Question

m002u2 on Wed, 22 Nov 2017 07:14:15


Sorry if this has been asked and answered before, I had a search but couldn't find the same situation.  This is all new infrastructure so it's all ARM, RouteBased, etc.

I am trying to connect to a 3rd party URL from an on-prem device, through Azure.  So:

on-prem -> (point-to-site) -> Azure VPN Gateway -> (site-to-site) -> 3rd party

Point to site address space: 172.16.0.0/24
Azure vnet address space: 10.3.0.0/16
3rd party address space: 10.100.0.0/16

I have put a VM in the Azure network as a middleman for testing, and I can connect from on-prem to the VM, and from the VM to the 3rd party site, however for some reason I can't get all the way through.  The weirdest part is that the 3rd party IP resolves correctly from the hostname, I just can't connect to the URL (it's HTTPS/443 if that matters).  If I run a tracert from on-prem I can see that 'tracert VM' first hop goes straight to the VPN gateway, however 'tracert 3rdparty' goes to my router->isp->fail.

Hopefully there's a way to make this work as it's vital to the project I'm working on.  I'm happy to try custom routes, or whatever it takes. Appreciate any suggestions.

Thanks!


Sponsored



Replies

Micah McKittrick on Wed, 22 Nov 2017 23:03:49


I believe you can achieve this by implementing User Defined Routes. 

This way you can ensure all traffic coming from 172.16.0.0/24 goes to 10.3.0.0/16 and from there is forced to 10.100.0.0/16

Here are some docs you might find useful: 

Create a User Defined Route 

Virtual Network Traffic Routing 

-Micah

Nirushi J on Thu, 23 Nov 2017 08:37:32


In addition to Micah, you can leverage transit routing on the Azure VPN Gateway if it is a route based gateway, but you will need to manually put the address prefixes of the 3rd party site (10.100/16) on your client device and add the routes of the P2S address space (172.16/24) in the 3rd party site.  This is where BGP is helpful in the S2S scenarios vs P2S as it will ensure all routes are propagated to all other BGP peers.

--------------------------------------------------------------------------------------------------

Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members

m002u2 on Sun, 26 Nov 2017 22:49:35


Thanks for the replies.  After playing around a bit and some help from Microsoft support, apparently what I had to do was enable BGP on both gateways (Azure and 3rd party), and add a custom route on my on-prem machine.  

To add the custom route, after downloading the VPN client from the Azure portal from the VPN Gateway blade and unzipping and installing, edit the routes.txt file %AppData%\Microsoft\Network\Connections\Cm\\*yourGuid*\routes.txt. Add a route to the 3rd party network address space (in my case 10.100.0.0/16) that goes through the Azure router (10.3.200.5).

In our case we also wanted Azure web apps to be able to do the same thing through integrating with the VNet, in which case we also had to uncheck the 'IKEv2 VPN' checkbox in the Azure gateway point-to-site blade.

Micah McKittrick on Mon, 27 Nov 2017 21:05:20


Thanks for coming back and filling us all in!

Happy you were able to get it resolved:)