VPN -> VNet -peer- VNet -> VM connectivity

Category: azure virtualnetwork

Question

rhockstra on Fri, 05 May 2017 19:34:04


I've got comm between two VM's in two VNets in the same region, but can't VPN into the second VM. Do I need to allow forwarded traffic, or remote gateway access? I'm puzzled. Seems like it should work, but it isn't. 

PC-VPN--VNet-peer-VNet--VM. I can't ping the VM in the second VNet. There's a VM in the first VNet and I can ping from a VPN connected device, but not the second. The two VM's can ping eachother just fine. I hope this makes sense.

We have a VNet with a P2S VPN gateway and another VNet with a VM running SSRS, both in the same resource group and region. We want to be able to connect to the SSRS server through the VPN.

I don't think it's an issue on your end, just a configuration issue on my end. Thank you!

Ryan H




Replies

Loydon Mendonca on Sat, 06 May 2017 14:27:20


Lets assume your VNets are named as VNet1 (connected to your PC) and VNet2 (peered with VNet1). You will have to do the following to have this setup work for you as expected.

1- On Vnet1 you need to check the option "Allow Gateway Transit". This will ensure that VNet1 will direct traffic from your PC to VNet2. Without this option being checked, traffic will not be forwarded by VNet1.

2- On VNet2 check the option which says "Use Remote Gateways". This will tell VNet2 and its resources to use the VPN gateway of the peered VNet which in this case is the gateway of VNet1. 

Note:

1- Ensure that VNet2 does not have a VPN gateway configured. If it does then it cannot use Remote Gateways. 

2- You need to first perform step 1 before configuring VNet2 to use Remote Gateway. If the order is not followed then the transit will not be configured properly. 

A similar scenario for your understanding of how gateway transit works is described in this article. Follow the above steps and post back here if you have any additional queries.

rhockstra on Wed, 24 May 2017 14:55:03


Turns out the new routes don't update until the VPN client software (or profile) is removed and downloaded again. This is what was causing so much confusion on my side. All other VPN clients I've used will update any new routes when the VPN client connects each time.