Traffic not flowing via azure firewall when using site to site vpn

Anushankar Konduri 0

I have created a site-to-site connection between AWS and Azure. In Azure, I have a firewall in place. When the gateway connection is established, traffic is not flowing through the Azure firewall. However, when the gateway connection is disconnected or deleted, traffic flows through the firewall as expected.

Scenario: In the spoke VNet, I have created a VM. When the gateway connection is active, the VM is unable to access the internet. But when the gateway is disconnected, the VM can access the internet. A route has been added with 0.0.0.0/0 and the next hop set to the firewall IP.

Rohith Vinnakota 2,690 Reputation points Microsoft Vendor

2024-12-26T21:59:39.9466667+00:00

Hi @Anushankar Konduri

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

To achieve this, ensure that you add route tables to the subnet where the traffic is directed for the site-to-site connection. Additionally, include a route table in the gateway subnet, setting the next hop to the private IP of the firewall.

Note: Allow the traffic in the Azure Firewall.

Refer this link:
https://cloudcurve.co.uk/azure/how-to-route-site-to-site-vpn-traffic-via-azure-firewall/

If you have any further queries, do let us know.

Thanks,

Rohith

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Anushankar Konduri 0 Reputation points

2024-12-27T03:02:28.09+00:00

Hi @Rohith Vinnakota thanks for your response. I followed the same steps, adding the route to the gateway subnet as the Azure CIDR to the firewall's private IP, and for the spoke subnet, I set the AWS VPC CIDR with the firewall's IP as the next hop. However, traffic is not flowing through Azure Firewall.

Additionally, when the gateway connection is established, I'm unable to make any updates on the azure firewall.

Thanks.
Rohith Vinnakota 2,690 Reputation points Microsoft Vendor

2024-12-30T23:14:55.9333333+00:00

Hi @Anushankar Konduri

Greetings!

I have set up the lab on my end. I created the Hub VNet, which includes the firewall and the VPN gateway, and the spoke VNet, which communicates with the on-premises network.

To enable communication with the on-premises network from the spoke VNet, I peered it with the Hub VNet using 'Gateway Transit.'

Gateway Transit allows peered virtual networks to use the Azure VPN gateway in the Hub-RM.

Creating Gateway Transit, refer to this link: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit.

As mentioned in the previous comment, I created the routes. Then, I checked the firewall logs and confirmed that the traffic is reaching the firewall.

Note: Allow the traffic in the firewall and also add route on on-prem to spoke subnet.
Trace route from on-prem to spoke vnet.

10.20.2.8 is the firewall ip
Trace route from Spoke vnet to on-prem.

If above is unclear and/or you are unsure about something add a comment below.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Regards,

Rohith
Anushankar Konduri 0 Reputation points

2024-12-31T04:53:19.11+00:00

Hi @Rohith Vinnakota
I followed the same configuration from Day 1 (https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit)

Snippet of tracert from Azure to AWS resource

And I had got to know from support is :

As per the logs I found that there were drops Today at 11:37 AM, 11:47 to 11:52 and 5:07 PM. Errors are showing the traffic selector mismatch and SA time out. Generally this types of errors occur when there is a policies mismatch in between Azure and on-prem. In this scenario the connection policies between Azure and the AWS are not matching. Can you please let me know whether if you are using the custom connection policies or the default ones.

Trying to fix this.
Anushankar Konduri 0 Reputation points

2024-12-31T04:59:10.2066667+00:00

Hi @Rohith Vinnakota
I followed the same document when I had setup the environment.

Below is the snippet of tracert from Azure to AWS

I had got to know the issue is related to some policy from support team. Trying to fix

As per the logs I found that there were drops Today at 11:37 AM, 11:47 to 11:52 and 5:07 PM. Errors are showing the traffic selector mismatch and SA time out. Generally this types of errors occur when there is a policies mismatch in between Azure and on-prem. In this scenario the connection policies between Azure and the AWS are not matching. Can you please let me know whether if you are using the custom connection policies or the default ones.
Rohith Vinnakota 2,690 Reputation points Microsoft Vendor

2025-01-03T01:17:29.6833333+00:00

Hi @Anushankar Konduri,

Sorry for delay.

Can you please let me know whether if you are using the custom connection policies or the default ones.

I'm using default ones.

Could you also verify whether the necessary traffic has been allowed through the firewall?

If above is unclear and/or you are unsure about something add a comment below.

Regards,
Rohith
Anushankar Konduri 0 Reputation points

2025-01-03T14:28:06.6833333+00:00

I'm using the default policies only and I had added any to any allow rule(wild card).
Rohith Vinnakota 2,690 Reputation points Microsoft Vendor

2025-01-06T08:13:17.5866667+00:00

Hi @Anushankar Konduri,

Sorry for delay.

This is strange. Can you try removing the route table and then attempt the RDP connection from Azure to on-premises without the Azure firewall?

If the RDP connection is successful, the issue may be with the route table. Also, please verify if the site-to-site VPN connection is properly established.

If above is unclear and/or you are unsure about something add a comment below.

Regards,

Rohith
Rohith Vinnakota 2,690 Reputation points Microsoft Vendor

2025-01-07T04:49:07.9766667+00:00

Hi @Anushankar Konduri

Greetings!

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Regards,

Rohith.
Rohith Vinnakota 2,690 Reputation points Microsoft Vendor

2025-01-08T01:41:24.1833333+00:00

Hi @Anushankar Konduri

Greetings!

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Regards,

Rohith.

1 answer

Sarthak Agarwal 1 Reputation point Microsoft Employee

2025-02-13T11:07:44.8633333+00:00

Hi Anushankar,

Please remove the default route (0.0.0.0/0) from any UDR you are using and then perform troubleshooting. Also, make sure no UDR is attached to the Azure Firewall subnet. If VPN is disconnecting, try collecting the VPN IKE logs from the AWS or Azure side(you can use Network watcher).
Post connection is successfully established please use Connection Troubleshoot from Network Watcher to troubleshoot connectivity.

Regards,
Sarthak, CSA, Microsoft.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Traffic not flowing via azure firewall when using site to site vpn

1 answer

Your answer