NVA without NAT in azure for INTERNET access

Question

I try to setup custom NVA (simple router with application specific functions) for my azure VNET.

My network:

internet <->subnet 1 with NIC1(NVA) <-> subnet 2 with NIC2 (NVA) and VM

I wish to filter in NVA VM traffic to/from internet.

As far as i understand i can use UDR to route outgoing traffic from VM to internet via NVA (and also i set forwarding flag on NVA NICs).. this step work ...

But after that i have problem . my simple NVA just forward packet from one interface to another (its simple router) - > so packet from NIC2 (with src IP of VM, and dst IP of internet service) forwarded to NIC1 and send to subnet 1 with original src IP (with src IP of VM, and dst IP of internet service)... and i cant see any answer from internet service.

So I have questions:

• can i create working solution for my case (when NVA not using NAT)

• can somebody tell me why my traffic drop somewhere and i can not see anwer in VM (i understand that traffic must not go thru my NVA, but why i can not see answer?)

• has Azure roadmap any plan to support source-based routing policy (as linux have) in UDR ?

Answer 1

When you send the traffic via NVA which is indented to Internet, SNAT is done on NVA so that the return traffic will be received by the NVA and sent back to VM.

This is the general behavior. If you are not using NVA for filtering of traffic and just for monitoring purpose, you can achieve your ask by the new feature called Virtual Network Tap. Using this technique, you can mirror all the traffic which is initiated by the VM to an NVA without using complex UDR and still maintain Source IP as your VM's Public IP address.

Reference: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview