How to Route Network Traffic with a Linux Network Virtual Appliance on Azure
Enable the IP Forwarding on the Network Interface of the VM in Azure
Enable the IP Forwarding in the VM
sudo sed -i 's/#net.ipv4.ip_forward=/net.ipv4.ip_forward=/' /etc/sysctl.conf
sudo sed -i 's/net.ipv4.ip_forward=0/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sudo sed -i 's/#net.ipv6.conf.all.forwarding=/net.ipv6.conf.all.forwarding=/' /etc/sysctl.conf
sudo sed -i 's/net.ipv6.conf.all.forwarding=0/net.ipv6.conf.all.forwarding=1/' /etc/sysctl.conf
sudo sysctl -p
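One way to confirm that the sed edits above left forwarding enabled, as an added example that is not part of the original guide: it reads a sysctl.conf-style file and reports the effective value of each forwarding key. The function names and the sample file contents are assumptions constructed for illustration; the second sample uses spaces around "=", which the guide's substitutions do not match.

```shell
#!/bin/sh
# Added example. File contents below are constructed samples, not real hosts.

# Print the effective value of KEY in a sysctl.conf-style FILE: the last
# uncommented assignment wins; whitespace around "=" is ignored.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                # comment line
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) val = v
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# The guide's four sed substitutions, applied to FILE without sudo or -i.
apply_guide_edits() {
    sed -e 's/#net.ipv4.ip_forward=/net.ipv4.ip_forward=/' \
        -e 's/net.ipv4.ip_forward=0/net.ipv4.ip_forward=1/' \
        -e 's/#net.ipv6.conf.all.forwarding=/net.ipv6.conf.all.forwarding=/' \
        -e 's/net.ipv6.conf.all.forwarding=0/net.ipv6.conf.all.forwarding=1/' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Return 0 only if both forwarding keys are effectively 1 in FILE.
check_forwarding() {
    rc=0
    for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
        val=$(effective_value "$1" "$key")
        [ "$val" = 1 ] || { echo "not enabled: $key=$val" >&2; rc=1; }
    done
    return "$rc"
}

# Constructed samples: commented defaults, and a variant with spaces around "=".
tmp=$(mktemp -d)
printf '#net.ipv4.ip_forward=1\n#net.ipv6.conf.all.forwarding=1\n' > "$tmp/stock.conf"
printf 'net.ipv4.ip_forward = 0\nnet.ipv6.conf.all.forwarding = 0\n' > "$tmp/spaced.conf"
for f in "$tmp/stock.conf" "$tmp/spaced.conf"; do
    apply_guide_edits "$f"
    if check_forwarding "$f"; then echo "$f: forwarding enabled"
    else echo "$f: edits did not take effect"; fi
done
```

On the NVA itself, run check_forwarding /etc/sysctl.conf after the edits and compare the result with the running value from sysctl net.ipv4.ip_forward.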
Add route on Route Table for outbound traffic via NVA on Azure
Associate Subnet to Route Table
Assess Network Topology to understand how traffic flow works
Check effective routes from the associated subnet's network interfaces – in this guide, the presentation-tier VM
It appears that a route has been injected into our effective routes. But from the topology diagram above, there isn’t a known connection between the hub virtual network and the production virtual network.
Verify IP Flow with Azure Network Watcher
Access is found to be denied because there is no physical connection between the VNets. I will now go ahead and create a VNet-to-VNet peering so the two networks can begin communicating.
Create a virtual network peering from the hub to the spoke networks
Verify IP Flow to the NVA with Azure Network Watcher
Route Network Traffic with a Route Table and Network Virtual Appliance
In Windows
PS C:\> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name IpEnableRouter -Value 1
PS C:\> New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Protocol ICMPv4

Name                  : {c66932ef-d397-4efc-83cd-75155dad403e}
DisplayName           : Allow ICMPv4-In
Description           :
DisplayGroup          :
Group                 :
Enabled               : True
Profile               : Any
Platform              : {}
Direction             : Inbound
Action                : Allow
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 :
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : NotApplicable
PolicyStoreSource     : PersistentStore
PolicyStoreSourceType : Local

PS C:\>