
I've set up a minimal environment in Azure with one instance (Linux) in a private subnet and a virtual network gateway to connect to via IPsec. I followed the instructions in the Azure docs and my setup should have the same settings as the one in the example.

I did all of this in Terraform and I'm using strongSwan as the VPN client to connect to the gateway. I can establish a VPN connection via strongSwan with no problems. I've created my test instance in the FrontEnd subnet. To access my machine via SSH I've added another NSG rule to allow access on port 22. Up until this point everything works fine.

My problem is that I'm not able to access the Internet from this machine.

What I've checked so far:

  • DNS resolution works fine
  • Linux has its default route set to the Azure gateway address (192.168.1.1)
  • The NIC is attached to NSG which only has the default rules for outbound traffic (allowing all outbound traffic)
  • There are no custom routing rules
  • According to the Azure docs, SNAT/PAT should be applied automatically in my scenario.

Am I missing something?

Edit: I forgot to mention that the NIC of the instance only has a private IP.

raidlman
  • Ensure you haven't configured a custom User Defined Route on the Vnet. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview – Ken W - Zero Networks Mar 06 '19 at 17:53

1 Answer

It's likely that you could not verify internet connectivity correctly from that Azure VM. I have the same scenario as in this question. You could try to verify this via `ping bing.com` on the Azure machine. It seems that some websites cannot be pinged; however, you can access these websites directly via a web browser or with curl to download content from the Internet.

I have set up a P2S VPN connection from a local Windows desktop to one Azure VNet, which has a GatewaySubnet and a VMsubnet, with one Windows VM and one Ubuntu VM in the VMsubnet. Neither VM has an instance-level public IP.

Generally, an Azure VM has a system default gateway locally in the same subnet. This gateway routes all outbound traffic from the primary network interface. If a VPN gateway is set up, Azure will automatically generate a route to the P2S on-premises subnet. By default, there is also a default route 0.0.0.0/0 to the Internet in the effective routes.

I could access google.com and bing.com in the web browser but could not ping google.com directly; I could ping bing.com on the Windows VM.

In the same situation, I also cannot ping google.com directly, but I can ping bing.com on the Linux VM or curl www.google.com.

Hope this helps, let me know if you have any question.

Nancy
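The answer's two checks (look at the NIC's effective routes for the 0.0.0.0/0 -> Internet system route, and test with something other than ICMP) and the comment's advice to look for a UDR can both be scripted. The following is an added example, not code from the question or the answer. It parses a constructed sample in the shape of `az network nic show-effective-route-table` output (the prefixes, next-hop addresses and the P2S pool 172.16.201.0/24 are made up here), resolves which route carries a destination by longest-prefix match while ignoring routes Azure has marked Invalid, and does a TCP "port ping" in place of ICMP echo.

```python
"""Two checks for the 'no internet from an Azure VM' scenario:
1. read the NIC's effective route table and find which route carries a given
   destination (the 0.0.0.0/0 -> Internet system route, a P2S gateway route,
   or a UDR that overrides the default);
2. test reachability with a TCP connect ("port ping") instead of ICMP.
"""
import ipaddress
import json
import socket

# Constructed sample in the shape of `az network nic show-effective-route-table`
# output (field names as in that command; prefixes and addresses are made up).
SAMPLE_ROUTES_JSON = json.dumps({"value": [
    {"source": "Default", "state": "Active", "addressPrefix": ["192.168.0.0/16"],
     "nextHopType": "VnetLocal", "nextHopIpAddress": []},
    {"source": "Default", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "Internet", "nextHopIpAddress": []},
    {"source": "VirtualNetworkGateway", "state": "Active",
     "addressPrefix": ["172.16.201.0/24"],
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.0.255.4"]},
]})

# Same table after a UDR sends 0.0.0.0/0 to an appliance (constructed). Azure
# then marks the system default route Invalid, so it must be skipped.
SAMPLE_ROUTES_UDR_JSON = json.dumps({"value": [
    {"source": "Default", "state": "Active", "addressPrefix": ["192.168.0.0/16"],
     "nextHopType": "VnetLocal", "nextHopIpAddress": []},
    {"source": "Default", "state": "Invalid", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "Internet", "nextHopIpAddress": []},
    {"source": "User", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": ["192.168.2.4"]},
]})


def load_routes(text):
    """Parse the CLI JSON into (network, nextHopType, nextHopIp, source) tuples,
    keeping only Active routes and expanding multi-prefix entries."""
    routes = []
    for r in json.loads(text)["value"]:
        if r.get("state") != "Active":
            continue
        hop_ip = (r.get("nextHopIpAddress") or [None])[0]
        for prefix in r["addressPrefix"]:
            routes.append((ipaddress.ip_network(prefix), r["nextHopType"],
                           hop_ip, r.get("source")))
    return routes


def route_for(routes, dest):
    """Longest-prefix match: return (prefix, nextHopType) for dest, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, hop_type, _hop_ip, _src in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type)
    return (str(best[0]), best[1]) if best else None


def explain(routes, dest):
    """Human-readable verdict for a destination."""
    match = route_for(routes, dest)
    if match is None:
        return f"{dest}: no route (would be dropped)"
    prefix, hop = match
    if hop == "Internet":
        return f"{dest}: {prefix} -> Internet (Azure default SNAT; check NSG/firewall, not routing)"
    if hop == "None":
        return f"{dest}: {prefix} -> None (blackholed by a UDR)"
    return f"{dest}: {prefix} -> {hop} (leaves via that hop, not the Azure Internet path)"


def tcp_reachable(host, port, timeout=3.0):
    """'Port ping': True if a TCP handshake to host:port completes.
    Usable where ICMP echo is filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name lookup failed
        return False


def start_local_listener():
    """Bind an ephemeral loopback port so tcp_reachable can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    for label, text in (("default table", SAMPLE_ROUTES_JSON),
                        ("with UDR", SAMPLE_ROUTES_UDR_JSON)):
        print(f"== {label}")
        table = load_routes(text)
        for ip in ("8.8.8.8", "172.16.201.10", "192.168.1.5"):
            print(explain(table, ip))
    # On the VM you would feed in the real CLI output and run, for example,
    # tcp_reachable("bing.com", 443) next to `ping bing.com`.
    srv, port = start_local_listener()
    print("loopback port ping:", tcp_reachable("127.0.0.1", port))
    srv.close()
```

If `route_for` reports `Internet` for a public address and `tcp_reachable("bing.com", 443)` succeeds while `ping` fails, the VM has Internet egress and only ICMP is being dropped; if the match is a `VirtualAppliance`, `VirtualNetworkGateway` or `None` hop for 0.0.0.0/0, a UDR (or a route pushed by the gateway) is pulling the traffic away from the Azure SNAT path.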
  • Thanks for pointing this out. curl/wget are working as expected. I knew that google does not respond to pings so I usually use some other site or the google DNS service. Strangely, it seems like I cannot ping any public IP in my setup. Any idea why this is? My effective outbound rules say that all outgoing traffic to Internet is allowed. Does this not include ICMP packets? – raidlman Mar 08 '19 at 10:51
  • Because Azure blocks ICMP by default at the Azure Load Balancer level to avoid targeted ping/ICMP flood attacks, which are a type of DDoS attack. Refer to [this1](https://www.quora.com/Why-does-Azure-block-ICMP), [this2](https://blogs.msdn.microsoft.com/mast/2014/06/22/use-port-pings-instead-of-icmp-to-test-azure-vm-connectivity/) and [this3](https://feedback.azure.com/forums/216843-virtual-machines/suggestions/6423260-enable-icmp-traffic-to-azure-vms-over-the-internet) – Nancy Mar 11 '19 at 01:58