Share via

Problem to setup access to a external IP from a container using VNET and Azure Firewall

Alex Cordova 0 Reputation points
2024-07-30T15:57:42.26+00:00

I have created a Azure Container Instance that uses a VNET to reach a private external network using an Azure Gateway to do a site-to-site connection, to give public access to the system into the container I set up an Azure Firewall with his own subnet inside the VNET of the container.

Example:

Vnet range 192.168.x.x

Gateway subnet 192.168.10.x

Container subnet 192.168.11.x

Azure firewall subnet 192.168.12.x with a public ip set up

To reach for example the IP 37.97.92.71 from the container I set up a rule into the routing tables associated to the subnet container for routing the traffic that want to reach this external public ip to through the firewall that is on the private IP 192.168.11.4.

And into the firewall I set a network rule to allow the outbound communication to his Ip for any port.

But when I do a test doing a tracert inside the container to his external IP the next hop the packet shows me if the private IP 192.168.12.8 that is not the firewall IP and I don't have any objects created that uses this IP. Anybody can help me please. Who can give me an idea of what I might be doing wrong I am new to Azure.

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
681 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,513 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee
    2024-07-31T08:10:42.52+00:00

    @Alex Cordova ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you are setting up Outbound access via Azure Firewall.

    I see you have

    • A route table attached to the subnet of your source (Azure Container Instance)
    • With NextHop as the Private IP of the Azure Firewall for the route 37.97.x.x

    May I ask why you are checking ICMP Tracert here?

    • As long as the intermediate hop is in the Azure Firewall Subnet, this is fine.
    • However, please make sure that you only access the destination with TCP and not ICMP
      • This is because Network filtering rules for non-TCP/UDP protocols (for example ICMP) don't work for Internet bound traffic
      • See : Azure Firewall limitations
    • You can try to access the destination using Telnet or Test-NetConnection
      • Open powerShell and run Test-NetConnection -ComputerName www.google.com -Port 443
    • You can use Azure Firewall Diagnostic logs to check whether or not the traffic reached the Firewall
      • And also, whether or not Firewall allowed this traffic
      • And which rule was processed to allow/deny this traffic.

    Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

    Thanks,

    Kapil

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.