hi My Architecture design On-premise Sophos firewall configuration site to site VPN (Azure) established static route configure 10.60.0.0/16 windows server(172.16.16.0/24) AZURE - Hub and Spoke design HUB VNet -Deployed (10.50.0.0/16) Azure firewall - (10.50.0.0/26) VPN Gateway -(10.50.1.0/27) SPOKE VNet Deployed (10.60.0.0/16) VM - (10.60.0.0/24) Setup Configured VPN-Gateway Deployed Local Gateway deployed Site 2 Site VPN connection established Peering Hub-VNet to Spoke VNet establish (using Gateway transits) Routing table configuration HUB -routing destination address (10.60.0.0/16) ->next hope -> azure firewall Private IP Associated Subnet HUB Gateway Subnet Spoke-Routing any traffic spoke pass through Azure Firewall destination address (0.0.0.0/16) ->next hope -> azure firewall Private IP Associated Subnet Spoke Subnet VM I'm trying to connect RDP (azure VM spoke 10.60.0.4) from On-premise windows server connection not establish but ping azure firewall private address working (10.50.0.4) kindly need support how i can connect spoke VM from On-premise

Hello @Rijo Joy , Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well. I understand that you have a hybrid network setup with site-to-site VPN connection between Azure and on-premises and the Azure network has a hub and spoke topology. You have setup the route tables for the traffic routing from your on-premises to the spoke Vnet, but it is not working and you are unable to RDP into the spoke VM from your on-premises machine. This setup is documented in the below article: Refer: https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal-policy Please validate the Prerequisites section below, You need to make sure that the Vnet peering between the hub Vnet and Spoke Vnet has "Gateway Transit" enabled. To route all spoke Vnet traffic to the Azure Firewall, you need a UDR on the spoke Vnet subnets with destination 0.0.0.0/0 pointing to next hop Azure Firewall with Virtual network gateway route propagation option disabled. And a UDR on the hub gateway subnet with destination as the spoke Vnet address space pointing to the next hop Azure Firewall IP address. Lastly, you also need to configure network rule within the Azure Firewall to allow RDP traffic to the spoke Vnet, where source should be your on-premises network as below: Name , type AllowRDP . For Source type , select IP address . For Source , type the address space of your on-premises network . For Protocol , select TCP . For Destination Ports , type 3389 . For Destination type , select IP address . For Destination , type the address space of your spoke Vnet Select Add . Refer: https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal-policy#configure-network-rules Please validate if all the above configurations have been added correctly to your setup. Kindly let us know if the above helps or you need further assistance on this issue. Please " Accept the answer " if the information helped you. This will help us and others in the community as well.

how to configure traffic pass through onpermis firewall to azure firewall

Accepted answer

GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee

2024-04-02T11:10:31.7166667+00:00
Hello @Rijo Joy ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you have a hybrid network setup with site-to-site VPN connection between Azure and on-premises and the Azure network has a hub and spoke topology. You have setup the route tables for the traffic routing from your on-premises to the spoke Vnet, but it is not working and you are unable to RDP into the spoke VM from your on-premises machine.

This setup is documented in the below article:

Refer: https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal-policy

Please validate the Prerequisites section below,

You need to make sure that the Vnet peering between the hub Vnet and Spoke Vnet has "Gateway Transit" enabled.

To route all spoke Vnet traffic to the Azure Firewall, you need a UDR on the spoke Vnet subnets with destination 0.0.0.0/0 pointing to next hop Azure Firewall with Virtual network gateway route propagation option disabled.

And a UDR on the hub gateway subnet with destination as the spoke Vnet address space pointing to the next hop Azure Firewall IP address.

Lastly, you also need to configure network rule within the Azure Firewall to allow RDP traffic to the spoke Vnet, where source should be your on-premises network as below:

Name, type AllowRDP.

For Source type, select IP address.

For Source, type the address space of your on-premises network.

For Protocol, select TCP.

For Destination Ports, type 3389.

For Destination type, select IP address.

For Destination, type the address space of your spoke Vnet

Select Add.

Refer: https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal-policy#configure-network-rules

Please validate if all the above configurations have been added correctly to your setup.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Rijo Joy 60 Reputation points

2024-04-02T11:17:02.0833333+00:00

Yes I done Also i do the firewall network rule source ip windows server 172.16.17.0/24 Destination 10.60.0.0/24 port 3389 TCP But not working As you mentioned above architecture I done lab it's working fine ( vent to Vnet ) but (sit to site) on permission not working

Rijo Joy 60 Reputation points

2024-04-02T11:17:40.4033333+00:00

Yes I done Also i do the firewall network rule source ip windows server 172.16.16.0/24 Destination 10.60.0.0/16port 3389 TCP But not working As you mentioned above architecture I done lab it's working fine ( vent to Vnet ) but (sit to site) on permission not working

GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee

2024-04-02T12:06:30.9733333+00:00

Hello @Rijo Joy ,

I see you mentioned, "Spoke-Routing any traffic spoke pass through Azure Firewall destination address (0.0.0.0/16) ->next hop -> azure firewall Private IP Associated Subnet Spoke Subnet VM",

Could you please the destination to 0.0.0.0/0 in this UDR?

