3

I set up a VPN gateway in Azure, and configured a P2S connection that connects an on-prem server to the gateway. The Azure P2S configuration asks for an IP pool to assign to the endpoints when they connect, it's set to 172.16.17.0/24.

When the on-prem server successfully connects, it's assigned an IP 172.16.17.2 as expected. It can reach my private subnets on the Azure side normally across the VPN.

However, the on-prem server has its own private IP, 192.168.2.110. From the Azure side, the VMs connected to the VPN gateway can only reach the on-prem server via 172.16.17.2. I need them to be able to reach 192.168.2.110 as well.

I took a look at the effective routing table in Azure. They auto added 172.16.17.0/24 to be routed via the VPN of course. But they have other private IP blocks that are not part of my Vnet address space/subnets set to Drop, including 192.168.0.0/16.

I can't seem to figure out how to add a custom route to my vNic that routes 192.168.2.110 through the same VPN gateway so my VMs can access the on-prem server via this IP.

I tried creating a Routing Table instance, and it allows me to add a route for 192.168.2.110/32, under the "Next Hop Type" I can choose Virtual Network Gateway, but it won't let me specify the IP address of the gateway, and the rule does not seem to work. The auto-added route for 172.16.17.0/24 does have Virtual Network Gateway as hope type and it has the gateway's IP.

Your advice would be greatly appreciated.

thankyoussd
  • 31
  • 1
  • 1
  • 2

3 Answers3

3

The short answer is adding your network route to VPN route config file manually will make it work: %AppData%\Microsoft\Network\Connections\Cm\yourGuid\routes.txt.

Here you can find details about Azure P2S routing: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing

Hope it helps.

Diego Souza
  • 121
  • 1
  • 4
0

There is a better way to add the route to vpn client now.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute $onprem-network

jack.chen.job
  • 123
  • 2
  • 6
0

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. What you are describing requires a Site-to-Site VPN to allow resources in Azure to communicate back to your local network.

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Ken W - Zero Networks
  • 679
  • 3
  • 8
  • 1
    Thanks. I know S2S VPN would have worked for this. In this case it is not possible to use a S2S tunnel due to lack of access to the router. What I need is not for Azure VMs to access a whole on-prem subnet. That would obviously require S2S. I only need them to be able to access the particular end point (by its internal private IP) that has already connected to the gateway. The problem of using the Azure gateway assigned IP is that there is no option to make it static. Is there any workaround solution for this on the Azure side? – thankyoussd Feb 20 '19 at 16:34
  • Have you configured DNS on the Azure VNet? https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems#point-to-site-vpn-client-cannot-resolve-the-fqdn-of-the-resources-in-the-local-domain – Ken W - Zero Networks Feb 20 '19 at 17:46