Tags: azure, azure-virtual-network, azure-vpn

Cannot connect to Internet from instance in private subnet


I've set up a minimal environment in Azure with one instance (Linux) in a private subnet and a virtual network gateway to connect to via IPsec. I followed the instructions in the Azure docs and my setup should have the same settings as the one in the example.

I did all of this in Terraform and I'm using strongSwan as the VPN client to connect to the gateway. I can establish a VPN connection via strongSwan with no problems. I've created my test instance in the FrontEnd subnet. To access my machine via SSH I've added another NSG rule to allow access on port 22. Up until this point everything works fine.

My problem is that I'm not able to access the Internet from this machine.

What I've checked so far:

  • DNS resolution works fine
  • Linux has its default route set to the Azure gateway address (192.168.1.1)
  • The NIC is attached to an NSG which only has the default rules for outbound traffic (allowing all outbound traffic)
  • There are no custom routing rules
  • According to the Azure docs SNAT/PAT should be automatically applied in my scenario.

Am I missing something?

Edit: I forgot to mention that the NIC of the instance only has a private IP.


Solution

  • It's likely that you could not verify the Internet connectivity correctly from that Azure VM. I have the same scenario as this question. You could try to verify this via ping bing.com on the Azure machine. It seems that some websites cannot be pinged; however, you can still access these websites directly via a web browser or curl to download content from the Internet.

    I have set up a P2S VPN connection on a local Windows desktop with one Azure VNet, which has a GatewaySubnet and a VMsubnet. There is one Windows VM and one Ubuntu VM in the VMsubnet. Neither VM has an instance-level public IP.

    Generally, an Azure VM has a system default gateway locally in the same subnet. This gateway helps route all outbound traffic from the primary network interface. If a VPN gateway is set up, Azure will automatically generate a route to the P2S on-premises subnet. By default, there is also a default route 0.0.0.0/0 to the Internet in the effective routes.


    I could access google.com and bing.com in the web browser but could not directly ping google.com; I could ping bing.com on the Windows VM.

    In the same situation, I also cannot directly ping google.com, but can ping bing.com on the Linux VM or curl www.google.com.


    Hope this helps, let me know if you have any questions.
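One way to run the checks this answer describes from the Linux VM and tell "ICMP is filtered" apart from "no outbound connectivity", as an added example that is not part of the original answer; the probe commands (getent, ping, curl), their timeouts and the default hostnames are assumptions:

```shell
#!/bin/sh
# Added example (not from the original post). Probes a hostname three ways:
# name resolution, ICMP echo (ping) and an HTTPS request (curl). The answer's
# point is that ping failing does not prove the VM has no Internet access,
# so the verdict is based on the HTTP probe, not on ping.

# Each probe returns 0 on success and non-zero on failure (assumed tools).
probe_dns()  { getent hosts "$1" >/dev/null 2>&1; }
probe_icmp() { ping -c 1 -W 3 "$1" >/dev/null 2>&1; }
probe_http() { curl -sS -o /dev/null --max-time 5 "https://$1/" >/dev/null 2>&1; }

# diagnose DNS_RC ICMP_RC HTTP_RC -> prints one verdict string.
diagnose() {
  dns=$1; icmp=$2; http=$3
  if [ "$http" = 0 ]; then
    # Outbound TCP works; a failed ping then only means ICMP is dropped
    # somewhere on the path (common for google.com, as the answer observed).
    if [ "$icmp" = 0 ]; then echo "internet-ok"; else echo "internet-ok-icmp-filtered"; fi
  elif [ "$dns" != 0 ]; then
    echo "dns-failure"                 # look at resolver settings first
  else
    echo "no-outbound-connectivity"    # check effective routes and NSG rules
  fi
}

# check_host HOSTNAME -> runs all probes and prints the raw results + verdict.
check_host() {
  host=$1
  if probe_dns  "$host"; then d=0; else d=1; fi
  if probe_icmp "$host"; then i=0; else i=1; fi
  if probe_http "$host"; then h=0; else h=1; fi
  printf '%s dns=%s icmp=%s http=%s verdict=%s\n' "$host" "$d" "$i" "$h" "$(diagnose "$d" "$i" "$h")"
}

# Usage: sh check-egress.sh bing.com google.com
if [ $# -gt 0 ]; then
  for h in "$@"; do check_host "$h"; done
fi
```

If every host ends up as no-outbound-connectivity, compare the NIC's effective route table (for example with az network nic show-effective-route-table) against the 0.0.0.0/0 Internet route the answer mentions.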