Forced tunneling not working as expected

  • Question

  • I've followed Microsoft's guide using the Resource Manager approach: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm

    My on-prem networks are 192.168.0.0/16 and my Azure networks are 10.0.0.0/16. I have proxyIDs in my S2S VPN reflecting these ranges and so far all traffic to either network from either network works fine.

    The objective I'm trying to achieve is to force all traffic into and out of certain VMs onto my S2S tunnel that connects cloud to my on-prem Palo Alto firewall and allow it to egress to the internet from there.

    Once I've added, or at least think I've added, a route for 0.0.0.0/0 to my Virtual Network Gateway and associated the route to a network that has a VM in question, traffic still flows to RFC1918 address space in either direction, but internet-bound traffic doesn't appear to ever leave Azure. I look at pcaps on the tunnel and when attempting any traffic that should egress to the internet (outside of Azure and my PA firewall), the counter stays flat. Looking at effective routes in Azure for my test VM, it shows the 0.0.0.0/0 route to the virtual private gateway, but no IP for next-hop. When setting up a new route manually, it states that a next hop IP can't be associated to a virtual private gateway; only to a virtual appliance. OOK....soo, seems like a routing issue but I'm stumped. Help?


    Tuesday, January 14, 2020 4:24 PM

All replies

  • To start, make sure that your setup is ready for forced tunneling, and meets the requirements specified in the doc.

    "Forced tunneling must be associated with a VNet that has a route-based VPN gateway. You need to set a "default site" among the cross-premises local sites connected to the virtual network. Also, the on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors."

    Setting 0.0.0.0/0 with the next hop as "VirtualNetworkGateway" will send traffic across the tunnel, but only if the prerequisites are set, and your device can receive the traffic. 

    Tuesday, January 14, 2020 10:39 PM
    Moderator
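    As an added example (not code from this thread or from Microsoft's guide), the prerequisites the reply above lists, checked and applied with the Az PowerShell module: a route-based gateway, a default site, and a 0.0.0.0/0 UDR with next hop VirtualNetworkGateway, followed by an effective-routes check on the VM's NIC. All resource names are assumptions.

    ```powershell
    # Added example, not from the thread or the doc. Resource names are assumptions.
    $rg       = 'rg-hub'          # assumed resource group
    $vnetName = 'vnet-hub'        # assumed VNet containing the test VM
    $subnet   = 'snet-forced'     # assumed subnet whose VMs must egress via on-prem
    $gwName   = 'vgw-hub'         # assumed virtual network gateway
    $lngName  = 'lng-onprem-pa'   # assumed local network gateway for the on-prem firewall
    $nicName  = 'nic-testvm'      # assumed NIC of the test VM

    # 1. Forced tunneling requires a route-based gateway.
    $gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
    if ($gw.VpnType -ne 'RouteBased') {
        throw "Gateway $gwName is $($gw.VpnType); forced tunneling needs RouteBased."
    }

    # 2. A default site must be set, otherwise 0.0.0.0/0 has no cross-premises
    #    site to be forwarded to.
    $lng = Get-AzLocalNetworkGateway -Name $lngName -ResourceGroupName $rg
    if (-not $gw.GatewayDefaultSite) {
        Set-AzVirtualNetworkGatewayDefaultSite -VirtualNetworkGateway $gw -GatewayDefaultSite $lng
    }

    # 3. UDR 0.0.0.0/0 -> VirtualNetworkGateway. This hop type takes no next-hop IP;
    #    only the VirtualAppliance hop type does.
    $rt = New-AzRouteTable -Name 'rt-forced-tunnel' -ResourceGroupName $rg -Location $gw.Location -Force
    $rt | Add-AzRouteConfig -Name 'default-to-onprem' -AddressPrefix '0.0.0.0/0' `
                            -NextHopType VirtualNetworkGateway | Set-AzRouteTable | Out-Null

    $vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
    $sn   = Get-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet
    Set-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet `
        -AddressPrefix $sn.AddressPrefix -RouteTable $rt | Out-Null
    $vnet | Set-AzVirtualNetwork | Out-Null

    # 4. Verify on the VM's NIC: expect Source=User, NextHopType=VirtualNetworkGateway
    #    for 0.0.0.0/0. Traffic only leaves Azure if the on-prem device also accepts
    #    0.0.0.0/0 as a traffic selector, which is configured on that device, not here.
    Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rg |
        Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
        Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress
    ```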
  • Hello,

    If you think your question has been answered, please click "Mark as Answer"; if it just helped, click "Vote as helpful". This can be beneficial to other community members reading this forum thread.

    Best regards

    Subhash

    Tuesday, January 28, 2020 7:21 AM
    Moderator