Azure Forced tunnel over a s2s tunnel via VPN gateway is not working
Tutorial – Create & manage a VPN gateway – Azure portal - Azure VPN Gateway | Microsoft Learn
How to implement the Azure Forced Tunneling via S2S VPN · Jorge Bernhardt
We have an S2S tunnel between our data center (Palo Alto FW) and a VPN gateway in Azure. We can reach everything fine between the sites. I created a forced tunnel per MS instructions so that all internet traffic for my VNet crosses the Palo Alto FW. If I try to reach the internet from a VM in the tunneled VNet it fails to reach the PA firewall. All other S2S traffic works fine.
· I created a UDR for 0.0.0.0/0 and included the subnet in the VNet and pointed it to Virtual gateway (there is only one plus the Virtual gateway subnet).
· There is no security group defined.
· Effective routes from the routing table:
Effective routes
Source  | State   | Address Prefixes | Next Hop Type           | Next Hop IP Address | User Defined Route Name
Default | Active  | 10.x.x.x/16      | Virtual network         | -                   |
User    | Active  | 0.0.0.0/0        | Virtual network gateway | -                   | default
Default | Invalid | 0.0.0.0/0        | Internet                | -                   |
· I set my virtual network gateway default site. It appears to be correct below:
ResourceGroupName: US-WEST-3-RG-Auth
PS C:\Users\xxx> Set-AzVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway
PS C:\Users\xxx> $local = Get-AzLocalNetworkGateway -ResourceGroupName $resourceGroupName
PS C:\Users\xxx> $gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $resourceGroupName
PS C:\Users\xxx> Set-AzVirtualNetworkGatewayDefaultSite `
-GatewayDefaultSite $local `
-VirtualNetworkGateway $gateway
Name : US-West-3-GW-NPS
ResourceGroupName : US-WEST-3-RG-Auth
Location : westus3
Id : /subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/US-WEST-3-RG-Auth/
providers/Microsoft.Network/virtualNetworkGateways/US-West-3-GW-NPS
Etag : W/"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
ResourceGuid : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ProvisioningState : Succeeded
Tags :
IpConfigurations : [
{
"PrivateIpAllocationMethod": "Dynamic",
"Subnet": {
"Id": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/US-WE
ST-3-RG-Auth/providers/Microsoft.Network/virtualNetworks/USW3-Auth-VNET-10.52.0.0/sub
nets/GatewaySubnet"
},
"PublicIpAddress": {
"Id": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/US-WE
ST-3-RG-Auth/providers/Microsoft.Network/publicIPAddresses/USW-3-NPS-PUBLIC"
},
"Name": "default",
"Etag": "W/"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"",
"Id": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/US-WEST
-3-RG-Auth/providers/Microsoft.Network/virtualNetworkGateways/US-West-3-GW-NPS/ipConf
igurations/default"
}
]
GatewayType : Vpn
VpnType : RouteBased
EnableBgp : False
ActiveActive : False
GatewayDefaultSite : {
"Id": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/US-WEST-3
-RG-Auth/providers/Microsoft.Network/localNetworkGateways/USW-3-LNG-DC"
}
Sku : {
"Capacity": 2,
"Name": "VpnGw2AZ",
"Tier": "VpnGw2AZ"
}
VpnClientConfiguration : null
BgpSettings : {
"Asn": 65515,
"BgpPeeringAddress": "xxx.xxx.xxx.xxx",
"PeerWeight": 0,
"BgpPeeringAddresses": [
{
"IpconfigurationId": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resou
rceGroups/US-WEST-3-RG-Auth/providers/Microsoft.Network/virtualNetworkGateways/US-Wes
t-3-GW-NPS/ipConfigurations/default",
"DefaultBgpIpAddresses": [
"xxx.xxx.xxx.xxx"
],
"CustomBgpIpAddresses": [],
"TunnelIpAddresses": [
"xxx.xxx.xxx.xxx"
]
}
]
}
CustomRoutes : null
NatRules : []
ExtendedLocation : null
EnableBgpRouteTranslationForNat : False
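The checks in the post are spread across the portal and several cmdlets, so here is an added PowerShell script (not part of the original post) that verifies the Azure-side pieces of a forced tunnel in one pass: the gateway's default site, the state of the S2S connection, and the effective 0.0.0.0/0 route on the VM's NIC. It assumes the resource names shown in the output above; the VM NIC name is a placeholder.

```powershell
# Added diagnostic script, not from the original post. Resource names are taken
# from the gateway output above; $nicName is a placeholder to fill in.
$rg      = 'US-WEST-3-RG-Auth'
$gwName  = 'US-West-3-GW-NPS'
$lngName = 'USW-3-LNG-DC'
$nicName = '<nic-of-vm-in-tunneled-subnet>'   # placeholder

# 1. The gateway default site must be the on-prem local network gateway,
#    otherwise 0.0.0.0/0 traffic is not handed to the S2S tunnel.
$gw  = Get-AzVirtualNetworkGateway -Name $gwName  -ResourceGroupName $rg
$lng = Get-AzLocalNetworkGateway   -Name $lngName -ResourceGroupName $rg
if ($gw.GatewayDefaultSite.Id -ne $lng.Id) {
    Write-Warning "Default site of $gwName is not $lngName."
}
# With BGP disabled, these static prefixes are what Azure routes to the DC.
"Local network gateway prefixes: $($lng.LocalNetworkAddressSpace.AddressPrefixes -join ', ')"

# 2. The S2S connection must be Connected; zero ingress bytes while egress
#    grows points at the on-prem side dropping or not selecting the traffic.
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Where-Object { $_.VirtualNetworkGateway1.Id -eq $gw.Id } |
    Select-Object Name, ConnectionType, ConnectionStatus,
                  IngressBytesTransferred, EgressBytesTransferred

# 3. Effective routes on the VM NIC: a 0.0.0.0/0 route must be Active with
#    next hop VirtualNetworkGateway; the system Internet route should read
#    Invalid because the UDR overrides it (that is expected, not an error).
$routes  = Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rg
$default = $routes | Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' }
$default | Select-Object Source, State, NextHopType, Name
$active  = $default | Where-Object {
    $_.State -eq 'Active' -and $_.NextHopType -eq 'VirtualNetworkGateway'
}
if (-not $active) {
    Write-Warning "No active 0.0.0.0/0 route to the VPN gateway on $nicName."
}
```

If all three checks pass, the Azure side matches the forced-tunnel configuration and the remaining place to look is the on-prem firewall's tunnel routing and policy for destinations outside the VNet ranges.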