
I've set up a virtual network in Azure with a site-to-site VPN tunnel. So far so good, but the tunneled devices cannot access my services via the public IP; they can only access them via the local IP. Something seems to prevent VPN devices from accessing the public IP of a VM connected to the same virtual network.

So say api.mydomain.com is mapped via DNS to the public IP of a VM. That works fine for all internet devices, but not for the ones that go through the site-to-site VPN tunnel. They can access it fine via the local IP (192.168.x.x) though.

Is there any way I can open access/route the traffic coming in via the site-to-site VPN to the public IP address? The devices in question are GPRS devices and use the DNS of the cell operator, so there is not much I can do there (like adding an entry to point to the local address).

[Network topology drawing attached to the question]

Pål Andreassen
  • Can they access it via public IP without DNS as a test? I ask because I can RDP into a VM via the public IP even though I have a site-to-site VPN established and normally access over the internal IP via DNS. I just tried it again and it works just fine. Maybe your issue is only a DNS one and not related to Azure or the tunnel? – TheCleaner Oct 10 '16 at 13:46
  • Are you able to confirm that traffic to the public IP is actually being routed over the VPN? I would expect it to go over the public internet and so be subject to the Network Security Group rules in Azure. – Sam Cogan Oct 10 '16 at 15:44
  • Could you please draw a network topology of your environment? I'm not very clear about your network. Is a tunneled device a GPRS device? Normally, the device used for establishing a S2S VPN is a hardware router or firewall, and all devices that need to go through the VPN tunnel should connect to the private network behind this router or firewall. A GPRS device is connected to the internet through the gateway of the mobile carrier, which means it can only connect to the VPN through a point-to-site VPN. I hope you can post the network topology here; it is very useful for troubleshooting. – Steven Lee - MSFT Oct 11 '16 at 02:48
  • I've added a topology drawing. Your comments have led me to believe that perhaps the issue is not with Azure, but with the SIM providers routing. I don't have access to a SIM card myself (I'll have to ask for one) so I can't test, but my guess is that routing to "internet" is not allowed. So either we need an entry in their DNS to "revert" the traffic to the internal IP or we need a route to the public IP. – Pål Andreassen Oct 11 '16 at 06:15
  • I confirm myself you can connect to a VM on Azure using its public IP even if you have a S2S tunnel in place. Agree the problem is likely with the SIM provider. Could you perhaps implement split DNS? So, return an internal 192.168.x.x IP when the DNS server is queried by the GPRS device? – ItalyPaleAle Oct 14 '16 at 03:40
  • I asked about that, but apparently no. All SIM's get the same DNS servers. – Pål Andreassen Oct 20 '16 at 05:44
  • Update: after several hours of testing with the SIM provider they basically claim this is a routing problem in Azure. If that is the case then there is not much I can do, since there is very little you can tweak on a S2S tunnel either via the web portal or PowerShell. Those of you who can reach the public IP of a VM: are you sure the traffic goes through the S2S tunnel and back to the public IP of a VM in the same virtual network as the S2S tunnel is connected to? – Pål Andreassen Oct 20 '16 at 05:45
  • Can you post an ipconfig /all from both an Azure machine and a local machine? – Drifter104 Oct 20 '16 at 06:27
  • I think you need a dual DNS solution. – Oct 20 '16 at 10:47

2 Answers


You can set up entries for your private IP addresses in /etc/hosts file, which will override DNS.

Tero Kilkanen


After raising a ticket with Microsoft Azure support, they came back stating that the site-to-site VPN in Azure is for connecting two private networks. You cannot route traffic from one side, through the tunnel, and out onto the internet at the other side. The Azure routing will not allow that.

So to get true end-to-end tunneling I have to implement a split DNS.

Pål Andreassen
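The two answers above boil down to the same mechanism: the S2S tunnel only carries traffic whose destination is inside the VNet address space, so a client that resolves api.mydomain.com to the VM's public IP sends that traffic out its default (internet) route, while a client that resolves the same name to the 192.168.x.x address sends it through the tunnel. The following is an added example, not code from the question or either answer, that models that decision for a hosts-file override (first answer) and a split-DNS zone (second answer). The VNet prefix 192.168.0.0/16, the private address 192.168.1.4, the public address 203.0.113.10 (a documentation range, not a real Azure IP) and the hosts-file contents are all constructed assumptions.

```python
"""Constructed example: why a client that resolves api.mydomain.com to the VM's
public IP never uses the site-to-site tunnel, and what a /etc/hosts override or
a split-DNS zone changes. Every address, name and prefix here is an assumption
chosen for illustration, not a value taken from the original question."""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Address space of the Azure virtual network, i.e. the only destinations the
# S2S tunnel carries. Assumed value; the question only says 192.168.x.x.
VNET_PREFIXES = ["192.168.0.0/16"]

# What the mobile carrier's resolver returns (constructed): the VM's public IP.
CARRIER_DNS: Dict[str, str] = {"api.mydomain.com": "203.0.113.10"}

# What a split-DNS zone served to tunnel clients should return (constructed):
# the VM's private IP inside the VNet.
SPLIT_DNS: Dict[str, str] = {"api.mydomain.com": "192.168.1.4"}

# A constructed /etc/hosts with the override the first answer suggests.
HOSTS_WITH_OVERRIDE = """\
127.0.0.1   localhost
# pin the API name to the VM's private address so it goes through the tunnel
192.168.1.4 api.mydomain.com api
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file syntax: 'IP name [alias ...]', '#' starts a comment.
    Like the glibc resolver, the first entry seen for a name wins."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed entry
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def resolve(name: str, hosts: Dict[str, str], dns: Dict[str, str]) -> Optional[str]:
    """Mimic the usual 'files, dns' lookup order: hosts file first, then DNS."""
    key = name.lower().rstrip(".")
    return hosts.get(key) or dns.get(key)


def path_for(ip: str, vnet_prefixes: Iterable[str]) -> str:
    """'tunnel' if the destination lies in the VNet address space the S2S
    connection advertises, otherwise 'internet' (the client's default route)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(p) for p in vnet_prefixes):
        return "tunnel"
    return "internet"


def check(name: str, hosts_text: str, dns: Dict[str, str],
          vnet_prefixes: Iterable[str] = VNET_PREFIXES) -> Tuple[Optional[str], str]:
    """Return (resolved IP, path) for a client using the given hosts file and resolver."""
    ip = resolve(name, parse_hosts(hosts_text), dns)
    if ip is None:
        return None, "unresolved"
    return ip, path_for(ip, vnet_prefixes)


if __name__ == "__main__":
    for label, hosts, dns in [
        ("carrier DNS, no override", "", CARRIER_DNS),
        ("carrier DNS, /etc/hosts override", HOSTS_WITH_OVERRIDE, CARRIER_DNS),
        ("split DNS zone", "", SPLIT_DNS),
    ]:
        print(f"{label:35s} -> {check('api.mydomain.com', hosts, dns)}")
```

The hosts-file variant only helps on clients whose resolver configuration you control, which the question says the GPRS devices are not; for those, the private address has to come from the DNS servers the devices actually query, which is the split-DNS route the accepted conclusion points to.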