Routing for Network Virtual Appliances

Question

Routing for Network Virtual Appliances

Mike Kallies 21

In the diagram, we have one vnet, two subnets, and three systems.

Azure "IP Forwarding" is enabled on the router interfaces.
Routing tables are created for "trust" and "untrust" subnets
Static routes are created on the machines (the obscured routes are host routes to make sure I don't cut myself off)
We can see that bob is successfully pinging alice.

Despite bob's default route being the router, the azure routing table setting bob's default route to the router, and alice is not in the same subnet, the traffic does not pass through the router!?

This raises two big questions for me

Why and how is Azure doing this? This seems to completely defy Layer3 logic.
How are we supposed to do this in Azure?

My next guess on this is that this might need to be done with distinct vnets, but if I use vnets, does that mean 3 vnets? 1 for the virtual appliance and 1 for each subnet?

Accepted answer

0 additional answers

Your answer

Answer 1

@Mike Kallies Thank you for reaching out to Microsoft Q&A. I understand that you are having challenges setting up traffic routing via the NVA.

First thing I notice from the architecture is that the NVA shares the subnets of the Trsut and Untrust networks. This is not the preferred setup for this requirement as this creates loops in routing. As per Microsoft documenation-

"Deploy a virtual appliance into a different subnet than the resources that route through the virtual appliance are deployed in. Deploying the virtual appliance to the same subnet, then applying a route table to the subnet that routes traffic through the virtual appliance, can result in routing loops, where traffic never leaves the subnet."

Here is a similkar architecture explained here in the following blog anf video:

https://rajanieshkaushikk.com/2020/01/12/how-to-route-network-traffic-in-azure/

https://www.youtube.com/watch?v=UeFDa3vl0LA

Please impelment a different subnet for the NVA and that should resolve this issue for you. Hope this helps.

Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.

Mike Kallies 21 Reputation points

2021-07-16T11:39:02.817+00:00

Thanks for the time to work through this with me, I really appreciate it.

In a nutshell, what we did was:

Create subnets for the interfaces, e.g., trust and untrust

Create subnets for each group of machines, e.g., users, dmz

Azure behaves very differently at L3 and L2 than physical networking gear.

Local arp tables are meaningless (12:34:56:78:9a:bc entries everywhere)

Local routing tables should be left untouched, even if they don't match the UDR table

Rely on Azure to route between subnets in the vnet, e.g., to transparently move traffic from 'trust' to 'users' etc.

Thanks again, this has all been very helpful.

(Now I just need to try to understand how traffic is routed to and from the Internet through a NVA!)

Share via

Routing for Network Virtual Appliances

0 additional answers

Your answer