P2S VPN user connectivity issue in Azure virtual WAN

@Raviraj Velankar

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Is it possible you can share a architecture diagram of your environment.

Per your verbatim, you have 2 VNets in each region, is that correct?

• Are you using 2 separate Hubs in your vWAN?
• One vHub and One VNet acting as Hub and the firewall is deployed in this VNet (i.e, not integrated)?

Multi Hub configurations are not recommended.

To enable connectivity to the secondary region, can you please make sure if "Branch-to-Branch" is enabled on the vWAN?

If not, can you please enable it and check if you are able to access the secondary region's Hub VNet?

Though you have added the routes to "Spoke VNet" in custom routing,

• I dont think these routes will be pushed into the P2S address range (as vWAN would not be aware of these routes)
• Basically, you are trying to achieve,
  P2S remote user ----> vHub ----> Spoke1 ----> Spoke2

Please let me know if secondary region's Hub VNet is accessible after enabling Branch-to-Branch.

Cheers,

Kapil.

@KapilAnanth-MSFT

Thanks for the response. I am trying to test use case given in following Azure documentation. (Routing through NVA)

https://video2.skills-academy.com/en-us/azure/virtual-wan/scenario-route-through-nva

Tried to replicate same setup. One vwan, two vwan hubs (one per region), each region has hub & spoke Virtual Network. Hub Vnet has NVA (only thing here is NVA is Azure FW and not third party NVA)

Yes There is two separate vwan Hubs under single vWAN resource

There are two virtual networks per region but out of that Hub Vnet is only connected to vwan Hub (as part of Vnet connection). Spoke Vnet is peered only with Hub Virtual Network and not directly with vWAN Hub.

Branch-to-Branch connectivity is enabled but still p2s remote user is not able to access resources in

• Local Hub Spoke Vnet
• Remote Hub - Hub Vnet
• Remote Hub - spoke Vnet

vWAN resource is Standard resource. Following is given on configuration page of vWAN resource

"Standard Virtual WAN supports any-to-any connectivity (Site-to-Site VPN, VNET, ExpressRoute, Point-to-site end points) in a single hub as well as across hubs"

Trying to test following scenarios

P2S User - Region1 Hub- VM in Region1 Hub Vnet (its working)

P2S User - Region1 Hub- VM in Region1 Spoke Vnet (not working)

P2S User - Region2 Hub- VM in Region2 Hub Vnet (not working)

P2S User - Region2 Hub- VM in Region2 Spoke Vnet (not working)

@KapilAnanth-MSFT

Trying to test following use case given in Azure document - "Routing through NVA"

https://video2.skills-academy.com/en-us/azure/virtual-wan/scenario-route-through-nva

Following is the Architecture

Single vWAN resource. SKU- Standard, Branch to Branch, Hub to Hub connectivity is enabled

two vwan Hub - one per region

Each region has one Hub Virtual Network and one Spoke Virtual Network

Only Hub Virtual Network is peered with respective vWAN Hub ( Vnet connection) and Spoke Virtual Network is peered only with Hub Virtual Network ( not with vWAN Hub)

NVA is Azure FW created in a "AzureFirewallSubnet" in respective region Hub Vnet and not integrated with vwan Hub

P2S VPN GW is created in EastUS2 vWAN Hub. Uses certificate based authentication.

With P2S user connected to P2S GW, trying to test following scenarios

1. P2S VPN User - VM in Region1 Hub Vnet (p2s user->region1 Hub->NVA in region1 Hub Vnet) --> Working
2. P2S VPN User - VM in Region1 Spoke Vnet (p2s user->region1 Hub->NVA in region1 Hub Vnet->region1 Spoke Vnet) --> Not Working
3. P2S VPN User - VM in Region2 Hub Vnet (p2s user->region1 Hub->region2 hub->region2 NVA-region2 Hub Vnet)--> Not Working
4. P2S VPN User - VM in Region2 Spoke Vnet (p2s user->region1 Hub->region2 hub->region2 NVA-region2 Spoke Vnet)--> Not Working

I understand that Branch to Branch using NVAs in between will not work hence not targeting that use case but Branch to Hub & Spoke should work.

In vWAN Hub config page it is given as "Standard Virtual WAN supports any-to-any connectivity (Site-to-Site VPN, VNET, ExpressRoute, Point-to-site end points) in a single hub as well as across hubs"

@Raviraj Velankar

Greetings

I was doing a lab throughout the night.

I did it for a single Region, with vHub, HubVnet and a SpokeVnet with AzFirewall in the HubVnet.

I was able to make it work successfully.

Please find my address spaces,

Region1

vHub : 10.0.0.0/16

HubVnet : 10.1.0.0/16

SpokeVnet : 10.2.0.0/16

P2SClientPool : 10.7.0.0/16

Addresses learned by my remote machine,

I would urge you to check the configuration once again and try to access the SpokeVnet (in the same region).

Some pointers to note

• I used IKEv2 + OpenVPN as Tunnel Type and used Azure VPN Client from MS Store
• I only have the defaultRouteTable and updated the routing to spokeVNet's address range here.
• I downloaded the P2S Configuration from the Hub (and not from vWAN).
• Make sure you allow the requests in the Azure Firewall (NVA) - I created a Any-to-Any Allow Network Rule here

Can you please use the above configurations and let me know if this works?

Cheers,

Kapil

@KapilAnanth-MSFT

Thank you for the response. Does it mean this setup will not work for vwan setup with two virtual hub in different regions

I can not use openSSL+Azure AD type of authentication for P2S VPN client because its a POC environment and I dont have access to Azure AD and other settings.

Following two steps was already done from my end

• Configured only defaultRouteTable and also added static route in Vnet connection to spokeVNet's address range with next hop as NAV IP address in Hub
• Downloaded the P2S Configuration from the Hub (and not from vWAN).
• Make sure you allow the requests in the Azure Firewall (NVA) - created a Any-to-Any Allow Network Rule in FW.