endpoint IP flows via the normal path or via Azure private path hidden from the user ?

Question

endpoint IP flows via the normal path or via Azure private path hidden from the user ?

Gongya Yu (admin) 0

We have an endpoint behind the security appliance in the Hub vnet. pinging the endpoint shows the security appliance IP, but tcp traffic does not show in the security appliance log.

Like to what I might have missed.

thanks !!

Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2025-06-01T08:02:33.44+00:00

Hey, Gongya. Is this endpoint a resource with a Private endpoint? If so make sure you have enabled Network policy on the subnet. Traffic may be getting routed through the Azure backplane, bypassing your security appliance, enabling Network policy will force the traffic through your user defined route, to the firewall.
Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator

2025-06-03T00:35:32.35+00:00

Hello Gongya Yu (admin)

Following up to see if the provided information was helpful. And, if you have any further query do let us know.
Alex Burlachenko 8,765 Reputation points

2025-06-03T09:18:59.36+00:00
Gongya hi there! thanks for dropping this question. and a lot of nice experts here tring to help u Luke Murray hi ))))
I'll and my coin to that issue, so azure has this thing called 'service endpoints' and 'private endpoints' that can bypass the security appliance without telling u )) it's like a secret tunnel microsoft built for some services. if ur endpoint is using one of these, tcp traffic might be taking the private express lane while ping still goes through the normal checkpoint.

check if ur endpoint has any service endpoints enabled. look at the subnet settings in the vnet. microsoft docs explain it service endpoints overview another culprit could be private endpoints. these create private IPs for azure services that completely bypass the security appliance. private endpoints

disable any service endpoints on that subnet temporarily (just for testing). check if the private endpoint is configured for that resource. run a tcp traceroute (tcptraceroute on linux or psping on windows) to see the actual path.

and enable nsg flow logs on both the source and destination subnets. they'll show u exactly where packets are going missing. microsoft has a great guide for nsg flow logs

hope this helps! let us know what u find out

Best regards,

Alex

and "yes" if you would follow me at Q&A - personaly thx. P.S. If my answer help to you, please Accept my answer PPS That is my Answer and not a Comment

https://ctrlaltdel.blog/
Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator

2025-06-04T10:02:28.03+00:00

Hello Gongya Yu (admin)

Following up to see if the provided information was helpful. And, if you have any further query do let us know.

1 answer

Your answer

Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2025-06-01T08:02:33.44+00:00

Hey, Gongya. Is this endpoint a resource with a Private endpoint? If so make sure you have enabled Network policy on the subnet. Traffic may be getting routed through the Azure backplane, bypassing your security appliance, enabling Network policy will force the traffic through your user defined route, to the firewall.
Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator

2025-06-03T00:35:32.35+00:00

Hello Gongya Yu (admin)

Following up to see if the provided information was helpful. And, if you have any further query do let us know.
Alex Burlachenko 8,765 Reputation points

2025-06-03T09:18:59.36+00:00

Gongya hi there! thanks for dropping this question. and a lot of nice experts here tring to help u Luke Murray hi ))))
I'll and my coin to that issue, so azure has this thing called 'service endpoints' and 'private endpoints' that can bypass the security appliance without telling u )) it's like a secret tunnel microsoft built for some services. if ur endpoint is using one of these, tcp traffic might be taking the private express lane while ping still goes through the normal checkpoint.

check if ur endpoint has any service endpoints enabled. look at the subnet settings in the vnet. microsoft docs explain it service endpoints overview another culprit could be private endpoints. these create private IPs for azure services that completely bypass the security appliance. private endpoints

disable any service endpoints on that subnet temporarily (just for testing). check if the private endpoint is configured for that resource. run a tcp traceroute (tcptraceroute on linux or psping on windows) to see the actual path.

and enable nsg flow logs on both the source and destination subnets. they'll show u exactly where packets are going missing. microsoft has a great guide for nsg flow logs

hope this helps! let us know what u find out

Best regards,

Alex

and "yes" if you would follow me at Q&A - personaly thx. P.S. If my answer help to you, please Accept my answer PPS That is my Answer and not a Comment

https://ctrlaltdel.blog/
Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator

2025-06-04T10:02:28.03+00:00

Hello Gongya Yu (admin)

Following up to see if the provided information was helpful. And, if you have any further query do let us know.

Answer 1

Hello Gongya Yu (admin)
I understand that you're running into some routing issues with your endpoint behind the security appliance in the Hub VNet.

It seems that while the ping requests are going through the security appliance, TCP traffic is bypassing it, which could be due to the traffic being routed through Azure's network rather than your defined path.

Here are a couple of steps to help troubleshoot this:

If your endpoint is a Private Endpoint, make sure that network policies on the subnet are enabled. This setting forces the traffic through your user-defined routes (UDR), guiding it to the firewall.
Inspect the routing tables associated with your VNet and ensure that traffic destined for the endpoint is routed correctly through your security appliance.
Check any Network Security Groups (NSGs) that may be applied to your VNet. Sometimes NSGs can inadvertently allow, or block traffic based on predefined rules.
Utilize Azure Network Watcher to analyze the effective routes to your endpoint and diagnose any issues with network flow.

Please don’t forget to close the thread by clicking "Accept the answer" and "Yes" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

endpoint IP flows via the normal path or via Azure private path hidden from the user ?

1 answer

Your answer