Limited connectivity between Azure VNET and On-premise network

Verbrugge, Richard 30 Reputation points
2025-06-27T15:14:57.92+00:00

Hello all,

I'm having trouble getting my Azure Bastion VM (10.18.9.4) to retrieve a DNS query from an on-prem DNS server (10.17.1.5). ICMP and RDP do work (both ways). The Azure Firewall indicates the request is allowed through the firewall (and the rule is configured to permit this); I see the log entry 10.18.9.4 -> 10.17.1.5 UDP port 53 allowed.

The on-prem firewall does not seem to receive the traffic for 10.18.9.4 -> 10.17.1.5 UDP port 53 at all, as if Azure never actually sent it. I do see the ICMP and RDP packets go through, and they show in the on-prem firewall.

This setup uses a site-to-site VPN. I can also confirm that trying to SSH from the Bastion to another server on the same on-prem subnet acts the same way as the DNS query.


Accepted answer
  1. Praveen Bandaru 5,520 Reputation points Microsoft External Staff Moderator
    2025-06-30T08:21:34.85+00:00

    Hello Verbrugge, Richard

    In addition to hossein jalilian's response, I'm adding more details.

    It appears you're experiencing connectivity problems between your Azure Bastion VM and your on-premises DNS server. Since ICMP and RDP are functioning properly, the basic VPN tunnel seems to be working. However, DNS (UDP port 53) and SSH traffic are not reaching the on-prem firewall, indicating there may be a few specific areas to check.

    • Ensure that routing is properly set up on both Azure and on-premises to permit DNS and SSH traffic. Also, check for any conflicting routes.
    • Even if the rules appear to allow the traffic, please double-check for any forced tunneling or DNS proxy configurations that could be interfering with the queries.
    • Azure Firewall uses SNAT, which might impact how packets are sent. Make sure the SNAT settings are not causing any problems.
    • Once again, please check your on-premises firewall as there may be rules blocking DNS or SSH requests from the Azure IP range.
    • Please verify that your DNS configuration, including any conditional forwarding settings, permits requests from the Azure VNET. Also, ensure that the NSG rules on the Azure side are not blocking the required ports for DNS and SSH access.

    Please provide the following information so we can further investigate the issue:

    1. Have you set up any custom routes for your Azure VNET?
    2. Are there any specific filtering rules on your on-premises firewall that could impact traffic coming from Azure?
    3. Can you confirm whether there are outbound rules on the Azure Firewall that might be blocking DNS or SSH traffic?
    4. Are there any particular DNS server settings that could be affecting how Azure requests are handled?

    Hope the above answer helps! Please let us know if you have any further queries.

    Please consider "up-voting" wherever the information provided helps you; this can be beneficial to other community members.


1 additional answer

  1. hossein jalilian 11,055 Reputation points Volunteer Moderator
    2025-06-27T16:54:19.7533333+00:00

    Thanks for posting your question in the Microsoft Q&A forum

    ICMP and RDP traffic between your Azure Bastion VM and on-prem DNS server are working, showing that the VPN tunnel and basic connectivity are fine. However, DNS and SSH traffic don’t reach the on-prem firewall, even though Azure Firewall logs show the traffic is allowed.

    This could be caused by:

    • Misconfigured routes or subnets
    • Azure Firewall settings (forced tunneling or DNS proxy issues)
    • SNAT behavior of Azure Firewall
    • Firewall/NAT rules on the on-prem side
    • Incorrect DNS settings or lack of conditional forwarding
    • NSG rules blocking traffic

    Please don't forget to close the thread here by upvoting and accepting it as an answer if it is helpful.

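Both answers above list the same Azure-side checks (effective routes, NSG rules, Azure Firewall SNAT) without showing how to compare the working flows with the failing ones. The following is an added example, not code from the thread or from Microsoft: it models the two decisions Azure makes for a packet leaving a subnet, longest-prefix route selection (with the user-route over BGP over system tie-break) and priority-ordered NSG evaluation, and replays the poster's four flows (ICMP, RDP/3389, DNS/53, SSH/22) through constructed route and NSG data. The route table, NSG rules and addresses are constructed for illustration; the NSG deliberately contains a hypothetical port-selective deny so that the output shows what a protocol-specific drop looks like. In the poster's case the Azure Firewall log proves the flow already cleared the VM subnet's NSG, so the same functions should be fed the effective routes of the AzureFirewallSubnet (the hop after the firewall) taken from `az network nic show-effective-route-table`; note also that Azure Firewall does not SNAT to RFC 1918 destinations by default, so 10.18.9.4 should still be the source address seen on-prem unless SNAT for private ranges was configured.

```python
"""
Added example (not from the thread): replay flows through a model of Azure
effective-route selection and NSG evaluation. All sample data is CONSTRUCTED.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                   # "Tcp", "Udp" or "Icmp"
    dport: Optional[int] = None  # None for ICMP (no port)


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str  # "VirtualNetworkGateway", "VirtualAppliance", "VnetLocal", "Internet", "None"
    source: str         # "User" (UDR), "VirtualNetworkGateway" (learned from the gateway), "Default"


@dataclass(frozen=True)
class NsgRule:
    priority: int
    direction: str      # "Outbound" or "Inbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    src: str            # CIDR or "*"
    dst: str            # CIDR or "*"
    dports: str         # "53", "22-23", "22,53" or "*"


# Azure route selection: longest prefix wins; on equal length a user-defined
# route beats a gateway-learned (BGP) route, which beats a system route.
_SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def select_route(routes, dst):
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.prefix, strict=False)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix, strict=False).prefixlen,
                                       _SOURCE_RANK[r.source]))


def _cidr_match(spec, ip):
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    if spec == "*":
        return True
    if port is None:  # ICMP carries no port, so only "*" port rules can match it
        return False
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_nsg(rules, flow, direction="Outbound"):
    """First matching rule in ascending priority decides. Azure's default rules
    (priority >= 65000) must be present in `rules` for the fall-through to be realistic."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or (r.protocol != "*" and r.protocol != flow.proto):
            continue
        if not (_cidr_match(r.src, flow.src) and _cidr_match(r.dst, flow.dst)):
            continue
        if not _port_match(r.dports, flow.dport):
            continue
        return r.access, r.priority
    return "Deny", None  # no rule matched at all


def trace(flow, subnet_routes, nsg_rules):
    """Return (next hop type, NSG verdict, deciding rule priority) for one outbound flow."""
    route = select_route(subnet_routes, flow.dst)
    access, prio = evaluate_nsg(nsg_rules, flow)
    return (route.next_hop_type if route else "NoRoute", access, prio)


# Constructed sample: VM subnet 10.18.9.0/24 with a UDR sending on-prem traffic through a
# firewall (VirtualAppliance) while the same /16 is also learned from the VPN gateway.
VM_SUBNET_ROUTES = [
    Route("10.18.0.0/16", "VnetLocal", "Default"),
    Route("0.0.0.0/0", "VirtualAppliance", "User"),
    Route("10.17.0.0/16", "VirtualNetworkGateway", "VirtualNetworkGateway"),
    Route("10.17.0.0/16", "VirtualAppliance", "User"),  # wins the tie against the learned /16
]
# Constructed, deliberately broken NSG: an explicit deny on 22 and 53 sits above the defaults,
# so RDP and ICMP pass while DNS and SSH are dropped before they ever reach the firewall.
VM_SUBNET_NSG = [
    NsgRule(100, "Outbound", "Allow", "Tcp", "10.18.9.0/24", "10.17.0.0/16", "3389"),
    NsgRule(110, "Outbound", "Deny", "*", "10.18.9.0/24", "10.17.0.0/16", "22,53"),
    NsgRule(65000, "Outbound", "Allow", "*", "*", "*", "*"),  # AllowVnetOutBound (simplified)
    NsgRule(65500, "Outbound", "Deny", "*", "*", "*", "*"),   # DenyAllOutBound
]
FLOWS = {
    "icmp": Flow("10.18.9.4", "10.17.1.5", "Icmp"),
    "rdp": Flow("10.18.9.4", "10.17.1.5", "Tcp", 3389),
    "dns": Flow("10.18.9.4", "10.17.1.5", "Udp", 53),
    "ssh": Flow("10.18.9.4", "10.17.1.5", "Tcp", 22),
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(name, trace(flow, VM_SUBNET_ROUTES, VM_SUBNET_NSG))
```

To run this against the real environment, replace the constructed lists with the JSON from `az network nic show-effective-route-table` and `az network nic list-effective-nsg` for the Bastion VM's NIC and for a NIC in the hub, and confirm the model's answer with `az network watcher show-next-hop` and `az network watcher test-ip-flow` for the UDP 53 flow. A next hop of "None" or "Internet" for 10.17.1.5 on the AzureFirewallSubnet, or a SNAT configuration covering 10.17.0.0/16, would both produce exactly the "allowed in Azure, never seen on-prem" symptom described in the question.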
