ACLs blocking traffic to a VPN Gateway
Hi,
I've been working around a problem with a VPN Gateway I built a few days ago. It appears the traffic is blocked inbound to this gateway by an ACL that I can't edit, control or even see.
The former architecture is a hub/spoke design connected with an on-prem firewall.
At first I detected that I couldn't access the datacenter using ports other than 179, 443 and 500 (and a few more above 8800).
In order to troubleshoot this behavior, I removed parts of this architecture to isolate the problem.
So the setup now is 2 VPN gateways connected via a site-to-site connection. My tests are done with 2 VMs placed in a different subnet, but on the same VNET as each of the gateways.
There are no NSGs configured in any of those subnets.
VNET A ( VM_A 172.18.0.100 + VNET GATEWAY A ) <—> S2S connection <—> VNET B ( VM_B 10.200.1.4 + VNET GATEWAY B )
Symptoms are:
If I do a port scan (netcat/nmap) from VM A to VM B, only 3 ports are observed to pass through VNET gateway A and reach VM B (tcpdump 'host <ip_vm_a>').
If I do the same test the other way, VM B to VM A, I can reach VM B on any port.
After enabling VNET Flow logs, we can finally detect the presence of a blocking rule on the VNET GATEWAY A side only.
Here we can see all traffic from A to B using port 80 is always denied by the ACL named DefaultInboundDenyAll:
{ "rule": "DefaultInboundDenyAll",
"flowTuples": [
"1728551909443,172.18.0.100,10.200.1.4,40486,80,6,I,D,NX,0,0,0,0",
"1728551910451,172.18.0.100,10.200.1.4,40486,80,6,I,D,NX,0,0,0,0",
"1728551911480,172.18.0.100,10.200.1.4,40486,80,6,I,D,NX,0,0,0,0",
"1728551912499,172.18.0.100,10.200.1.4,40486,80,6,I,D,NX,0,0,0,0",
"1728551913527,172.18.0.100,10.200.1.4,40486,80,6,I,D,NX,0,0,0,0",
"1728551914552,172.18.0.100,10.200.1.4,40486,80,6,I,D,NX,0,0,0,0",
"1728551916567,172.18.0.100,10.200.1.4,40486,80,6,I,D,NX,0,0,0,0",
"1728551920696,172.18.0.100,10.200.1.4,40486,80,6,I,D,NX,0,0,0,0"
]}
In the other direction, we can see the same traffic type on port 80 from B to A is allowed by the ACL DefaultRule_AllowVnetInBound:
{ "rule": "DefaultRule_AllowVnetInBound",
"flowTuples": [
"1728560065005,10.200.1.4,172.18.0.100,36458,80,6,I,B,NX,0,0,0,0",
"1728560066858,10.200.1.4,172.18.0.100,36468,80,6,I,B,NX,0,0,0,0",
"1728560070066,10.200.1.4,172.18.0.100,36478,80,6,I,B,NX,0,0,0,0",
"1728560070633,10.200.1.4,172.18.0.100,36458,80,6,I,E,NX,1,158,1,110",
"1728560072525,10.200.1.4,172.18.0.100,36468,80,6,I,E,NX,1,158,1,110",
"1728560075645,10.200.1.4,172.18.0.100,36478,80,6,I,E,NX,1,158,1,110"
]}
This flow log matches a MAC address which is 99% probably linked to the NIC used by the gateway (outbound traffic always matches the gateway private IP address).
How come a Deny rule can affect the traffic, and where does it come from? What could trigger the creation of this ACL? How to remove it? How to prevent these ACLs from being created?
As you can see, the second VNET GATEWAY B I created for troubleshooting doesn't behave the same because there's no similar ACL blocking the traffic.
Feedback appreciated.
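To make the flow-log triage above repeatable, here is an added example (not part of the original post) that parses VNET flow log tuples in the layout shown in the post, groups every tuple with flow state D by rule name and destination port, and flags repeated denies of the same 5-tuple, which is what a client retrying a SYN that never gets answered looks like. The field order is an assumption based on the tuples quoted above; the sample records are copied from the post and shortened.

```python
import json
from collections import Counter

# Assumed VNET flow log tuple layout, inferred from the tuples quoted in the post:
# timestamp_ms, src_ip, dst_ip, src_port, dst_port, protocol, direction,
# flow_state (B=begin, C=continue, E=end, D=deny), encryption, then counters.
FIELDS = ("ts_ms", "src_ip", "dst_ip", "src_port", "dst_port", "proto",
          "direction", "state", "encryption", "pkts_out", "bytes_out",
          "pkts_in", "bytes_in")
INT_FIELDS = ("ts_ms", "src_port", "dst_port", "proto",
              "pkts_out", "bytes_out", "pkts_in", "bytes_in")

# Sample rule blocks copied from the post above (shortened), as they appear in the log.
SAMPLE_LOG = json.dumps([
    {"rule": "DefaultInboundDenyAll", "flowTuples": [
        "1728551909443,172.18.0.100,10.200.1.4,40486,80,6,I,D,NX,0,0,0,0",
        "1728551910451,172.18.0.100,10.200.1.4,40486,80,6,I,D,NX,0,0,0,0",
        "1728551911480,172.18.0.100,10.200.1.4,40486,80,6,I,D,NX,0,0,0,0"]},
    {"rule": "DefaultRule_AllowVnetInBound", "flowTuples": [
        "1728560065005,10.200.1.4,172.18.0.100,36458,80,6,I,B,NX,0,0,0,0",
        "1728560070633,10.200.1.4,172.18.0.100,36458,80,6,I,E,NX,1,158,1,110"]},
])


def parse_tuple(raw):
    """Split one comma-separated flow tuple into a dict; reject unexpected layouts."""
    parts = raw.split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected tuple layout ({len(parts)} fields): {raw}")
    rec = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def denied_flows(log_json):
    """Return {(rule, src_ip, dst_ip, dst_port): deny_count} over all rule blocks.

    A count above 1 for the same key (and the same src_port in the raw tuples)
    means the client kept retrying and never received an answer.
    """
    hits = Counter()
    for block in json.loads(log_json):
        for raw in block["flowTuples"]:
            rec = parse_tuple(raw)
            if rec["state"] == "D":
                hits[(block["rule"], rec["src_ip"], rec["dst_ip"], rec["dst_port"])] += 1
    return hits


if __name__ == "__main__":
    for (rule, src, dst, port), n in denied_flows(SAMPLE_LOG).items():
        print(f"{rule}: {src} -> {dst}:{port} denied {n} times")
```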