Hi Wojtek,
The steps you would like to perform are very close, but a few adjustments are needed.
Architecturally, you need to adjust the interface where the traffic is received and sent. The setup you are attempting is very common, but it requires a slight modification. All non-Internet-bound traffic should be received and sent through eth1, not eth0. The general rule of thumb is:
- East-West traffic should always use eth1 (in VMSS and HA deployments in Azure)
- Egress and Ingress traffic (to/from the Internet) should always use eth0 (in VMSS and HA deployments in Azure)
The Load Balancer deployed by the ARM template on the frontend (eth0) is an external-facing Load Balancer. The backend (eth1) Load Balancer is a Standard Internal Load Balancer that forwards traffic to the active members.
You should expect the traffic flow to work as follows:
Internal Host SRC → UDR to the Internal LB behind eth1 of the firewall → One of the active members → Hide NAT behind eth1 (as desired) → Internal Host DST
In VMSS deployments, the required Dynamic Objects for this setup should already exist. These are configured during gateway provisioning using CME. The following objects are pushed automatically:
LocalGatewayExternal → Translates to eth0
LocalGatewayInternal → Translates to eth1
You can confirm this by running the following command on the gateways:
dynamic_objects -l
To summarize the required changes for your setup:
- Ensure the UDR points traffic to the Internal Load Balancer behind eth1
- Configure the Hide NAT rule to use a Dynamic object called LocalGatewayInternal (Name must match 100%)
- Keep eth0 dedicated only for Internet ingress/egress traffic
- Verify the Dynamic Objects on the gateways using dynamic_objects -l
- Confirm that LocalGatewayInternal is matching between the Smart Center and Gateway by running the command dynamic_objects -c on the gateway
This should provide the behavior you are expecting.
Best regards,
Dan Morris | Cloud Security Architect – Cloud Security R&D
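The checklist in the reply above boils down to three verifiable conditions: the two dynamic objects resolve to the right interface addresses, the Hide NAT rule references the object by its exact name, and the UDR's next hop is the internal load balancer in the eth1 subnet rather than anything on the Internet-facing eth0 side. The script below is an added example (not code from the reply, from Check Point, or from Azure) that turns those conditions into checks. The "object name : ... / range N : first last" layout used for the `dynamic_objects -l` sample is an assumption made for this example; the interface addresses, object ranges and UDR entry are constructed test data.

```python
import ipaddress
import re

# Constructed sample of `dynamic_objects -l` output. The "object name" /
# "range N" layout is an assumption for this example, not output quoted
# from the reply; adjust the two regexes below if the real output differs.
SAMPLE_LISTING = """\
object name : LocalGatewayExternal
range 0 : 10.10.0.4 10.10.0.4

object name : LocalGatewayInternal
range 0 : 10.10.1.4 10.10.1.4
"""

# Constructed gateway interface addresses (what `ip -4 addr` would show).
SAMPLE_INTERFACES = {"eth0": "10.10.0.4/24", "eth1": "10.10.1.4/24"}

# Which object must resolve to which interface, per the reply above.
EXPECTED_BINDING = {"LocalGatewayExternal": "eth0", "LocalGatewayInternal": "eth1"}


def parse_dynamic_objects(listing):
    """Return {object_name: [(first_ip, last_ip), ...]} from the listing text."""
    objects = {}
    current = None
    for line in listing.splitlines():
        name_match = re.match(r"^object name\s*:\s*(\S+)", line)
        if name_match:
            current = name_match.group(1)
            objects[current] = []
            continue
        range_match = re.match(r"^range\s+\d+\s*:\s*(\S+)\s+(\S+)", line)
        if range_match and current is not None:
            objects[current].append(
                (ipaddress.ip_address(range_match.group(1)),
                 ipaddress.ip_address(range_match.group(2)))
            )
    return objects


def check_bindings(objects, interfaces):
    """List each expected object that is missing or does not cover its interface's IP."""
    findings = []
    for name, iface in EXPECTED_BINDING.items():
        if name not in objects:
            findings.append(f"dynamic object {name} missing on gateway")
            continue
        addr = ipaddress.ip_interface(interfaces[iface]).ip
        if not any(lo <= addr <= hi for lo, hi in objects[name]):
            findings.append(f"{name} does not resolve to {iface} address {addr}")
    return findings


def check_nat_object_name(rule_object_name, objects):
    """The NAT rule must reference the object by its exact name; report near misses."""
    if rule_object_name in objects:
        return None
    near = [n for n in objects if n.lower() == rule_object_name.lower()]
    if near:
        return f"NAT rule uses {rule_object_name!r}; gateway has {near[0]!r} (case differs)"
    return f"NAT rule uses {rule_object_name!r}; no such dynamic object on gateway"


def check_udr_next_hop(route, interfaces):
    """East-West UDR should point at a virtual appliance IP inside the eth1 subnet."""
    if route.get("next_hop_type") != "VirtualAppliance":
        return f"UDR next hop type is {route.get('next_hop_type')!r}, expected 'VirtualAppliance'"
    hop = ipaddress.ip_address(route["next_hop_ip"])
    eth0_net = ipaddress.ip_interface(interfaces["eth0"]).network
    eth1_net = ipaddress.ip_interface(interfaces["eth1"]).network
    if hop in eth0_net:
        return f"UDR next hop {hop} is in the eth0 (Internet-facing) subnet; use the internal LB behind eth1"
    if hop not in eth1_net:
        return f"UDR next hop {hop} is outside the eth1 subnet {eth1_net}"
    return None


def run_all(listing, interfaces, nat_object_name, route):
    """Collect all findings; an empty list means the setup matches the checklist."""
    objects = parse_dynamic_objects(listing)
    findings = check_bindings(objects, interfaces)
    for finding in (check_nat_object_name(nat_object_name, objects),
                    check_udr_next_hop(route, interfaces)):
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed UDR entry: next hop is the internal LB frontend in the eth1 subnet.
    route = {"next_hop_type": "VirtualAppliance", "next_hop_ip": "10.10.1.10"}
    for line in run_all(SAMPLE_LISTING, SAMPLE_INTERFACES, "LocalGatewayInternal", route) or ["OK"]:
        print(line)
```

Feed `parse_dynamic_objects` the real listing captured from the gateway and `SAMPLE_INTERFACES` the real eth0/eth1 addresses; any finding printed corresponds to one of the bullet points in the reply, so the script doubles as a checklist for the deployment.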