Hub and two Spoke vnets with AFW in Hub and traffic from Expressroute

Sepski, Krzysztof Antoni 20

Hello,

I have got problem with not going traffic via Azure Firewall from ExpressRoute to one of two spoke vnets(I don't see any traffic on Firewall logs but I can see traffic with tcpdump on VM in spoke). Traffic to on-prem via ExpressRoute works fine from both spoke vnets(and I can see logs in Firewall)
Could You please provide me with exemplary configuration how to set UDRs?
I already set on GatewaySubnet UDR - prefixes of two spokes(tried also one wide mask) via Firewall, on both Spokes UDR - prefixes of on prem subnets via Firewall and can't find any solution.

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2024-09-19T09:26:47.6233333+00:00
@Sepski, Krzysztof Antoni ,

This is strange.

Are you sure the Azure Firewall log query is correct?

Because, from your verbatim, it appears there is asymmetric routing and many times, Azure drops asymmetric traffic.

i.e., Both Azure to OnPrem and OnPrem to Azure should fail if asymmetric traffic is present.

As next steps,

In the GatewaySubnet's UDR, add a route for one of the Spoke's Subnet (not VNET) and point the nextHop as Azure Firewall.

I am just trying to make sure there aren't any longest prefix match overriding the UDR

Can you also confirm if there is no Azure Route Server on the VNET?

Cheers,

Kapil
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2024-09-23T17:43:34.73+00:00
@Sepski, Krzysztof Antoni ,

This should not be the case.

Ideally, if there is asymmetric routing, the packets should be dropped.

Can you please check the "Flow trace" logs?

More details here

The firewall logs show traffic through the firewall in the first attempt of a TCP connection, known as the SYN packet. However, such an entry doesn't show the full journey of the packet in the TCP handshake. As a result, it's difficult to troubleshoot if a packet is dropped, or asymmetric routing occurred. The Azure Firewall Flow Trace Log addresses this concern.

Also, kindly ensure you are querying the logs and not missing the traffic from OnPrem to Azure

You can query all Network Rules

And then filter out for OnPrem source in the result

For Troubleshooting,

Pick one VM from the SpokeVNET

In the GatewaySubnet's UDR, Create a route such that

VM's IP (/32) and nextHop is Azure Firewall NVA

See if this works and let us know.

Cheers,

Kapil

Accepted answer

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2024-09-18T11:56:28.9233333+00:00
@Sepski, Krzysztof Antoni ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to use Azure Firewall as NVA for traffic to and fro OnPrem via ExpressRoute.

From your verbatim,

Azure to OnPrem traffic passes via the Firewall

However, OnPrem to Azure traffic does not

Ideally, defining the Address space of the SpokeVNETs and nextHop as the Firewall's private IP should do the trick

See a similar set up here

Can you confirm Propagate gateway routes is set to "Enabled"?

May I ask if you are testing this by initiating traffic from OnPrem to the Azure?

Or you are worried that you are not seeing return traffic for Azure to OnPrem testing

Can you specify if you are using ExpressRoute FastPath?

Cheers,

Kapil
Please sign in to rate this answer.
Sepski, Krzysztof Antoni 20 Reputation points

2024-09-18T12:08:01.5766667+00:00

OnPrem to Azure - OnPrem to Spoke does not going via Azure Firewall.
I do have defined address spaces of the Spoke Vnets and nextHop Firewall on GatewaySubnet UDR. - It does not work somehow. - I cannot see logs on Azure Firewall, but I as I mentioned in other way Spoke -> OnPrem I can see logs and it works fine.
Propagate gateway routes was Enabled and Disabled (tried both) on Spoke routes and Enabled on GatewaySubnet
Problem is when initiating traffic from OnPrem to Azure
FastPath on ExpressRoute is Disabled

Sepski, Krzysztof Antoni 20 Reputation points

2024-09-19T14:13:11.7366667+00:00

Ok, I found the problem. It was the typo of the spoke subnet in the GatewaySubnet UDR.
Thanks, UDR on GatewaySubnet to spoke vnets via FW and UDR on spoke vnets to OnPrem via FW and everything works perfect.

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2024-09-23T17:46:43.6266667+00:00

@Sepski, Krzysztof Antoni ,

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I shall summarize our discussion to an answer

I would greatly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Hub and two Spoke vnets with AFW in Hub and traffic from Expressroute

0 additional answers

Your answer