I have below network : 2 vNet in eastus connect to vHub1 ( vNet1 & vNet2 ) 1 vNet in CentralUS connect to vHub2 ( vNet3 ) vHub1 & vHub2 are belongs to my vWan1 ( vHub1 in eastus , vHub2 in centralUS ) 1 VM in each vNet, they can connect to each other properly, by ping, or by ssh. ( VM-1 in vNet1, VM-2 in vNet2, VM-3 in vNet3 ) there is a NAT GW in vNet-1 in eastus which associated to sub-1 in vNet-1. ( i plan to route all 3 vNet internet outbound traffic via this NAT GW ) VM-1 is a ubuntu22 with ip-forwording enabled in eth0, and added a new eth1 ( 10.0.0.33 ) to act as an NVA device. VM-1 able to access internet through NAT GW. the default route table in vHub ( and i tried in vNet ) including: ' 0.0.0.0/0 next hop eth1 ( 10.0.0.33 ) ' . i suppose this allow my VMs in other vNet able to access internet. i checked all NICs "effective route", it's shows 0.0.0.0/0 to next hop eth1 ( 10.0.0.33 ) , it's seems meet my expectation, but unfortunately, VM-2 & VM-3 unable to access internet either. So could you please help to find the problems ? Thanks ~!

Hi, I think there is a loop getting created in the VNET 1 connection. You can override it with 2 ways. Create a UDR with 0.0.0.0/0 next hop Internet and associate it on to the VM1 subnet. Or do not associate the default routing table to the VNET1 connection which has 0.0.0.0/0 next hop as your NVA Interface. Regards, Karthik Srinivas

NVA & vHub routing issue

Yu Dongdong 0

vwan-issue

I have below network :

2 vNet in eastus connect to vHub1 ( vNet1 & vNet2 )
1 vNet in CentralUS connect to vHub2 ( vNet3 )
vHub1 & vHub2 are belongs to my vWan1 ( vHub1 in eastus , vHub2 in centralUS )
1 VM in each vNet, they can connect to each other properly, by ping, or by ssh. ( VM-1 in vNet1, VM-2 in vNet2, VM-3 in vNet3 )
there is a NAT GW in vNet-1 in eastus which associated to sub-1 in vNet-1. ( i plan to route all 3 vNet internet outbound traffic via this NAT GW )
VM-1 is a ubuntu22 with ip-forwording enabled in eth0, and added a new eth1 ( 10.0.0.33 ) to act as an NVA device.
VM-1 able to access internet through NAT GW.
the default route table in vHub ( and i tried in vNet ) including: ' 0.0.0.0/0 next hop eth1 ( 10.0.0.33 ) ' .

i suppose this allow my VMs in other vNet able to access internet. i checked all NICs "effective route", it's shows 0.0.0.0/0 to next hop eth1 ( 10.0.0.33 ) , it's seems meet my expectation, but unfortunately, VM-2 & VM-3 unable to access internet either.

So could you please help to find the problems ?

Thanks ~!

MojiTMJ 690 Reputation points

2023-10-01T10:45:30.98+00:00
Hello Yu Dongdong,

Thank you for reaching out in Microsoft Q&A.

From your description, it appears that your setup should allow VM-2 and VM-3 to access the internet via VM-1 acting as an NVA. However, you mentioned that VM-2 and VM-3 are unable to access the internet. Here are some steps to troubleshoot the issue:

Check NVA Configuration:

Verify that the NVA (VM-1) is correctly configured as a gateway with IP forwarding enabled and that it can access the internet through the NAT Gateway.

Check Route Tables:

Double-check the route table configuration in both vHub1 and vNet1. The default route (0.0.0.0/0) should indeed point to the NVA (10.0.0.33).

Check Security Groups and Network Security Groups (NSGs):

Ensure that there are no network security group rules or security group rules that are blocking outbound internet traffic from VM-2 and VM-3.

Check Subnet Associations:

Make sure that the subnets in vNet1 and vNet2 are associated with the correct route tables. Subnets in vNet1 and vNet2 should be associated with the route table that has the default route pointing to the NVA.

Check NSG Rules on Subnets:

Verify that there are no Network Security Group (NSG) rules associated with the subnets in vNet1 and vNet2 that are blocking outbound traffic.

Check VM Configuration:

Ensure that VM-2 and VM-3 have their default gateways set to the IP address of VM-1's eth1 (10.0.0.33). You can check this in the VM network configuration settings.

Check NVA Firewall Rules:

If VM-1 is running a firewall software, make sure that it is not blocking outbound traffic from VM-2 and VM-3.

Check NVA's Network Interface Configuration:

Review the network interface configuration on VM-1 (NVA). Ensure that eth1 is correctly configured and has the appropriate IP address (10.0.0.33).

Check Routing Logs and Diagnostics:

Use Azure's diagnostics and logging tools to check for any errors or issues related to routing and network traffic.

Check Azure Resource Logs:

Review Azure Resource logs for any errors or warnings related to your resources, including the Virtual WAN, vNets, and VMs.

Test Connectivity:

From VM-2 and VM-3, you can use tools like traceroute, ping, or nslookup to diagnose connectivity issues. Verify if they can reach VM-1 and then proceed from there to the internet.

By systematically checking these configurations and performing tests, you should be able to identify the cause of the issue and resolve it to enable internet access for VM-2 and VM-3 through your NVA and NAT Gateway.

Note: If you found this response helpful, please acknowledge it to help others facing similar challenges.

Best of luck!
Yu Dongdong 0 Reputation points

2023-10-01T14:03:35.2033333+00:00
Hi MojiTMJ:

Thanks for your help ~! i checked my network, please find my update below:

Actually, i'm wondering if i can forward all internet outbound traffic from branch-vNet ( vNet2 & vNet3 ) to my hub-vNet ( vNet1 ) and forward to internet by my NVA ( ubuntu22 ) via the only NAT gateway in my hub-vNet.

i'm not sure if it feasible in Azure side ? do i need purchase a dedicated NVA instead of an ubuntu22 OS ?

Check NVA Configuration:

Verify that the NVA (VM-1) is correctly configured as a gateway with IP forwarding enabled and that it can access the internet through the NAT Gateway.
- i confirm the NVA IP forwarding enabled in both Azure portal and OS side. - i confirm i can access internet via NAT GW in VM-1.

Check Route Tables:

Double-check the route table configuration in both vHub1 and vNet1. The default route (0.0.0.0/0) should indeed point to the NVA (10.0.0.33).
- i confirm the default route (0.0.0.0/0) for vHub1 point to the NVA (10.0.0.33). and the default route of sub2 in vNet1 ( instead of vNet1. i can't attach a route table to a vNet ) point to the NVA (10.0.0.33).

Check Security Groups and Network Security Groups (NSGs):

Ensure that there are no network security group rules or security group rules that are blocking outbound internet traffic from VM-2 and VM-3.
- There are no custom NSG in my environment, the default rules attache to all my NSGs.

Check Subnet Associations:

Make sure that the subnets in vNet1 and vNet2 are associated with the correct route tables. Subnets in vNet1 and vNet2 should be associated with the route table that has the default route pointing to the NVA.
- i confirm sub2 in vNet1 and all subnet in both vNet2 & vNet3 are associated to a route table point to the NVA (10.0.0.33).

Check NSG Rules on Subnets:

Verify that there are no Network Security Group (NSG) rules associated with the subnets in vNet1 and vNet2 that are blocking outbound traffic.
- Default NSG rules, no blocks.

Check VM Configuration:

Ensure that VM-2 and VM-3 have their default gateways set to the IP address of VM-1's eth1 (10.0.0.33). You can check this in the VM network configuration settings.
- i confirm the effective routes 0.0.0.0/0 for both VM-2 & VM-3 are point to VM-1's eth1 (10.0.0.33). i checked it from Azure portal, and ping 10.0.0.33 from both VM-2 & VM-3.

Check NVA Firewall Rules:

If VM-1 is running a firewall software, make sure that it is not blocking outbound traffic from VM-2 and VM-3.
- the only one firewall rule in my NVA is : 'sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'

Check NVA's Network Interface Configuration:

Review the network interface configuration on VM-1 (NVA). Ensure that eth1 is correctly configured and has the appropriate IP address (10.0.0.33).
- Yes, i can connecto to 10.0.0.33 from VM-2 and VM-3.

Check Routing Logs and Diagnostics:

Use Azure's diagnostics and logging tools to check for any errors or issues related to routing and network traffic.
- No any errors. or i don't know where i can find the logs.

Check Azure Resource Logs:

Review Azure Resource logs for any errors or warnings related to your resources, including the Virtual WAN, vNets, and VMs.
- No any errors. or i don't know where i can find the logs.

Test Connectivity:

From VM-2 and VM-3, you can use tools like traceroute, ping, or nslookup to diagnose connectivity issues. Verify if they can reach VM-1 and then proceed from there to the internet.
- i can connect to VM-1 from both VM-2 & VM-3 by ping and ssh.
MojiTMJ 690 Reputation points

2023-10-02T08:36:38.0433333+00:00
Hi Yu Dongdong,

Thanks for the update. I'm glad to hear that you have checked all the configurations and that the NVA is able to access the internet through the NAT Gateway.

Yes, it is feasible to forward all internet outbound traffic from branch-vNet (vNet2 & vNet3) to your hub-vNet (vNet1) and forward to the internet by your NVA (ubuntu22) via the only NAT gateway in your hub-vNet. and No, no need to purchase a dedicated NVA. An ubuntu22 OS can be used as an NVA, as long as it is properly configured.

To do this, you will need to:

Configure a route table in your hub-vNet (vNet1) with a default route (0.0.0.0/0) pointing to the NVA (10.0.0.33).

Associate the subnets in your hub-vNet (vNet1) and branch-vNets (vNet2 & vNet3) with the route table that has the default route pointing to the NVA.

Configure the NVA to route all internet outbound traffic to the NAT Gateway.

