Dear community,
How can I prohibit routing between two subnets in a VNet, or rather route all traffic via a virtual machine (FW appliance)?
In my setup I have a VNet with the network 10.10.0.0/16. This VNet has two subnets: subnetA with 10.10.1.0/24 and subnetB with 10.10.2.0/24. Furthermore I have a virtual machine (VM) with two NICs, which are attached to the two subnets using the last IP of each net (.254), since the first three IPs (.1-.3) are always reserved for the virtual routers.
What I try to achieve is that all traffic between subnetA and subnetB is routed via the VM but not via the virtual Azure router. For this I've created two Route tables with one "default" route each:
routeA, prefix 0.0.0.0/0, next hop type "virtual appliance", next hop address "10.10.1.254"
routeB, prefix 0.0.0.0/0, next hop type "virtual appliance", next hop address "10.10.2.254"
Those Route tables are assigned to subnetA and subnetB respectively.
It looks like those routes are only considered for external traffic, which means traffic outside of 10.10.0.0/16. As an example, when I try to ping IP 8.8.8.8, the ICMP traffic is routed via my virtual machine. However, traffic from a VM in subnetA to a VM in subnetB does not pass my "firewall" VM!
I also tried to add an additional, more specific, route to each Route table for 10.10.0.0/16 via the IP of my VM in each subnet but then I cannot reach the other VMs attached to those subnets anymore.
Does anybody have an idea why not all traffic is routed via my "firewall" VM? Your help is much appreciated.
Thanks a lot and best regards,
Roger
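As an added illustration (not code from the post above, and not Azure's own implementation): a small Python model of how Azure selects a route for a packet leaving a NIC, traced over the topology described in the post. The model encodes two documented rules, longest prefix match and "a user-defined route replaces a system route with the same prefix", plus one modelled assumption that is marked in the code: the route table assigned to a subnet also applies to the appliance's own NIC in that subnet. The subnet names, the three hypothetical route-table variants (`DEFAULT_ONLY`, `VNET_VIA_NVA`, `PEER_SUBNET_VIA_NVA`) and the workload addresses .10/.20 are constructed for the example; the prefixes and the .254 appliance addresses are the ones from the post.

```python
import ipaddress

# Constructed topology matching the post: one VNet, two subnets, one appliance (NVA)
# with a NIC in each subnet. Simplified model for illustration, not Azure code.
SUBNETS = {"subnetA": ipaddress.ip_network("10.10.1.0/24"),
           "subnetB": ipaddress.ip_network("10.10.2.0/24")}
NVA_NICS = {"subnetA": "10.10.1.254", "subnetB": "10.10.2.254"}

# System routes every subnet gets: the VNet prefix -> VnetLocal, default -> Internet.
SYSTEM_ROUTES = [("10.10.0.0/16", "VnetLocal", None), ("0.0.0.0/0", "Internet", None)]

# Variant 1: only the two default routes from the post.
DEFAULT_ONLY = {
    "subnetA": [("0.0.0.0/0", "VirtualAppliance", "10.10.1.254")],
    "subnetB": [("0.0.0.0/0", "VirtualAppliance", "10.10.2.254")],
}
# Variant 2: the post's second attempt, an extra 10.10.0.0/16 route to the NVA.
VNET_VIA_NVA = {
    "subnetA": DEFAULT_ONLY["subnetA"] + [("10.10.0.0/16", "VirtualAppliance", "10.10.1.254")],
    "subnetB": DEFAULT_ONLY["subnetB"] + [("10.10.0.0/16", "VirtualAppliance", "10.10.2.254")],
}
# Variant 3 (hypothetical): each table only sends the *other* subnet to the NVA.
PEER_SUBNET_VIA_NVA = {
    "subnetA": DEFAULT_ONLY["subnetA"] + [("10.10.2.0/24", "VirtualAppliance", "10.10.1.254")],
    "subnetB": DEFAULT_ONLY["subnetB"] + [("10.10.1.0/24", "VirtualAppliance", "10.10.2.254")],
}


def pick_route(dst, udrs):
    """Longest prefix match; a user route beats a system route of equal length."""
    dst = ipaddress.ip_address(dst)
    best = None
    # System routes are scanned first, so an equal-length UDR overrides them (>=).
    for prefix, hop_type, hop_ip in SYSTEM_ROUTES + list(udrs):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen >= best[0].prefixlen):
            best = (net, hop_type, hop_ip)
    return str(best[0]), best[1], best[2]


def subnet_of(ip):
    ip = ipaddress.ip_address(ip)
    return next((name for name, net in SUBNETS.items() if ip in net), None)


def trace(src, dst, tables, max_hops=6):
    """Follow a packet NIC by NIC until it is delivered, leaves to the Internet,
    or loops because the NVA's own subnet table points back at the forwarding NIC."""
    path, cur = [src], src
    for _ in range(max_hops):
        # Assumption: the subnet's table applies to every NIC in it, the NVA's included.
        _, hop_type, hop_ip = pick_route(dst, tables.get(subnet_of(cur), []))
        if hop_type == "VnetLocal":
            return path + [dst]
        if hop_type == "Internet":
            return path + ["Internet"]
        if hop_ip == cur:                      # UDR sends the NVA's own packet back to itself
            return path + ["LOOP"]
        if hop_ip not in NVA_NICS.values():    # some other appliance; not modelled here
            return path + [hop_ip, "unmodelled next hop"]
        path.append(hop_ip)
        dst_subnet = subnet_of(dst)
        if dst_subnet is None:                 # NVA egress to the Internet is out of scope
            return path + ["Internet"]
        cur = NVA_NICS[dst_subnet]             # NVA forwards out of its NIC in the target subnet
        if cur != hop_ip:
            path.append(cur)
    return path + ["LOOP"]


if __name__ == "__main__":
    for name, tables in (("default only", DEFAULT_ONLY), ("/16 via NVA", VNET_VIA_NVA),
                         ("peer /24 via NVA", PEER_SUBNET_VIA_NVA)):
        print(name)
        for src, dst in (("10.10.1.10", "10.10.2.10"), ("10.10.1.10", "10.10.1.20"),
                         ("10.10.1.10", "8.8.8.8")):
            print("  ", " -> ".join(trace(src, dst, tables)))
```

With `DEFAULT_ONLY` the trace shows why the post's symptom appears: for 10.10.2.10 the system route 10.10.0.0/16 (VnetLocal) is longer than 0.0.0.0/0, so the UDR never applies and the packet bypasses the appliance, while 8.8.8.8 goes to .254. With `VNET_VIA_NVA` the /16 UDR also applies to the appliance's own NIC, so its forwarded packet is routed straight back to it (`LOOP`), which is consistent with the VMs becoming unreachable. With `PEER_SUBNET_VIA_NVA` only cross-subnet flows take the .254 hop and same-subnet traffic stays local. In a real deployment the appliance NICs additionally need IP forwarding enabled (`az network nic update --ip-forwarding true`), otherwise Azure drops packets the VM forwards on behalf of others.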