Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,543 questions
Routing Azure VPN P2S connection through Azure Firewall for S2S connection
Bas Pruijn
951
Reputation points
Hi all,
I am setting up an IoT configuration where the devices connect via SIMs to a mobile provider. The mobile provider forwards all traffic through a S2S VPN connection. Using a route table I am able to forward all traffic to an Azure Firewall. The Azure Firewall policy is configured to always use SNAT. This is needed because the mobile provider only allows traffic from 1 IP subnet only. This all works as expected.
However, when I connect using a P2S connection on the same VPN Gateway the traffic with a S2S destination seems not to be routed to the firewall. Requests to Azure resources do get routed through the firewall and work without issues. It seems the VPN Gateway directly routes the data to the S2S connection. There the data is dropped, since it does not originate from the predefined subnet.
Any clues on how to fix this?
Furthermore, we need to prevent different S2S connections to directly communicate with each other. All traffic needs to be routed through the firewall where rules will block unwanted traffic. Would this be default behaviour, or does the VPN gateway (also) route this traffic directly?
There is no need for forced tunneling.
Details:
P2S: OpenVPN (SSL) with AAD authentication
S2S: IPSec tunnel with preshared key.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 26,201 Reputation points Microsoft Employee2024-08-26T23:04:55.0233333+00:00 Thank you for reaching out.
However, when I connect using a P2S connection on the same VPN Gateway the traffic with a S2S destination seems not to be routed to the firewall. Requests to Azure resources do get routed through the firewall and work without issues. It seems the VPN Gateway directly routes the data to the S2S connection. There the data is dropped, since it does not originate from the predefined subnet.
Based on your statement above, can you please perform a packet capture on your VPN Gateway to determine if S2S destination is indeed not routing via azure firewall.
One reason this can happen if there is a more specific route available for the traffic. Although I am not sure why a establishing a P2S connection can affect routing. It will help if you could share your network diagram here and also confirm based on the packet capture above that the traffic is indeed not routing via azure firewall.
Furthermore, we need to prevent different S2S connections to directly communicate with each other. All traffic needs to be routed through the firewall where rules will block unwanted traffic. Would this be default behaviour, or does the VPN gateway (also) route this traffic directly?
It will help if you could share your network diagram here to understand the implementation and provide more insights.
Are you referring to S2S connections configured on a single VPN Gateway?
Thanks
Sign in to comment
Sign in to answer