
I am testing a scenario where we need to forward all traffic to a VM, then this VM should forward the traffic to the intended machine. (cannot say "why").

  1. Created Vnet "VN", Subnet "SN", 3 NICs, and 3 VMs (using: Standard_DS1_v2 size and the latest Win 2022 image).
  2. All are in one Azure region under the same account and subscription.
  3. Created routing table "RT" and added two routes.
  4. Made VM2's IP static.
  5. Enabled IP Forwarding on VM2.
  6. Disabled Windows Firewall on all VMs.

IPs are:

VM  | IP
----|---------
VM1 | 10.3.1.4
VM2 | 10.3.1.5
VM3 | 10.3.1.6

RT Routes:

Name    | Address Prefix | Next Hop Type     | Next Hop Address
--------|----------------|-------------------|-----------------
VM1-VM3 | 10.3.1.6/32    | Virtual Appliance | 10.3.1.5
VM3-VM1 | 10.3.1.4/32    | Virtual Appliance | 10.3.1.5

Before attaching the RT routing table to the SN subnet, networking is ok and I can ping from anywhere to anywhere.

After attaching the RT to SN, pinging from any VM to any other VM gives the message "Request timed out".

What I tried:

  1. different subnets: not working either.
  2. adding an NSG and allowing ICMP.
  3. adding an NSG and allowing all traffic (any to any).
  4. recreating the whole thing.
  5. a different account and subscription.
  6. asked AI if it was possible. It replied "Yes".
  7. tried many YouTube videos with the same result. The only difference is that they use real (paid) Azure accounts.
  8. I even tried installing Routing and Remote Access Service (RRAS), configured it for LAN routing, and added static routes with the host's gateway as the gateway.

I am out of options, and have no clue.

What is wrong?

  • Do the VMs themselves know these routes? Commented Feb 21 at 4:56
  • What is the netmask? It appears all machines are in either same subnet, at least partially. Commented Feb 21 at 4:59
  • @grawity They are on the same subnet and work normally, pinging each other, until I attach the route table to the subnet. The ping then stops. I assumed this is because the NVA VM cannot forward the traffic as it is supposed to do. I have not seen anyone on YouTube configure routes on the VMs themselves, and I assumed Azure should manage it by default. Even with each VM in a different VNet and with peering between them configured, pinging is working; it stops when attaching routing tables to them. Commented Feb 22 at 12:59
  • @vidarlo Same subnet, but if we want to re-route the traffic using UDRs it doesn't work. Commented Feb 22 at 13:03
  • Why do you want routing inside the same subnet? That doesn't really make sense as a concept. Everything in the same subnet is supposed to be reachable directly. Commented Feb 22 at 14:43

1 Answer


After a couple of weeks of thorough troubleshooting, I was finally able to get it to work.

IP Forwarding Within the Same Subnet:

It appears that IP forwarding has no effect within the same subnet. While I couldn't find official confirmation of this behavior, my findings suggest it does not work this way, which makes sense to me. However, this observation should be verified independently.

That said, the connection should have been functioning as expected. However, due to an incorrect CIDR entry in the routing table and User Defined Routes (UDRs), it was unable to establish connectivity. Once the issue was corrected, the setup worked as expected, since, to my knowledge, intra-subnet traffic does not consult — and is entirely unaware of — any routing tables or UDRs.

Testing on Subnets and VNets

When testing the setup across different subnets and virtual networks (VNets), the routing table was correctly configured. However, I initially deployed the setup using a script that included the following command:

    az network vnet peering create --name "EastToCentral" --resource-group $resourceGroupEast --vnet-name $vnetEast \
        --remote-vnet $vnetCentral --allow-vnet-access

By default, peering VNets disables IP forwarding. To enable it, the following additional switch was required:

--allow-forwarded-traffic 

Once this switch was added, IP forwarding functioned correctly.
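As an added example (not part of the question or the answer above), a small Python pre-check a practitioner can run over a planned UDR and peering configuration before attaching it. It flags the three failure modes discussed on this page: a route prefix that covers none of the intended VMs (a bad CIDR entry), a route whose destination lies inside the source subnet (where, per the answer, the route table is not consulted), and a peering created without --allow-forwarded-traffic. The VM addresses and routes come from the question; the 10.3.1.0/24 subnet, the typo route, and the peering dictionary shape are assumptions for this example.

```python
import ipaddress

# Topology from the question's tables; the /24 is an assumption (the question
# only gives the three host addresses).
SUBNET = ipaddress.ip_network("10.3.1.0/24")
VMS = {"VM1": "10.3.1.4", "VM2": "10.3.1.5", "VM3": "10.3.1.6"}
NVA = "10.3.1.5"  # VM2, the VM with IP forwarding enabled

# The two routes from the question, plus one constructed route with a bad CIDR
# (a /32 on the network address matches no host) to show what a typo looks like.
QUESTION_ROUTES = [
    ("VM1-VM3", "10.3.1.6/32", "Virtual Appliance", "10.3.1.5"),
    ("VM3-VM1", "10.3.1.4/32", "Virtual Appliance", "10.3.1.5"),
]
BAD_ROUTE = ("VM1-VM3-typo", "10.3.1.0/32", "Virtual Appliance", "10.3.1.5")

def check_routes(routes, vms, nva, src_subnet):
    """Return (route_name, message) findings for a list of UDRs given as
    (name, prefix, next_hop_type, next_hop_ip). Empty list = nothing flagged."""
    findings = []
    nva_ip = ipaddress.ip_address(nva)
    for name, prefix, hop_type, hop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        covered = [v for v, ip in vms.items() if ipaddress.ip_address(ip) in net]
        if not covered:
            findings.append((name, f"prefix {prefix} covers none of the VMs"))
        if hop_type == "Virtual Appliance" and ipaddress.ip_address(hop) != nva_ip:
            findings.append((name, f"next hop {hop} is not the forwarding VM {nva}"))
        # Per the answer, traffic between hosts of one subnet never consults the
        # route table, so a UDR for an intra-subnet destination cannot take effect.
        if net.subnet_of(src_subnet):
            findings.append((name, f"destination {prefix} is inside {src_subnet}; UDR not consulted"))
    return findings

def check_peering(peering):
    """peering is an assumed dict mirroring the az CLI switches in the answer:
    {'name': str, 'allow_vnet_access': bool, 'allow_forwarded_traffic': bool}."""
    findings = []
    if not peering.get("allow_vnet_access"):
        findings.append((peering["name"], "add --allow-vnet-access"))
    if not peering.get("allow_forwarded_traffic"):
        findings.append((peering["name"], "NVA-forwarded traffic will be dropped; add --allow-forwarded-traffic"))
    return findings

if __name__ == "__main__":
    for f in check_routes(QUESTION_ROUTES + [BAD_ROUTE], VMS, NVA, SUBNET):
        print("route", *f)
    for f in check_peering({"name": "EastToCentral", "allow_vnet_access": True}):
        print("peering", *f)
```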
