Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum
Viewing all 6513 articles

Route traffic out to the Internet


Hi all - Can you confirm my understanding of how to route traffic out to the Internet? (I'm new to Azure but hopefully these are quick questions.)

I understand from what you say that all I need to do is create a default route 0.0.0.0/0 and make the next hop "Internet".

>Will traffic that is getting routed out to the Internet automatically be NAT-ed?

>My assumption is that once traffic goes out, only return traffic can come back once the session is established from inside the Azure cloud.

>At any point, can new traffic sessions be initiated from the Internet back into the Azure cloud with this configuration -- or is a virtual appliance needed in this case?

Thanks!


Routing over Vnet to Vnet connection


Hi

I have the following networks that need routing between them:

On Prem - 192.168.221.0/24
Azure Servers - 10.1.10.0/23
Azure DR - 10.1.12.0/23

As is I have a site to site VPN from "On Prem" to "Azure Servers" working fine. I have a Vnet to Vnet connection between Azure Servers and Azure DR as these are on different subscriptions.

On the Site to Site VPN side I assume I just need to add route for 10.1.12.0/23 on the remote (Azure VM) side.

How do I also do the same back the other way for the Vnet to Vnet? How do I add a route there telling anything on 10.1.12.0/23 if it needs to get to the On Prem network 192.168.221.0/24 to go via the other end of the Vnet to Vnet? Is this even doable?

How to set an Email notification when VPN connection is down?


Hi all, 

Hope you're having a good day, 

I need to configure a solution to send an email to the admin when the Azure VPN connection status is DOWN, and likewise when it's back UP again. Any ideas on how we can set this up? Is the only solution to create a runbook that only runs every hour (as described in this article https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitor-with-azure-automation#scenario)?

Thanks in advance

Service Endpoints and SQL DB Failover Groups

Hello,
Does anybody know / can anyone confirm whether Azure SQL DB (PaaS) Failover Groups are supported with VNET Service Endpoints?

The article below doesn't mention any limitation about Failover Groups and Service Endpoints, but when I tried to create a Failover Group between two SQL Servers (PaaS), it failed with the following error:
"code: Internal Server Error; message: An unexpected error occurred while processing the request"

https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview

The two SQL Servers (PaaS) have been configured as follows:

SQL_SRV01 was hosted in the Central US region
SQL_SRV02 was hosted in the East US 2 region

SQL_SRV_01 (PaaS) was configured so that it can be queried from a subnet in Central US.

SQL_SRV_02 (PaaS) was configured so that it can be queried from a subnet in East US 2.

"Allow access to Azure services" was enabled on both

Note: No issues when Virtual Network rules have been removed

Any thoughts ?

Thanks in advance


How to get an IPSEC template for ASA when building IPSEC from a classic VPN gateway

I am using ARM at the moment, but we have some classic VNETs and gateways that already have IPsec VPNs. I need to build a new VPN from this classic VNET/gateway in my ARM portal, but where can I get the IPsec template for my on-prem device? I need to know the pre-shared key and the other IPsec parameters. I don't see any feature to download the configs, which is different from building a VPN using an ARM gateway, where you can download the IPsec config.

NSG blocking VMs on same subnet


Hi,

Somehow the deny rule I have at a subnet level is blocking traffic between VMs on the same subnet.

VNET: 10.20.64.0/20

Subnet: 10.20.65.0/24

VM1: 10.20.65.31

VM2: 10.20.65.32

The NSG rule applied at the subnet level that's causing the problem, implemented with the intention of segregating subnets:

security_rule {
  name                       = "Deny-all-Subnets"
  description                = "Deny all Subnets"
  priority                   = 4000
  direction                  = "Inbound"
  access                     = "Deny"
  protocol                   = "*"
  source_port_range          = "*"
  destination_port_range     = "*"
  source_address_prefix      = "VirtualNetwork"
  destination_address_prefix = "*"
}

With this rule in place, tracert from VM1 to VM2 fails. Without it, it works fine.

The Azure Connection Troubleshooter confirms VM1 can't connect to VM2.

Why would a subnet level NSG block two VMs in the same subnet from talking?
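The behaviour in the post follows from two facts about NSGs: a subnet-level NSG is still evaluated for traffic between two VMs inside that subnet, and the VirtualNetwork service tag covers the whole VNet address space (and more: peered VNets, prefixes reachable through a gateway, prefixes in user-defined routes), so it matches the subnet's own addresses. Rules are walked in ascending priority and the first match wins, so a Deny at 4000 with source VirtualNetwork is hit before the default AllowVnetInBound at 65000. The following is an added example, not code from the post or from Azure: a small evaluator of inbound NSG rules with Azure's default rules appended, run against the posted Deny rule and against a corrected set that adds an Allow for the subnet's own prefix at an earlier priority. The tag expansion is a deliberate simplification (a single VNet, no peering, no gateway) and the VM and subnet addresses are the ones given in the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Topology from the post: one VNet, one subnet, the two VMs that cannot talk.
VNET = "10.20.64.0/20"
SUBNET = "10.20.65.0/24"
VM1, VM2 = "10.20.65.31", "10.20.65.32"

# Simplified service-tag expansion (assumption: a single VNet, no peering, no gateway).
# In Azure, "VirtualNetwork" additionally covers peered VNets, on-premises prefixes learned
# through a gateway and prefixes that appear in user-defined routes.
SERVICE_TAGS = {
    "VirtualNetwork": [VNET],
    "AzureLoadBalancer": ["168.63.129.16/32"],   # the platform health-probe source address
    "*": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number = evaluated first
    access: str            # "Allow" or "Deny"
    protocol: str = "*"    # "*", "Tcp", "Udp", "Icmp"
    source: str = "*"      # CIDR, single address or service tag
    destination: str = "*"
    dest_port: str = "*"   # "*", "3389", "80-443", "22,3389"


# Azure's default inbound rules; they sit behind any custom rules.
DEFAULT_INBOUND: List[Rule] = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny"),
]


def _networks(spec: str) -> list:
    if spec in SERVICE_TAGS:
        return [ipaddress.ip_network(p) for p in SERVICE_TAGS[spec]]
    return [ipaddress.ip_network(spec, strict=False)]


def _addr_matches(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _networks(spec))


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_inbound(custom: Iterable[Rule], src: str, dst: str,
                     proto: str, port: int) -> Tuple[str, str]:
    """First matching rule in priority order decides; returns (access, rule name)."""
    for rule in sorted(list(custom) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol.lower() != proto.lower():
            continue
        if not (_addr_matches(rule.source, src) and _addr_matches(rule.destination, dst)):
            continue
        if not _port_matches(rule.dest_port, port):
            continue
        return rule.access, rule.name
    raise AssertionError("DenyAllInBound always matches")


# The rule from the post: source VirtualNetwork includes the subnet itself, so VM1 -> VM2
# hits it at priority 4000, long before the default AllowVnetInBound at 65000.
POSTED = [Rule("Deny-all-Subnets", 4000, "Deny", "*", "VirtualNetwork", "*")]

# Corrected set: an Allow for the subnet's own prefix at a lower (earlier) priority number.
FIXED = [Rule("Allow-Same-Subnet", 3900, "Allow", "*", SUBNET, SUBNET)] + POSTED

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(label, "VM1->VM2 RDP:", evaluate_inbound(rules, VM1, VM2, "Tcp", 3389))
        print(label, "other subnet->VM2:", evaluate_inbound(rules, "10.20.66.5", VM2, "Tcp", 3389))
```

Two things to check before relying on a rule like Deny-all-Subnets for segregation: because VirtualNetwork also matches traffic arriving through a VPN or ExpressRoute gateway, the same Deny blocks on-premises clients, so those prefixes need their own Allow too; and the AzureLoadBalancer tag is not inside VirtualNetwork, so load-balancer health probes still pass through the default rule at 65001.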



Nameservers won't change

I tried changing the nameservers but it has no effect and I'm lost. Please help. (It's been 72 hours.)

Setting up Cisco ASA VPN to Azure. What does "Custom-AzureVPN-Policies-WithNarrowTrafficSelectors" mean?


Setting up a Cisco ASA VPN to Azure. What does "Custom-AzureVPN-Policies-WithNarrowTrafficSelectors" mean? I searched and there is no KB for this.

The VPN tunnel is up but the systems on each side can not see each other. I am wondering if this is the reason.



Cannot RDP from on-prem machine to Azure VM while using point-to-site VPN (or vice-versa)


I'm trying to RDP from on-prem machine to Azure VM (or vice-versa) while using point-to-site VPN.

I have finished the configuration of the VPN (downloaded the VPN exe from the management portal --> ran it successfully and it says connected to VPN on my on-prem machine) but cannot ping nor RDP from one point to the other either way.

Any help would be appreciated!

Azure Site-To-Site VPN Setup fails with ResourceOperationFailure

OK, let me describe my scenario:
We are currently designing our Azure network connections to the on-premise environment for a future customer project.
Our first test to connect an on-premise environment was successful, so we finished our naming convention and wanted to deploy the final PoC.
The PoC-connection was now deployed to the same Azure subscription (MSDN) where we deployed the first draft, with the draft still being present.
Trying to deploy the PoC failed yesterday with the following error:
statusMessage": "ResourceOperationFailure"\"The resource operation completed with terminal provisioning state 'Failed'."\"InternalServerError"\"An error occurred."
After the earlier cleanup I tried to redeploy the Site-To-Site connection again.
Another provisioning failed with the same error. 
Further provisionings appear to be failing with the same error.
Changing the subscription to another does not appear to help.
I have now changed the Azure location from westeurope to northeurope, but am not successful either.

Cannot RDP from on-prem machine to Azure VM while using point-to-site VPN

Did you ever resolve this? I am having the same issue

How to configure SNAT without connection restrictions


I am evaluating Azure Firewall.

I want to send to the Internet as SNAT, and I want to allow it all.

To summarize simply, I would like to browse without allowing a specific FQDN in the network structure of the tutorial.

https://docs.microsoft.com/en-US/azure/firewall/tutorial-firewall-deploy-portal

Can I make such a setting?

The network rule collection rejects 0.0.0.0/0 (which means Internet in the route table).


Prefix requirements on UDR


My company contracted to have our Azure environment built for us to expedite our migration, so I am inheriting resources that I have a question about.

We are using UDRs to force traffic through a Check Point virtual appliance. These UDRs are cumbersome in that we were guided to explicitly define every network for our "On Premise" with a specific route entry. So each route table has 37 statically defined routes to the same IP address as the default route. The only route entry in each table that doesn't point to the Check Point is the route to itself, which uses "Virtual network". I was told Azure resources have to exactly match the routed network's prefix mask with what is advertised to ExpressRoute via BGP.

My question is, is this really necessary?  

Thanks in advance for any response you can offer!

Per
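The requirement the poster was given has a real basis in how Azure selects a route: longest prefix match first, and only on a tie does the route's origin decide, in the order user-defined route, then BGP-learned, then system route. On-premises prefixes advertised over ExpressRoute arrive as BGP routes with the gateway as next hop, and a /24 learned that way beats a 0.0.0.0/0 UDR to the appliance, so traffic to on-premises bypasses the NVA unless a UDR of at least the same prefix length exists. The routes need not be an exact match of the advertised mask; equal or more specific is enough, and the other way out is to disable BGP route propagation on the route table, which keeps gateway-learned routes off the subnet entirely. The following is an added example, not code from the post or from Azure: a simulation of that selection over a constructed route set (hypothetical addresses, not the poster's), comparing a default-only UDR, a supernet UDR, an exactly matching UDR, and a default-only UDR with propagation disabled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Azure breaks a longest-prefix-match tie by route origin: UDR beats BGP beats system.
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str     # "VirtualNetwork", "Internet", "VirtualNetworkGateway", or an NVA address
    origin: str       # "User", "BGP" or "System"


def effective_route(routes: Iterable[Route], dest: str,
                    propagate_gateway_routes: bool = True) -> Optional[Route]:
    """Pick the route Azure would use for `dest` from a subnet's effective route set.

    With "Propagate gateway routes" disabled on the route table, BGP-learned routes are
    not installed for the subnet at all, so they never compete with the UDRs.
    """
    ip = ipaddress.ip_address(dest)
    matching = [r for r in routes
                if (propagate_gateway_routes or r.origin != "BGP")
                and ip in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    # Longest prefix wins; among equal lengths the lowest origin rank (User) wins.
    return max(matching, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                        -ORIGIN_RANK[r.origin]))


# Constructed scenario (hypothetical addresses): one VNet 10.0.0.0/16, an NVA at 10.0.1.4,
# one on-premises prefix learned over ExpressRoute, and a default UDR pointing at the NVA.
NVA = "10.0.1.4"
SYSTEM = [Route("10.0.0.0/16", "VirtualNetwork", "System"),
          Route("0.0.0.0/0", "Internet", "System")]
BGP_FROM_EXPRESSROUTE = [Route("192.168.10.0/24", "VirtualNetworkGateway", "BGP")]
DEFAULT_ONLY = [Route("0.0.0.0/0", NVA, "User")]
WITH_SUPERNET = DEFAULT_ONLY + [Route("192.168.0.0/16", NVA, "User")]
WITH_SPECIFIC = DEFAULT_ONLY + [Route("192.168.10.0/24", NVA, "User")]
ONPREM_HOST = "192.168.10.7"


def next_hop_for(udrs, dest: str = ONPREM_HOST, propagate: bool = True) -> str:
    route = effective_route(SYSTEM + BGP_FROM_EXPRESSROUTE + udrs, dest, propagate)
    return route.next_hop


if __name__ == "__main__":
    print("0.0.0.0/0 UDR only       :", next_hop_for(DEFAULT_ONLY))
    print("+ /16 supernet UDR       :", next_hop_for(WITH_SUPERNET))
    print("+ matching /24 UDR       :", next_hop_for(WITH_SPECIFIC))
    print("0.0.0.0/0, no propagation:", next_hop_for(DEFAULT_ONLY, propagate=False))
    print("intra-VNet destination   :", next_hop_for(DEFAULT_ONLY, "10.0.2.5"))
```

The supernet case is the one that catches people: a /16 UDR covering all of on-premises still loses to every /24 the circuit advertises. Check the subnet's effective routes on a NIC after any change; the list shows exactly which entries are BGP-origin and which ones the UDRs overrode.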


connecting VNET to different expressroutes with different autonomous system numbers


Hi Azure Team,

We are currently planning to build an IaaS environment in Azure, and we will have to connect a single VNET to two different ExpressRoutes connecting to two data centres using different AS numbers. Can you please confirm if this is possible?

Thanks

Daryl




Cisco ASA Route Based VPN with IKEv2, VTi and BGP


Hi all,

My customer and I have been attempting to create a Route Based VPN to Azure from a Cisco ASA. A few other people around the internet have been able to achieve this but documentation is sparse.

We've been able to establish the tunnel without issue, but we're unable to bring BGP up. The Azure BGP PeerID is unreachable from the ASA and the BGP neighbourship remains down. When we use static routing over these tunnels Azure is reachable.

The use of BGP is so that eventually we can establish multiple tunnels with failover - static routing with a primary and secondary tunnel (even with routing weights added) caused asymmetric routing, as Azure tried to return traffic over either tunnel. The configuration below focuses on one tunnel.

We're deploying the tunnel with PowerShell as follows:

$gatewayName                  = "HQVPN"
$connectionNamePrime          = "vpnssPrime"
$localNetworkGatewayPrime     = "ISPPrimary"
$localNetwork1                = "169.254.11.1/32"
$localNetworkGatewayPrimeIP   = "x.x.x.x"
$remoteBgpPeerPrimeIP         = "169.254.11.1"
$localASN                     = "65010"
$remoteASN                    = "65050"
$sharedKey                    = "OurSharedKey"

# Not defined in the posted excerpt; assumed placeholder values so the script runs as written.
$routingWeightPrime           = 10
$subscriptions                = @([pscustomobject]@{
    Name          = "<subscription name>"
    ResourceGroup = "<resource group>"
    Location      = "<location>"
    Environment   = "<environment>"
})

# Phase 1 (IKE) and phase 2 (IPsec) parameters; the ASA side below must match them.
$ipsecpolicy = New-AzureRmIpsecPolicy `
    -IkeEncryption AES256 `
    -IkeIntegrity SHA384 `
    -DhGroup DHGroup24 `
    -IpsecEncryption AES256 `
    -IpsecIntegrity SHA256 `
    -PfsGroup PFS24 `
    -SALifeTimeSeconds 86400 `
    -SADataSizeKilobytes 49152

foreach ($subscription in $subscriptions) {
    $subscriptionName = $subscription.Name
    $resourceGroup    = $subscription.ResourceGroup
    $location         = $subscription.Location
    $environment      = $subscription.Environment

    Select-AzureRmSubscription -SubscriptionName $subscriptionName

    # Enable BGP on the existing VNet gateway and set Azure's ASN.
    $vnetGateway = Get-AzureRmVirtualNetworkGateway -Name $gatewayName -ResourceGroupName $resourceGroup
    $vnetGateway.EnableBgp = $true
    $vnetGateway | Set-AzureRmVirtualNetworkGateway -Asn $localASN

    # Local network gateway = the on-premises ASA: public IP, its ASN and its BGP peer address,
    # with the /32 of that peer address as the only static prefix (BGP supplies the rest).
    New-AzureRmLocalNetworkGateway -Name $localNetworkGatewayPrime `
        -ResourceGroupName $resourceGroup `
        -Location $location `
        -GatewayIpAddress $localNetworkGatewayPrimeIP `
        -Asn $remoteASN `
        -PeerWeight $routingWeightPrime `
        -BgpPeeringAddress $remoteBgpPeerPrimeIP `
        -AddressPrefix $localNetwork1

    $localGatewayPrime = Get-AzureRmLocalNetworkGateway -Name $localNetworkGatewayPrime -ResourceGroupName $resourceGroup

    # Route-based connection with the custom IPsec policy and BGP enabled.
    New-AzureRmVirtualNetworkGatewayConnection `
        -Name $connectionNamePrime `
        -ResourceGroupName $resourceGroup `
        -VirtualNetworkGateway1 $vnetGateway `
        -LocalNetworkGateway2 $localGatewayPrime `
        -RoutingWeight $routingWeightPrime `
        -Location $location `
        -ConnectionType IPsec `
        -IpsecPolicies $ipsecpolicy `
        -SharedKey $sharedKey `
        -EnableBgp $true `
        -UsePolicyBasedTrafficSelectors $false
}

The Cisco configuration is as follows:

!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha384
 group 24
 prf sha384 sha256 sha
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal AES256-AZ
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Not in the posted excerpt: the VTI below references profile AZR-PROF, so an assumed
! definition tying it to the proposal above (PFS group 24 to match PfsGroup PFS24) is shown.
crypto ipsec profile AZR-PROF
 set ikev2 ipsec-proposal AES256-AZ
 set pfs group24
!
group-policy AzureS2S internal
group-policy AzureS2S attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev2
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy AzureS2S
tunnel-group x.x.x.x ipsec-attributes
 isakmp keepalive threshold 60 retry 5
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
interface Tunnel11
 nameif VPN-AZURE
 ip address 169.254.11.1 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZR-PROF
!
route VPN-AZURE 10.5.255.254 255.255.255.255 x.x.x.x
!
router bgp 65050
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 10.5.255.254 remote-as 65010
  neighbor 10.5.255.254 ebgp-multihop 255
  neighbor 10.5.255.254 activate
  network 192.168.1.0 mask 255.255.255.224
  network 192.168.2.0 mask 255.255.255.224
  network 192.168.3.0 mask 255.255.255.224
  network 192.168.4.0 mask 255.255.255.240
  no auto-summary
  no synchronization
 exit-address-family
!

Thanks,
SJ



Communication between pods in different AKS cluster which are in same resource group


Hello Team,

Could you please provide a reference to understand how the pods in two different AKS clusters (but the same resource group) would communicate with each other?

Regards,

Shilpa

Azure Traffic manager probe status with 302


Hi All,

In our infra, the Traffic Manager probe is returning status code 302, which as per the article is a redirect code.

Can anyone suggest whether this can be considered successful, or is only status 200 successful?
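A Traffic Manager probe is a single GET that does not follow redirects, and an endpoint counts as healthy only when the status falls inside the profile's expected status code ranges, which default to 200 alone. A 302 from the probe path therefore marks the endpoint degraded even if a browser, which follows the redirect, would land on a 200 page. The following is an added example, not code from the post or from Traffic Manager: a local stand-in endpoint (constructed, listening on a loopback port) whose /health path redirects to /healthz, a probe written the way the monitor behaves (one request, no redirect following), and the range check with the default and with a widened range.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Iterable, Tuple


class Endpoint(BaseHTTPRequestHandler):
    """Constructed stand-in for the web tier: /health redirects, /healthz answers 200."""

    def do_GET(self):
        if self.path == "/health":
            self.send_response(302)
            self.send_header("Location", "/healthz")
            self.end_headers()
        elif self.path == "/healthz":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe(host: str, port: int, path: str) -> int:
    """One probe as the monitor performs it: a single GET with no redirect following.

    http.client never follows redirects, so the status returned here is the one the
    probe sees, not the one a browser would end up on.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


def is_healthy(status: int, expected: Iterable[Tuple[int, int]] = ((200, 200),)) -> bool:
    """Profile setting 'expected status code ranges'; the default is the single range 200-200."""
    return any(lo <= status <= hi for lo, hi in expected)


def run_demo() -> dict:
    """Start the stand-in on an ephemeral loopback port, probe both paths, shut down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), Endpoint)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {path: probe("127.0.0.1", port, path) for path in ("/health", "/healthz")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, status in run_demo().items():
        print(f"{path}: {status} -> healthy={is_healthy(status)}")
```

The two fixes are to point the monitor at the path that answers 200 directly, or to add 300-399 to the expected ranges; the first is preferable, because a redirect says nothing about whether the application behind it is up.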

Azure Firewall Preview - When will this be production ready?


Hi All - I understand that the Azure Firewall is in preview. Does anyone know roughly when this will be production ready?

Thanks,

Scott

Policy Based S2S + VNET to VNET

I have a vnet with a policy-based gateway. I would like to connect this vnet to another vnet in another region. It doesn't look like this can be achieved with a "VNET to VNET" connection or peering with gateway transit. Is there an alternate mechanism that would allow me to connect the networks?

ExpressRoute to multiple on-premise location


Hello experts,

I have a customer who needs to connect its primary data centre to Azure using ExpressRoute. In addition to this connectivity requirement, the customer also needs to connect another data centre, hosted by a 3rd-party hosting company, to the same ExpressRoute circuit to Azure.

Is this a technically feasible scenario, and what are the gotchas, if any?
