Can I route traffic from remote offices through BOVPN to Azure?
We set up a BOVPN with Azure a few years ago.
Since then we have been adding branch offices through a LAN extension.
HQ: 172.16.1.0/24
BranchB: 172.16.2.0/24
BranchC: 172.16.3.0/24
Azure: 172.30.200.0/24
From HQ I can reach Azure, BranchB and BranchC.
From BranchB I can reach HQ and BranchC, but not Azure.
From BranchC I can reach HQ and BranchB, but not Azure.
What am I missing to get traffic to and from Azure to the remote office branches?
Included a small drawing of the setup.
Thanks
Comments
A few things come to mind in this scenario.
The IP addresses in your description don't quite match the ones in the diagram - hopefully Azure has the correct subnets in the local network gateway definition?
(I've seen it happen where one set of IP addresses is on the configuration, but a tech kept putting in the wrong IP addresses thinking the setup was something else).
Make sure the VNet definition in Azure doesn't overlap the one for the two offices (as in make sure it's not something like 172.30.0.0/16 as it normally defines a /16 which you then carve out different networks from that - again have seen that happen which required changing the Azure VNet to a /17 to fix it in the case I saw).
By extension, do the WatchGuard appliances at offices B and C have the correct routes to the Azure subnet, and moreover since it is a "LAN extension", are the appropriate policies in place for allowing traffic to/from Azure on all the appliances?
Do you see any messages on the "Central WatchGuard" appliance (may need to add a policy to explicitly log such traffic for testing)?
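The two checks above (are the branch subnets actually carried by the tunnel, and does the Azure VNet address space overlap anything on-premises) can be scripted. This is an added example, not code from the thread or from WatchGuard/Azure; it assumes the tunnel is described by local/remote subnet pairs (traffic selectors), that BranchB's subnet may really be 172.30.2.0/24 as the tracert hop suggests, and that the shrunken VNet is 172.30.128.0/17 (the thread only says "/17").

```python
from ipaddress import ip_network

# Constructed sample values from the thread.
HQ = ip_network("172.16.1.0/24")
BRANCHES = {
    "BranchB": ip_network("172.16.2.0/24"),
    "BranchC": ip_network("172.16.3.0/24"),
}
AZURE_SUBNET = ip_network("172.30.200.0/24")

# Assumed tunnel definition: (local, remote) selector pairs, the way a BOVPN
# tunnel route and the Azure local network gateway describe what the tunnel
# carries. Only HQ is listed here, i.e. the hypothetical misconfiguration.
TUNNEL_SELECTORS = [(HQ, AZURE_SUBNET)]


def covered_by_tunnel(src, dst, selectors=TUNNEL_SELECTORS):
    """True if src -> dst matches a selector and so enters the tunnel instead of
    following the default route out to the Internet (the tracert symptom)."""
    return any(src.subnet_of(local) and dst.subnet_of(remote)
               for local, remote in selectors)


def uncovered_branches(branches=BRANCHES, azure=AZURE_SUBNET,
                       selectors=TUNNEL_SELECTORS):
    """Names of branches whose traffic to Azure no selector carries."""
    return sorted(name for name, net in branches.items()
                  if not covered_by_tunnel(net, azure, selectors))


def overlapping_vnet(vnet, onprem):
    """On-prem subnets that collide with the Azure VNet address space."""
    return sorted(str(net) for net in onprem if vnet.overlaps(net))


if __name__ == "__main__":
    print("branches not carried by tunnel:", uncovered_branches())
    # Assumed: BranchB really sits in 172.30.2.0/24 (tracert hop 172.30.2.1).
    onprem = [HQ, ip_network("172.30.2.0/24")]
    print("overlap with /16 VNet:", overlapping_vnet(ip_network("172.30.0.0/16"), onprem))
    print("overlap with /17 VNet:", overlapping_vnet(ip_network("172.30.128.0/17"), onprem))
```

Adding a selector per branch (each branch subnet paired with the Azure subnet) makes `uncovered_branches()` return an empty list, which is the state to aim for on the central appliance and in the Azure local network gateway.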
Hi Phil,
Indeed the VNet at Azure was /16; I decreased it to /17 and adjusted routes on the office B and C WatchGuards.
The WatchGuards at offices B and C are set up to route traffic for the Azure subnet to 172.16.1.1.
Tracerouting from office B or C, I go through the respective office WatchGuard, then the central WatchGuard, then the Internet, which is why I am guessing I missed something on the central WatchGuard.
From the HQ
tracert -d 172.30.200.6
Tracing route to 172.30.200.6 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 172.16.1.1
2 13 ms 12 ms 12 ms 172.30.200.6
From Office B
tracert -d 172.30.200.6
Tracing route to 172.30.200.6 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 172.30.2.1
2 21 ms 20 ms 22 ms 172.16.1.1
3 20 ms 20 ms 20 ms [redacted external IP of central Watchguard]