This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 23%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPS%3C/text%3E%3C/svg%3E)
I have set up hub and 2 spokes using Azure Firewall to route traffic from spoke to spoke. I have set correct route to allow all to all
this is the only firewall rule I have
In both subnet I have set default route rule to Azure Firewall IP
there are no NSGs assigned to subnet nor the network interface
Hub is peered with spokes:
Was testing the setup connecting to 1 vm in spoke vnet and ping to vm in the other spoke but I have got no response.
I am able to ping in the same vnet so OS firewall is not the case.
I was also tried to do connection troubleshoot tool but it ends with status unreachable.
Supposed to work: should be able to ping spoke to spoke via azure firewall in hub
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are facing issues with Spoke-to-Spoke Transit via Azure Firewall.
Awaiting your update.
Cheers,
Kapil
Hello,
Thanks for the update.
I was suggesting to change the address range in the Route Table.
I am trying to make sure there was no asymmetric routing in place for return traffic (i.e, routing issue from Spoke2 to Spoke1)
Cheers,
Kapil
Update for 3rd pioint:
I have also changed route tables attached to subnet in both spokes for testing purpose accordinly
spoke1 vnet
| spoke2_via_hub | 10.200.0.0/22 | Virtual appliance | 10.0.3.4 |
spoke2 vnet
| spoke1_via_hub | 10.100.0.0/22 | Virtual appliance | 10.0.3.4 |
It has same effect, not able to reach spoke to spoke vms
To troubleshoot further, I think we will need a specialized 1:1 session, where a support engineer can have a screen share session to pinpoint the issue. If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.
In case you need a one-time free technical support could you please send an email to Azcommunity[At]Microsoft[Dot]Com with the below details.
Subject : Attn Kaananth | Not able to ping vm to vm in hub spoke with azure firewall
Thread URL: Link to this thread
Subscription ID : Subscription ID of the Firewall
Cheers,
Kapil
Managed to fix it myself by enabling "Traffic forwarded from remote virtual network" on peerings setting hub<--->spoke.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 87%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMJ%3C/text%3E%3C/svg%3E)
Hey Piotr, how you have solved this issue, I have same problem & tried all above suggestions. Kindly revert with the way you have opted.
Thank you