Azure Forced tunnel over a s2s tunnel via VPN gateway is not working

Gregory Carleton 0 Reputation points
2023-07-27T16:13:48.3533333+00:00

Tutorial – Create & manage a VPN gateway – Azure portal - Azure VPN Gateway | Microsoft Learn

How to implement the Azure Forced Tunneling via S2S VPN · Jorge Bernhardt

We have a s2s tunnel between our data center (Palo Alto FW) and a VPN gateway in Azure. We can reach everything fine between the sites. I created a forced tunnel per MS instructions so that all internet traffic for my crosses the Palo Alto FW. If I try to reach the internet from a VM in the tunneled VNet, it fails to reach the PA firewall. All other s2s traffic works fine.

· I created a UDR for 0.0.0.0/0, included the subnet in the VNet, and pointed it to Virtual network gateway (there is only one subnet plus the GatewaySubnet).

· There is no security group defined.

· Effective routes from the routing table:

Effective routes

Source    State    Address Prefixes   Next Hop Type             Next Hop IP Address   User Defined Route Name
Default   Active   10.x.x.x/16        Virtual network           --                    --
User      Active   0.0.0.0/0          Virtual network gateway   --                    default
Default   Invalid  0.0.0.0/0          Internet                  --                    --

· I set my virtual network gateway default site. It appears to be correct below:

ResourceGroupName: US-WEST-3-RG-Auth

PS C:\Users\xxx> Set-AzVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway
PS C:\Users\xxx> $local = Get-AzLocalNetworkGateway -ResourceGroupName $resourceGroupName
PS C:\Users\xxx> $gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $resourceGroupName
PS C:\Users\xxx> Set-AzVirtualNetworkGatewayDefaultSite `
    -GatewayDefaultSite $local `
    -VirtualNetworkGateway $gateway

Name                            : US-West-3-GW-NPS
ResourceGroupName               : US-WEST-3-RG-Auth
Location                        : westus3
Id                              : /subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/US-WEST-3-RG-Auth/providers/Microsoft.Network/virtualNetworkGateways/US-West-3-GW-NPS
Etag                            : W/"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
ResourceGuid                    : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ProvisioningState               : Succeeded
Tags                            :
IpConfigurations                : [
                                    {
                                      "PrivateIpAllocationMethod": "Dynamic",
                                      "Subnet": {
                                        "Id": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/US-WEST-3-RG-Auth/providers/Microsoft.Network/virtualNetworks/USW3-Auth-VNET-10.52.0.0/subnets/GatewaySubnet"
                                      },
                                      "PublicIpAddress": {
                                        "Id": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/US-WEST-3-RG-Auth/providers/Microsoft.Network/publicIPAddresses/USW-3-NPS-PUBLIC"
                                      },
                                      "Name": "default",
                                      "Etag": "W/"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"",
                                      "Id": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/US-WEST-3-RG-Auth/providers/Microsoft.Network/virtualNetworkGateways/US-West-3-GW-NPS/ipConfigurations/default"
                                    }
                                  ]
GatewayType                     : Vpn
VpnType                         : RouteBased
EnableBgp                       : False
ActiveActive                    : False
GatewayDefaultSite              : {
                                    "Id": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/US-WEST-3-RG-Auth/providers/Microsoft.Network/localNetworkGateways/USW-3-LNG-DC"
                                  }
Sku                             : {
                                    "Capacity": 2,
                                    "Name": "VpnGw2AZ",
                                    "Tier": "VpnGw2AZ"
                                  }
VpnClientConfiguration          : null
BgpSettings                     : {
                                    "Asn": 65515,
                                    "BgpPeeringAddress": "xxx.xxx.xxx.xxx",
                                    "PeerWeight": 0,
                                    "BgpPeeringAddresses": [
                                      {
                                        "IpconfigurationId": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/US-WEST-3-RG-Auth/providers/Microsoft.Network/virtualNetworkGateways/US-West-3-GW-NPS/ipConfigurations/default",
                                        "DefaultBgpIpAddresses": [
                                          "xxx.xxx.xxx.xxx"
                                        ],
                                        "CustomBgpIpAddresses": [],
                                        "TunnelIpAddresses": [
                                          "xxx.xxx.xxx.xxx"
                                        ]
                                      }
                                    ]
                                  }
CustomRoutes                    : null
NatRules                        : []
ExtendedLocation                : null
EnableBgpRouteTranslationForNat : False
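The three Azure-side pieces the post describes (a 0.0.0.0/0 UDR with next hop VirtualNetworkGateway on the workload subnet, the gateway default site pointing at the on-premises local network gateway, and an effective-route check from a VM's NIC), as one end-to-end Az PowerShell script. This is an added example, not the poster's script or Microsoft's tutorial code; the gateway, local network gateway, VNet and resource group names are taken from the output above, while the workload subnet name, route table name and NIC name are assumptions.

```powershell
# Added example: Azure forced tunneling over a route-based S2S VPN gateway.
# Names marked "assumed" are placeholders, not values from the original post.
$rg         = 'US-WEST-3-RG-Auth'          # from the post
$location   = 'westus3'                    # from the post
$vnetName   = 'USW3-Auth-VNET-10.52.0.0'   # from the post
$gwName     = 'US-West-3-GW-NPS'           # from the post
$lngName    = 'USW-3-LNG-DC'               # from the post
$subnetName = 'Workload'                   # assumed: the subnet that holds the VMs
$rtName     = 'rt-forced-tunnel'           # assumed route table name
$nicName    = 'vm1-nic'                    # assumed NIC of a VM in that subnet

# 1. Route table with a single UDR: all non-VNet traffic goes to the VPN gateway.
#    No NextHopIpAddress is needed for the VirtualNetworkGateway hop type.
$defaultRoute = New-AzRouteConfig -Name 'default-via-vpn' `
    -AddressPrefix '0.0.0.0/0' -NextHopType VirtualNetworkGateway
$rt = New-AzRouteTable -Name $rtName -ResourceGroupName $rg `
    -Location $location -Route $defaultRoute

# 2. Associate the route table with the workload subnet only.
#    Never attach a 0.0.0.0/0 UDR to GatewaySubnet; that breaks the gateway itself.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Default site: the local network gateway that represents the on-prem firewall.
#    Without this the VirtualNetworkGateway hop has nowhere to send 0.0.0.0/0.
$lng = Get-AzLocalNetworkGateway -Name $lngName -ResourceGroupName $rg
$gw  = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayDefaultSite -VirtualNetworkGateway $gw `
    -GatewayDefaultSite $lng | Out-Null

# 4. Verify: the default site is set and the NIC's effective 0.0.0.0/0 route is the
#    user route to the gateway, with the system Internet route marked Invalid.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
if (-not $gw.GatewayDefaultSite) { throw 'Gateway default site is not set.' }

Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Select-Object Source, State, AddressPrefix, NextHopType, NextHopIpAddress
```

The effective-route output in the post is what step 4 should show: the User route for 0.0.0.0/0 is Active with next hop Virtual network gateway, and the system Internet route is Invalid because the UDR overrides it. When the Azure side looks like that and internet-bound packets still never reach the firewall, the remaining place to look is the IPsec policy on the on-premises device: the tunnel's traffic selectors (proxy IDs on a Palo Alto) have to accept traffic from the VNet prefix to 0.0.0.0/0, not just to the data-center ranges, and the firewall needs a route back to the VNet plus NAT for the return internet traffic.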
