ISO Azure Cloud Architect For Help with VPN Gateway Issues

I have been banging my head against my desk all day. My original post is https://www.reddit.com/r/AZURE/comments/1cnaojo/azure_point_to_site_vpn_gateway_unable_to/

In short, I have a Point to Site VPN Gateway in VNET1. I need connections to be able to talk to a VM on VNET2. I have created Peering, NSG rules, and “Connections” to VNET2 from the VNET1/P2S VPN Gateway. I cannot for the life of me figure out why I still cannot ping. The tracert does not even leave my router when I tracert to the private IP of the VM.

The VPN Gateway is in a different region than the VNET the VM is on - though it is my understanding that they can still communicate using Peering despite being in different regions.

Just asking for like 30 minutes of someone’s time to help take a look via chat.

TIA

ICMP isn’t usually available in Azure networks.

Use PowerShell Test-NetConnection.

Ping isn’t always available by default. If you don’t have an NSG on the VM that explicitly allows ICMP traffic, it will be blocked.

Try connecting to the VM using RDP instead.

Do you have a routing table applied to the subnets in vnet2?

If you look at effective routes on the VM do you see the route for the VPNed traffic?

For routes to propagate you have to have option 3 checked on the VNG side and option 4 on the opposite side in the peering.

Is it a Windows vm? If so did you check to see if the firewall is off?

Try running a test in Network Watcher. Tracert doesn’t work for this scenario.

If everything is configured correctly and still not working, try removing and reinstalling the P2S VPN profile.

Have you tested connecting to something in VNET1? Just to verify that is OK prior to moving on to a resource in the peered VNET.

I’ve also not tried it but technically the VNGs do have IP addresses assigned to them. So you MAY be able to trick it with a UDR but I suspect that will not work due to how Azure does their shenanigans.

Sounds like DNS isn’t configured, or maybe a missing route table

A quick checklist to troubleshoot your Point-to-Site VPN setup:

  1. Check Peering Settings: Ensure that peering configurations allow traffic to and from both VNETs. You need to enable gateway transit on the VPN gateway VNET and allow forwarded traffic from the VPN gateway to the peered VNET.
  2. Network Security Group (NSG) Rules: Double-check your NSG rules. Make sure you have rules in place that allow the desired traffic on all necessary ports and protocols.
  3. Routing Issues: Verify if the route tables are properly configured to route traffic between the VNETs via the VPN gateway. Check the effective routes on your VM to ensure they include routes for the VPN traffic.
  4. Firewall Settings: Since you’ve turned off the firewall on your VM, consider potential blocks at other points in your network.

If you’re still stuck after these checks, Azure Network Watcher can be a powerful tool to diagnose further. Here’s a guide on setting up and using Azure Network Watcher for troubleshooting: Using Azure Network Watcher.
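An added example (not from this thread or from Azure's own tooling) that turns checklist items 1 and 3 into an offline check: it reads peering flags in the shape of `az network vnet peering show` JSON and a NIC's effective routes in the shape of `az network nic show-effective-route-table`, and reports what would stop P2S clients reaching the VM. The sample data, VNet names and the P2S address pool are constructed to mirror the thread's situation (VNET2 cannot set useRemoteGateways because it already has its own gateway).

```python
import ipaddress

# Constructed sample in the shape of `az network vnet peering show -o json`
# (only the fields this check reads). Gateway-VNet side: VNET1 -> VNET2.
HUB_PEERING = {"name": "vnet1-to-vnet2", "peeringState": "Connected",
               "allowVirtualNetworkAccess": True, "allowForwardedTraffic": True,
               "allowGatewayTransit": True, "useRemoteGateways": False}
# VM-VNet side: VNET2 -> VNET1. useRemoteGateways is off, as in the thread
# (VNET2 keeps its own S2S gateway, so Azure refuses to enable the flag).
SPOKE_PEERING = {"name": "vnet2-to-vnet1", "peeringState": "Connected",
                 "allowVirtualNetworkAccess": True, "allowForwardedTraffic": True,
                 "allowGatewayTransit": False, "useRemoteGateways": False}
# Constructed sample in the shape of `az network nic show-effective-route-table`
# for the VM in VNET2: no gateway-learned route to the P2S client pool exists.
EFFECTIVE_ROUTES = [
    {"source": "Default", "state": "Active", "addressPrefix": ["10.2.0.0/16"],
     "nextHopType": "VnetLocal"},
    {"source": "Default", "state": "Active", "addressPrefix": ["10.1.0.0/16"],
     "nextHopType": "VNetPeering"},
    {"source": "Default", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "Internet"},
]
P2S_CLIENT_POOL = "172.16.201.0/24"  # constructed P2S address pool


def peering_problems(hub, spoke):
    """Flags on both peering links that must be set for P2S clients entering
    through the gateway VNet (hub) to reach the VM's VNet (spoke)."""
    problems = []
    for link in (hub, spoke):
        if link["peeringState"] != "Connected":
            problems.append(f"{link['name']}: state is {link['peeringState']}")
        if not link["allowVirtualNetworkAccess"]:
            problems.append(f"{link['name']}: allowVirtualNetworkAccess is off")
    if not hub["allowGatewayTransit"]:
        problems.append(f"{hub['name']}: allowGatewayTransit is off (option 3)")
    if not spoke["useRemoteGateways"]:
        problems.append(f"{spoke['name']}: useRemoteGateways is off (option 4)")
    if not spoke["allowForwardedTraffic"]:
        problems.append(f"{spoke['name']}: allowForwardedTraffic is off")
    return problems


def gateway_route_for(routes, client_pool):
    """Return the active gateway-learned route covering the P2S pool, or None.
    Without it the VM has no return path, so pings and RDP from clients fail."""
    pool = ipaddress.ip_network(client_pool)
    for r in routes:
        if r["state"] != "Active" or r["nextHopType"] != "VirtualNetworkGateway":
            continue
        if any(pool.subnet_of(ipaddress.ip_network(p)) for p in r["addressPrefix"]):
            return r
    return None
```

Paste the real JSON from the two `az` commands into the two samples to check your own setup; an empty problem list plus a non-None route is what a working transit looks like.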

Option 3 being “allow gateway or route server in “VNET1” to forward traffic to “VNET2””, correct? That is checked for the VNET1 peer to VNET2. Along with the first 2.

In VNET2’s peering you’re saying I should allow option 4, which is to “enable VNET2 to use “VNET1’s” remote gateway or route server”, correct? When I check that I get an error because there is already a gateway configured in VNET2, which is a separate site to site tunnel for on-prem use.

Is there a way to still make this work?

It is a Windows Server VM. Firewall is off for domain, private, and public.

I can ping the public IP of the VPN Gateway. I don’t have any other resources in this VNET, but I suppose yes, I could spin something up and test.

Ah yes… Azure being azure…

Do you have Azure Firewalls or any other NVA in VNET 1?

You could change the VNET peering to be between the VNG in each VNET. That may provide you the path you’re looking for.

Configure the S2S on the gateway in VNET 1 and remove the gateway in VNET 2. Run the S2S and P2S on the same gateway in VNET 1. Also review hub and spoke networking in Azure: Hub-spoke network topology in Azure - Azure Architecture Center.

Well turn that shit back on…

No azure firewalls in place. Can confirm that I can RDP into a VM on the same vnet as VNET1 (cannot ping however despite creating a specific NSG rule for ICMP). Oh well.

Can you explain on your last paragraph? The peering is between the VNET the VNG subnet is on and the VNET where the server is hosted.

I cannot remove the S2S in VNET1; it’s our production VNET that goes back to our physical office sites.

Since you have a VNG in both VNET 1 and VNET 2 you can move the vnet peering from your normal VNET peering to have the VNET peering be over the VNGs.

Keep in mind pricing and performance are different.

Add the P2S config to the existing gateway running the S2S?