Issue with Azure VPN and Entra Domain Services - No internet

I am in the process of configuring Microsoft Entra Domain Services.
Domain Services sits within its own VNET with a subnet of 10.0.0.0/24 and hosts the DNS records.
A separate VNET exists for our VMs in a subnet of 10.50.200.0/28; it uses the DNS records of the Domain VNET to allow domain join.

I am using the Azure VPN Client to connect to the server VM; when connected, I can access the servers, and from the servers I can access the internet.

From my client PC, whilst connected to the VPN, I lose internet access; it appears to be a DNS issue.

On a server VM, I have installed the DNS tools and configured conditional forwarders on the Azure Domain DNS servers, but this did not help (forwarders pointed to Google DNS and Azure's own public DNS servers).

I’ve checked VPN Additional routes and have nothing configured here. The only routes advertised are those that exist in the VNET it connects to.

Any idea what I'm missing here?

I recently came to realize that I had this problem as well. I had deployed an Azure P2S VPN about 2 months ago, then I later added an Entra Domain Services domain to my tenant. Last week, I noticed that when my VPN was connected, my local laptop lost all Internet connectivity.

Through testing, I realized that if I removed the DNS Server entries from the VNet which hosts my VPN, all local Internet connectivity was restored. This strongly suggested that the issue was with the Entra DS and the associated DNS components.

On a hunch, I decided to redownload the VPN Config from the portal and compare it to the config I had loaded in Intune for deployment to our Laptops. It was then that the issue was obvious - the DNS Servers from the Entra DS deployment ARE part of the VPN Config, which makes sense. Since my VPNConfig was deployed prior to the deployment of Entra DS, the config was missing these entries.

These entries look like this:

  <clientconfig>
    <dnsservers>
      <DnsServerEntry>
        <dnsserver>10.1.2.4</dnsserver>
      </DnsServerEntry>
      <DnsServerEntry>
        <dnsserver>10.1.2.5</dnsserver>
      </DnsServerEntry>
    </dnsservers>
    <excluderoutes i:nil="true" />
    <includeroutes i:nil="true" />
  </clientconfig>

After adjusting the VPNConfig in Intune so that it contained the DNS nodes, the issue persisted. After a bit of cursing and complaining, I searched for some documentation about the schema of this XML file, and that is when I stumbled onto the final fix for this issue.

It turns out the schema for this document does NOT match the actual document you get when downloading your VPN Config from the Azure Portal. The correct schema for this block of config is actually as follows:

  <clientconfig>
    <dnssuffixes>
        <dnssuffix>.mydomain.com</dnssuffix>
    </dnssuffixes>
    <dnsservers>
        <dnsserver>10.1.2.4</dnsserver>
        <dnsserver>10.1.2.5</dnsserver>
    </dnsservers>
  </clientconfig>

Note the omission of the "DnsServerEntry" wrapper nodes.

Once I loaded THIS structure into Intune and pushed down to my device, the issue went away completely. Now, when I am connected to our VPN, I do not lose Internet connection and everything seems to be back to working as expected.

Hope this helps other people who hit this issue.
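The drift the post above describes (an Intune-deployed profile that predates the Entra DS deployment, plus the wrapped `DnsServerEntry` shape versus the flat `dnsserver` shape) is easy to check mechanically before pushing a profile. The script below is an added example written for this thread, not part of the original post or of any Microsoft tooling. It assumes only the `<clientconfig>` shapes quoted above; the sample profiles are constructed, trimmed fragments (a real azurevpnconfig.xml carries more elements and a default namespace, which the helpers tolerate by matching on local tag names). `normalize` rewrites the wrapped form into the flat form, drops the `i:nil` placeholders, and adds `dnssuffixes` ahead of `dnsservers`; `dns_drift` reports servers present in a freshly downloaded profile but missing from the deployed one.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample in the shape the post describes for a portal download
# (DnsServerEntry wrappers, i:nil placeholders). Trimmed; not a real profile.
PORTAL_STYLE = """<AzVpnProfile xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <clientconfig>
    <dnsservers>
      <DnsServerEntry><dnsserver>10.1.2.4</dnsserver></DnsServerEntry>
      <DnsServerEntry><dnsserver>10.1.2.5</dnsserver></DnsServerEntry>
    </dnsservers>
    <excluderoutes i:nil="true" />
    <includeroutes i:nil="true" />
  </clientconfig>
</AzVpnProfile>
"""

# Constructed stale profile: deployed before Entra DS existed, so no DNS servers.
STALE_INTUNE_PROFILE = """<AzVpnProfile xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <clientconfig>
    <excluderoutes i:nil="true" />
  </clientconfig>
</AzVpnProfile>
"""


def local(tag):
    """Strip an XML namespace ({uri}name -> name) so matching works with or without one."""
    return tag.rsplit("}", 1)[-1]


def _clientconfig(root):
    for child in root:
        if local(child.tag) == "clientconfig":
            return child
    raise ValueError("profile has no <clientconfig> element")


def _texts(xml_text, name):
    """Every non-empty <name> text under <clientconfig>, wrapped in DnsServerEntry or not."""
    cc = _clientconfig(ET.fromstring(xml_text))
    return [e.text.strip() for e in cc.iter() if local(e.tag) == name and e.text and e.text.strip()]


def dns_servers(xml_text):
    return _texts(xml_text, "dnsserver")


def dns_suffixes(xml_text):
    return _texts(xml_text, "dnssuffix")


def clientconfig_layout(xml_text):
    """Local names of the direct children of <clientconfig>, in document order."""
    return [local(c.tag) for c in _clientconfig(ET.fromstring(xml_text))]


def normalize(xml_text, suffixes=()):
    """Rewrite <clientconfig> into the flat dnssuffixes/dnsservers shape and return the XML."""
    root = ET.fromstring(xml_text)
    cc = _clientconfig(root)
    servers = dns_servers(xml_text)
    ns = cc.tag[: cc.tag.rfind("}") + 1] if "}" in cc.tag else ""
    for child in list(cc):
        # Drop the old dnsservers/dnssuffixes blocks and any i:nil placeholder elements.
        if local(child.tag) in ("dnsservers", "dnssuffixes") or child.get(f"{{{XSI}}}nil") == "true":
            cc.remove(child)
    if suffixes:
        suf = ET.SubElement(cc, ns + "dnssuffixes")
        for s in suffixes:
            ET.SubElement(suf, ns + "dnssuffix").text = s
    ds = ET.SubElement(cc, ns + "dnsservers")
    for s in servers:
        ET.SubElement(ds, ns + "dnsserver").text = s
    ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def dns_drift(deployed_xml, downloaded_xml):
    """DNS servers present in the freshly downloaded profile but absent from the deployed one."""
    return sorted(set(dns_servers(downloaded_xml)) - set(dns_servers(deployed_xml)))


if __name__ == "__main__":
    print("drift:", dns_drift(STALE_INTUNE_PROFILE, PORTAL_STYLE))
    print(normalize(PORTAL_STYLE, suffixes=[".mydomain.com"]))
```

Run it against the profile you actually have loaded in Intune and the one you just downloaded from the portal: a non-empty `dns_drift` result means the deployed profile predates the DNS change, and `"DnsServerEntry" in` the deployed text means it still carries the wrapped shape. Re-download and re-run the check whenever DNS servers on the gateway's VNet change, since the profile does not update itself.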

We are also running Cisco Umbrella. I've found some ambiguous articles on this that would suggest Umbrella is not supported with the Azure VPN Client; I suspect this may be causing the loss of internet connectivity I'm seeing. (Will confirm from a non-domain PC later.)

Disabled the Umbrella service and app; it still didn't work.

I ended up setting the server VNET to use Azure DNS, connected to the VPN again, and it worked.
I then set each VM to have its own static DNS, pointed at the servers in the Domain VNET, and this worked.

Still not sure what I did wrong; I would have thought the server VNET being set to use the DOMAIN DNS would have worked, but apparently not.

Looks like traffic is blocked from your PC/laptop. Do you need to access the internet via Azure from your client machine? If not, configure split tunnelling, so that your client machine accesses the internet directly.

The issue is the default disablement of packet transit from spoke VNets, and it's not recommended to do otherwise.

Old version of Windows 10 perhaps? May need to check if split tunnelling is enabled.

Are you running P2S or S2S VPN?

Possibly the Entra subnet doesn't have routing to your VM subnet, so it can't answer DNS queries.

You'll need a firewall to sort out what traffic needs to be routed and where.

Amazing, mate. Thanks for the detailed explanation.

Split tunnelling is enabled by default on P2S VPN. I tried forced tunnelling also, but still no internet on the client.

Nah, Windows 11 on client machine.

Seems to be DNS.

Server VNET with Entra Domain as its DNS: fails.
Server VNET with Azure DNS: successful.

I ended up leaving the server VNET on Azure DNS and then set static DNS on the server to point at Entra Domain.

VMs can ping the DNS servers, access the domain and the internet, etc.; it's just the client using the VPN that cannot.

Even when it’s not DNS, it’s always DNS.