You can use the following steps to configure the NVA to route all internet outbound traffic to the NAT Gateway:

Log in to the NVA.

Open the firewall configuration file.

Add the following rule to the firewall configuration file:

-A POSTROUTING -o eth0 -j MASQUERADE

Save the firewall configuration file.

Restart the firewall service.

Once you have completed these steps, all internet outbound traffic from your branch-vNets (vNet2 & vNet3) will be forwarded to your hub-vNet (vNet1) and then to the internet via the NVA.

Here are some additional tips for troubleshooting NVA issues:

Make sure that the NVA is able to access the internet through the NAT Gateway. You can test this by trying to ping a website from the NVA.

Make sure that the NVA is configured to route all internet outbound traffic to the NAT Gateway. You can check this by reviewing the firewall configuration on the NVA.

Make sure that the subnets in your hub-vNet (vNet1) and branch-vNets (vNet2 & vNet3) are associated with the route table that has the default route pointing to the NVA.

Use Azure Network Watcher to troubleshoot the issue. Azure Network Watcher provides a variety of tools for troubleshooting network connectivity issues. For example, you can use the IP Flow Verify tool to test the flow of traffic between your branch-vNets (vNet2 & vNet3) and the NVA.

If you are still unable to resolve the issue, please provide more information about your network topology and configuration. For example, please provide the routing tables and firewall rules on the NVA, VM-2, and VM-3.

Note: If you found this response helpful, please acknowledge it to help others facing similar challenges.

I hope this helps!
KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2023-10-05T10:24:00.2933333+00:00
@Yu Dongdong

Continuing from msrini-MSFT 's answer,

Let's only troubleshoot VM2 and try to isolate the issue.

1.Create a UDR with 0.0.0.0/0 next hop Internet and associate it on to the VM1 subnet.

Did you get a chance to execute this?

Did this work for VM2?

Were you able to access Internet via NAT GW of the NVA(VM1) ?

Because, you mentioned, "attached 0.0.0.0/0 next hop 10.0.0.33 to this new VM-4,"

I understand this would work, as this is not crossing the VNET boundary.

Also, I agree this proves that the NVA is capable of forwarding traffic to Internet .

However, msrini-MSFT 's suggestion was to attach a UDR of 0.0.0.0/0 on VNET1's subnet1 and not on VM4

Cheers,

Kapil
KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2023-10-06T09:59:47.1866667+00:00

@Yu Dongdong

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
Yu Dongdong 0 Reputation points

2023-10-09T00:20:00.84+00:00

Thanks for all your help ~!

actually, I have had a UDR with 0.0.0.0/0 next-hop Internet and associated it on the VM1 subnet.

there are 2 NICs in VM1, eth0 in sub-1 connect to NAT GW which includs the UDR 0.0.0.0/0 next-hop internet, eth1 in sub-2 with 0.0.0.0/0 next-hop to the NVA (10.0.0.33).

this works for the VMs which in the same Vnet, but it doesn't work for the other Vnets.
KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2023-10-10T08:47:42.94+00:00
@Yu Dongdong

Can you share the NIC Effective Routes of the VM2 ?

Cheers,

Kapil
KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2023-10-12T03:59:42.51+00:00

@Yu Dongdong

Can you please update us the results of the action plan provided.

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Thanks,

Kapil

1 answer

msrini-MSFT 9,286 Reputation points Microsoft Employee

2023-10-03T08:39:42.2833333+00:00
Hi,

I think there is a loop getting created in the VNET 1 connection. You can override it with 2 ways.

Create a UDR with 0.0.0.0/0 next hop Internet and associate it on to the VM1 subnet.

Or do not associate the default routing table to the VNET1 connection which has 0.0.0.0/0 next hop as your NVA Interface.

Regards,

Karthik Srinivas
Please sign in to rate this answer.
Yu Dongdong 0 Reputation points

2023-10-03T13:45:37.82+00:00

Hi Karthik:

Thanks for your help.

Create a UDR with 0.0.0.0/0 next hop Internet and associate it on to the VM1 subnet.

There are 2 NICs attached to VM1, NIC-1 with 0.0.0..0/0 next hop internet, but NIC-2 with 0.0.0.0/0 next hop 10.0.0.33 ( this is NIC-2 itself ).

VM1 able to access internet via NAT GW.

I created a new VM-4 in the same subnet which NIC-2 located, and attached 0.0.0.0/0 next hop 10.0.0.33 to this new VM-4, it's able to access internet via NAT GW. it's proved my NVA, which is VM-1, behaived properly, it's able to forward outbound traffic to internet via NAT GW , so i expect i can leverage this NVA+NAT to the other vNet, but unfortunately, it's doesn't works properly.

Or do not associate the default routing table to the VNET1 connection which has 0.0.0.0/0 next hop as your NVA Interface

do you mean don't add 0.0.0.0/0 to my vHub1 link to vNET1 ? i tried it, even without 0.0.0.0/0 attached to this link, my VM-2 & VM-3 still cannot access internet.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

NVA & vHub routing issue

1 answer

Your answer