Also, could you please confirm if the Virtual network gateway route propagation option is disabled on the UDR associated to the spoke subnets or not? Refer: https://learn.microsoft.com/en-us/azure/virtual-network/manage-route-table#create-a-route-table

Could you also share a screenshot of the Vnet peering configuration between the hub and spoke Vnet?

Regards,

Gita

Rijo Joy 60 Reputation points

2024-04-02T12:27:42.2633333+00:00

Could you please the destination to 0.0.0.0/0 in this UDR? yes

i create route for spoke VNet all traffic spoke routed to azure firewall disable gateway route propagation

Hub -to-Spoke

Spoke -to -Hub

GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee

2024-04-02T16:22:28.5466667+00:00

Hello @Rijo Joy ,

Is there any UDR on the Azure Firewall subnet?

Could you please check if there is any NSG blocking the RDP traffic on the spoke subnets or VMs?

Regards,

Gita

Rijo Joy 60 Reputation points

2024-04-02T16:25:51.8033333+00:00

Azure firewall subnet no UDR only UDR gateway subnet , rdp allowed inbound port rool for any network ,, my traffic reach up to firewall I can ping

GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee

2024-04-02T16:46:07.65+00:00

Hello @Rijo Joy , since the traffic is reaching till the Firewall, the only places that we need to check are the Firewall itself, the spoke Vnet/VM and the Vnet peering configuration.

We already confirmed the below:

Vnet peering has transit gateway enabled.

there is no UDR on the Firewall subnet

Virtual network gateway route propagation option is disabled on the UDR associated to the spoke subnets.

Azure Firewall has the network rule configured to allow RDP traffic.

And there is no NSG on the spoke Vnet blocking the traffic.

So, let us check the spoke VM for any issues.

Could you please validate if the Windows Firewall inside the VM's OS is blocking the traffic?

Refer: https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/troubleshoot-rdp-connection#troubleshoot-using-the-azure-portal

Is this issue happening with a single spoke VM or have you tried another VM?

Regards,

Gita

Rijo Joy 60 Reputation points

2024-04-02T20:37:53.39+00:00

hi i tired both not working

GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee

2024-04-03T09:37:00.7133333+00:00

Hello @Rijo Joy ,

Let us try to bypass the Azure Firewall and see if you are able to connect to the spoke VM from your on-premises.

Could you please remove the UDRs from the GatewaySubnet and Spoke subnets and try to RDP to the spoke VM directly from on-premises? Let me know if it works.

Regards,

Gita

Rijo Joy 60 Reputation points

2024-04-03T18:46:37.25+00:00

yes i removed UDR and traffic bypass firewall , it's working fine , but once firewall add and traffic not reach spoke ,

i try to make alternative method

create UDR in spoke VNet destination address on perm subnet associated with Spok subnet .

now working fine traffic pass through the firewall rdp working fine thank you

GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee

2024-04-04T12:36:25.3+00:00

Hello @Rijo Joy ,

Thank you for the update.

Looking at your above comment, I would say there was a learned route from somewhere conflicting with the 0.0.0.0/0 UDR that you had before.

But you confirmed in your previous comments that Virtual network gateway route propagation option was disabled for the UDR associated to the spoke Vnet.

So, to find out if there was a route affecting the previous UDR, we may need to check the spoke VM's Effective routes with 0.0.0.0/0 UDR.

Please let me know if you would like to configure the 0.0.0.0/0 UDR for the spoke Vnet or you are fine with the on-premises address space as the destination in the UDR.

If you would like force all traffic from the spoke Vnet to your on-premises, then change the UDR to use 0.0.0.0/0 destination and share a screenshot of the spoke VM's effective routes for further analysis.

Refer: https://learn.microsoft.com/en-us/azure/virtual-network/diagnose-network-routing-problem#diagnose-using-azure-portal

Regards,

Gita

GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee

2024-04-05T10:18:37.5333333+00:00

Hello @Rijo Joy , could you please provide an update on this post? Please let me know if you would like to configure the 0.0.0.0/0 UDR for the spoke Vnet or you are fine with the on-premises address space as the destination in the UDR.

Rijo Joy 60 Reputation points

2024-04-05T10:21:43.92+00:00

Hi I done both UDR for spoke VNet it's working fine , 0.0.0.0/0 and on permis lan address space , Thnke you

GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee

2024-04-05T10:28:56.98+00:00

Thank you for the update, @Rijo Joy . Glad to hear that the issue is now resolved.

Do let us know if you need further assistance on this issue.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.