Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,435 questions
Site-2-Site VPN with whitelisted IPs
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 21%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESO%3C/text%3E%3C/svg%3E)
Seun Ore
40
Reputation points
Dear azure team,
I setup S2S VPN from azure to an on-prem infrastructure. The status on azure portal says connected. The tunnels are up on both sides but I am unable to pass traffic through it. Pinging the private IP of the onprem systems is failing. nslookup is failing too.
I have a hub-spoke infrastructure with firewall setup on hub-vnet virtual network and other virtual networks are peered with hub-vnet. I setup diagnostic settings to allow me checkout traffic flow within the tunnels. How are there spsecific ways to know what is blocking traffics from azure to on-premisses infrastructure. For context, this traffic is not even hitting the on-premise side at all.
By the way, the connection is allow us send traffic from our AKS through the tunnel to the On-premise infrastructure. The AKS itself is deployed in multiple subnets with virtual network
{count} votes
-
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee2024-07-03T04:24:17.9533333+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
From your verbatim,
- You have a Hub VNET with VPN Gateway connected to OnPrem
- There is a Firewall deployed in the Hub VNET
- Traffic from neither the Hub VNET nor the Spokes VNET is able to connect to the OnPrem servers.
- However, there is a AKS service that was able to pass traffic to OnPrem.
As next steps,
- Can you confirm if the AKS is deployed in the HubVNET or one of the Spoke VNETs?
- I see you have a Firewall in HubVNET
- Did you configure UDRs in the subnets with OnPrem ----> FirewallPrivateIP
- If so, can you check the Firewall logs to see if the traffic to OnPrem actually hits the Firewall or Not?
- Create a new VM in the HubVNET in a new subnet (without any RouteTable)
- Let's call it testVM
- From this testVM, please try to access your OnPrem resources and let us know if that succeeds.
Cheers,
Kapil
-
Seun Ore 40 Reputation points
2024-07-03T08:55:57.42+00:00 Thank you for response!
Can you confirm if the AKS is deployed in the HubVNET or one of the Spoke VNETs? Spoke VNETs
Did you configure UDRs in the subnets with OnPrem ----> FirewallPrivateIP.This was done on onprem side. I have little visibility into the onprem side. But the tunnels were not up until we aligned on the UDR on both sides. However, on my side UDR that I setup on spoke vnet points to VPNGateway not the FirewallPrivateIP. (wrong?)Also VM setup in the hubvnet is unable to reach onprem server via pinging/nslookup
-
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee
2024-07-04T14:28:56.5+00:00 For a Spoke Virtual Network,
- There is no need to use a Route Table in case you want to route traffic "directly" to the OnPrem Azure VPN Gateway
- All you have to do is enable Gateway transit.
- See : Configure VPN gateway transit for virtual network peering
- Can you confirm if gateway transit is enabled in the SpokeVNET?
- Without any RouteTables, if the VMinHub is unable to ping/reach the OnPrem servers indicate there could be firewall in OnPrem blocking this traffic.
- Can you confirm there was no route table in the subnet of the VMinHub
- If yes, from the VMinHub,
- Check NIC Effective Routes and let me know what is the nextHop for the OnPrem range?
- Check IP flow verify
- Virtual Machine : VMinHub
- NIC : <DEFAULT>
- Protocol : TCP
- Direction : OutBound
- Local IP : <DEFAULT>
- Local Port : 1234
- Remote IP : <ONPremServerIP>
- Remote Port : <ONPremServerPort>
- And share the results.
- You can get the same results using NSG diagnostics as well
P.S : If you want traffic to go via Azure Firewall before reaching the VPN Gateway and then OnPrem, the nextHop should be Firewall IP
Sign in to comment