Reputation: 1
Azure VNET to VNET to site to site VPN connectivity
Scenario.
We have a site 2 site VPN from ON PREM to Azure VNET (with a vnet gateway) in a specific rg. lets call the VNET with the VPN connection for: vnet-vpn
Then we have a VNET in another Resourcegroup in Azure (Same subscription as vnet-vpn) lets call it vnet-a
I need services in vnet-a to be able to call on prem systems by proxying thru the vnet-vpn and that way gaining access to the on-prem network.
I can:
- create a connection between the 2 vnets in Azure (vnet-vpn, vnet-a) by using peering.Tested by letting services from each vnet communicate directly.
- call on prem services from applications placed in the vnet-vpn.
I CANNOT:
- access on-prem systems from vnet-a.
I cannot find any documentation that explicitly describes this scenario and and to set it up. Can someone please help :-)
Upvotes: 0
Views: 784
Answers (3)
Reputation: 641
Possible is too late, however if anyone came across this post with the same issue, this is a solution:
Scenario:
OnPrem<----S2S----->Az Vnet-A
You want direct access from OnPrem Site to another Azure VNET, let's call it Vnet-B using the existing setup between OnPrem an Vnet-A.
Solution:
- Create a vnet peering between the 2 VNETs, make sure that the gateway transit is enabled on Vnet-A side (the VNET that has the Gateway VPN configuration) --> you can use the article shared in the comments above
- the peering will ensure connectivity between Vnet-A and Vnet-B, however just doing this step will not allow connectivity from OnPrem to Vnet-B
- to have direct access from OnPrem to Vnet-B you also have to create UDR on both VNETs
- create a RouteTable-A and connect it to a Vnet-A subnet, create a route, this route will say: when the traffic leaves this subnet it will be redirect to Address Prefix [a subnet in Vnet-B], and the NextHop is None (dropped by default)
- create a RouteTable-B, connect it to a subnet in Vnet-B, create a route, this route will say: when the traffic leaves this subnet it will be redirect to the Address Prefix of the Vnet-A Gateway Subnet and the NextHop is Virtual Network Gateway
And that's all by creating a peering with Gateway Transit enabled on the Vnet that is connected the the Azure Gateway VPN, and creating the Routes with the settings I mentioned earlier you will have direct access from OnPrem to Vnet-B also.
Regards
Upvotes: 0
Reputation: 1089
More info on current config could be used to answer this, but here are a couple of ideas:
- Make sure Gateway Transit is enabled inside the peering configuration between
vnet-vpnandvnet-a - Make sure that
vnet-aIP range is included in your Azure VPN and also OnPrem VPN configuration- Alternatively, NAT your
vnet-aaddresses into some range which is acceptable for your OnPrem VPN. Please be aware thatNAT rulesfeature is only Preview on Azure Virtual Network Gateway. You either have to take the risk of using a preview feature (fine for non-production workloads), or implement your own NAT appliance.
- Alternatively, NAT your
Upvotes: 0
Reputation: 541
You can refer to this tutorial here which resembles the scenario you are trying out. You need to enable gateway transit on your peered VNET in order to establish connectivity with your on-prem systems.
Upvotes: 0
Related Questions
- azure site-to-site-vpn does not let traffic through
- Is it possible to connect two Azure VNets using site-to-site (VPN) connection?
- Azure Site to Site vpn
- Azure Vnet-to-Site Your VPN connectivity is impacted because the S2S VPN tunnels are disconnected
- Azure Point-to-Site VPN - cannot connect to virtual machines in peered VNets
- Routing traffic from the point to site to vnet to vnet vpn gateway
- Connectivity between two site to site VPN connections connected to Azure VPN gateway
- Azure gateway with a virtual network
- Azure Point-to-site VPN routing
- Connecting an Azure virtual network to an external VPN gateway