Azure load balancer to NVA asymmetric traffic issue

prasantc 876 Reputation points
2024-07-13T18:54:39.4933333+00:00

Asymmetric traffic issue on network capture from a VM in another vnet -

Here is my design -

I have vWAN with Azure Firewall, which is yet to be secured with intent as the next phase of network migration. Therefore, please ignore vWAN and vHub when it comes up as a topic of description. And I am trying to resolve private DNS from on premises using the Azure DNS inbound resolver, which is proxied from Azure Firewall.

  1. The existing env uses a third-party firewall appliance to secure Azure traffic, which will soon be migrated.
  2. The third-party NVA has four VMs with scale sets, but most of the traffic enters from eth1, as per the NVA log.
  3. Traffic into the NVA enters from an Azure ILB.
  4. A UDR from the subnet of the other vnet points to the Azure ILB private IP to route traffic to the NVA firewall.
  5. For private DNS I have conditional forwarders on prem and in the cloud, as the conditional forwarder on prem gets replicated across the forest, including the AD with the DNS server hosted in Azure.
  6. The AD DNS hosted in Azure has its forwarder set to the wired DNS, aka Azure private DNS 168.x.x.x, while the on-prem DNS forwarder points to Google and other public DNS IPs.

Network Line of sight -

  1. On-prem traffic enters Azure via ExpressRoute and does not hit the NVA in the process; therefore, traffic is not inspected by the cloud-hosted NVA. Therefore, the test network connection to the Azure Firewall IP on port 53 shows success from on prem.
  2. Cloud DNS server or VM traffic is inspected by the cloud NVA. Therefore, the test network connection to the Azure Firewall IP on port 53 shows failure from the cloud DNS server in the non-core vnet or a VM from another vnet.

Why the test network connection to the Azure Firewall IP on port 53 is failing for cloud resources -

  1. Traffic enters the NVA from the Azure LB for the NVA, as the UDR for all other vnets points to the NLB front-end private IP.
  2. Inside the NVA log, all traffic reaching the Azure Firewall from the DNS server or the test VM on the non-core subnet shows successful for all stateful traffic. What the NVA log is missing is traffic exiting out of the NVA and not exiting from the NLB. Therefore, the NVA log does not have insight into the DNS traffic test network failure.
  3. When I run a network capture with Wireshark from the VM in the same subnet as the Azure-hosted DNS server, I see transmission failure.
  4. My understanding is that the traffic going in from one interface (NLB front) and not exiting out of NVA eth1 is not seen by the VM as stateful traffic; therefore the acknowledgement fails. HOW do I fix this, or what is the workaround for this issue?

Another point -

If I add a conditional forwarder for privatelink.service.net instead of service.net, it seems to work, which is not the correct way of conditional forwarding for Azure services with PE. It should resolve service.net to privatelink.service.net and the private IP.

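One way to confirm the asymmetric return path from the capture described above, as an added example that is not part of the original post: the script below takes constructed packet records (the kind you would export from the Wireshark capture on the test VM; the addresses are made up) and flags TCP flows in which the client keeps retransmitting SYN but no SYN/ACK ever arrives on the same interface, which is how a reply leaving the NVA through eth1 instead of back through the ILB looks from the VM.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet as seen on the capturing VM's interface."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


# Constructed sample capture (addresses are made up). Three SYNs to the
# firewall DNS proxy on TCP/53 never get a SYN/ACK back on this interface,
# while an SSH handshake to a VM in the same subnet completes normally.
SAMPLE = [
    Packet("10.20.1.4", "10.0.0.4", 51000, 53, "S"),
    Packet("10.20.1.4", "10.0.0.4", 51000, 53, "S"),  # retransmitted SYN
    Packet("10.20.1.4", "10.0.0.4", 51000, 53, "S"),  # retransmitted SYN
    Packet("10.20.1.4", "10.20.1.5", 52000, 22, "S"),
    Packet("10.20.1.5", "10.20.1.4", 22, 52000, "SA"),
    Packet("10.20.1.4", "10.20.1.5", 52000, 22, "A"),
]


def find_one_sided_flows(packets, min_syn=2):
    """Return [(client_4tuple, syn_count)] for flows that sent SYN at least
    min_syn times and never saw a SYN/ACK on this interface.

    The key is always the client-side 4-tuple, so a SYN/ACK is mapped back
    onto the SYN that triggered it. A flow listed here means the reply
    either took a different path (asymmetric routing) or was dropped.
    """
    syns = defaultdict(int)
    synacks = set()
    for p in packets:
        if p.flags == "S":
            syns[(p.src, p.sport, p.dst, p.dport)] += 1
        elif p.flags == "SA":
            synacks.add((p.dst, p.dport, p.src, p.sport))
    return sorted((k, n) for k, n in syns.items()
                  if n >= min_syn and k not in synacks)


if __name__ == "__main__":
    for (src, sport, dst, dport), n in find_one_sided_flows(SAMPLE):
        print(f"{src}:{sport} -> {dst}:{dport}: {n} SYNs, no SYN/ACK seen")
```

Flows reported here are the ones to cross-check against the NVA's eth1 egress log, since a reply that left via eth1 will show there but never on the capturing VM.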

1 answer

  1. Marcin Policht 17,615 Reputation points MVP
    2024-07-13T20:07:07.97+00:00

    Wouldn't Azure Gateway Load Balancer solve this issue for you?

    More at https://learn.microsoft.com/en-us/azure/load-balancer/gateway-overview


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
