the Peering from Hub : Allow gateway or route server in 'VNET Hub' to forward traffic to the peered virtual network: Select the checkbox.

In the Peering from Spoke : Enable 'VNET Spoke' to use 'VNET Hub's' remote gateway or route server: Select the checkbox.

Create 2 route tables:

hubRouteTable. This route table attach to gateway subnet (10.18.2.0/24) of hub vnet (10.18.0.0/16) and contains 1 routes:

Destination type: IP addresses

Destination IP addresses/CIDR range: 10.12.0.0/16 - this is spoke Vnet address space

Next hop type: Virtual appliance

Next hop address: Firewall's private IP

spokeRouteTable This route table attach to subnet (10.18.0.0/24) of test vnet (10.18.0.0/16) and contains 1 route:

Destination type: IP addresses

Destination IP addresses/CIDR range: 172.22.0.0/16 - this is test Vnet address space

Next hop type: Virtual appliance

Next hop address: Firewall's private IP

Create Site To Site VPN: please follow the video guide https://youtu.be/_sXNMpelCAo?t=963 .

On the step Static Routes, please add address space of hub and spoke

Hope this help
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Hub, Spoke - S2S VPN Trafice via Azure Firewall

0 additional answers

Your answer