
We have an Azure WebJob running on an App Service connected to a vNET via Point-to-Site connection.

That same vNET is then connected to the on-premise network via a Site-to-Site VPN connection.

Routing is set up on the Site-to-Site connection so that the IP range of the Azure vNET (172.27.0.0/24) is sent from OnPrem > Azure. This can be tested by logging in to a VM inside of the vNET to query on-premise resources - this works fine, and as expected.

If the same request (to a REST API) is sent from the WebJob, things do not work.

The IP range of the Point-to-Site (172.27.1.144/28) does not intersect with that of the vNET, so I am wondering if we need to also route this range "back across" the Site-to-Site connection?

Another alternative is that a routing table within Azure needs to have a manual entry, somehow?

Any tips on how to troubleshoot / get this working would be much appreciated.

m1nkeh

1 Answer

> The IP range of the Point-to-Site (172.27.1.144/28) does not intersect with that of the vNET, so I am wondering if we need to also route this range "back across" the Site-to-Site connection?

You need to do that, indeed. Not only that, you need to configure this network range (172.27.1.144/28) on your on-premises router too - so it recognises and accepts the traffic.

But in order to make the routing from the Point-to-Site (Azure app service) to the on-premise over the Site-to-Site VPN Connection, you will need to use a Virtual Appliance which is capable of forwarding the traffic.

For the sake of simplicity and cost savings, you could just use Azure Hybrid Connections to connect the Azure Web App / Web Job to the on-premise resource.

You can also refer to the documentation here, which lists the limitations of connecting an App Service Plan to a Virtual Network, namely:

There are some things that VNET Integration does not support, including:

  • mounting a drive
  • AD integration
  • NetBios
  • private site access

Please note the last one - private site access - this is your on-premises.

astaykov
  • hmm.. thanks for the information that is really helpful. Just one additional point, we also need to access resources held within AWS, which is also connected to the on prem network with another VPN, any complications at all with this that you can see? We are only responsible for the Azure infrastructure... – m1nkeh Apr 18 '17 at 10:42
  • yes. You have to do the Azure - AWS routing within the on-premises with the help of routers capable of doing so. Or establish a Site-to-Site VPN from Azure directly to the AWS site using Virtual Appliances. And of course, you have to make sure that you do not have overlapping IP ranges on either of the sites. Or use [Aviatrix](http://aviatrix.com/) to "connect the dots". – astaykov Apr 18 '17 at 23:24
  • great, thanks. the internal network is not our responsibility, but it's good to know. cheers! – m1nkeh Apr 19 '17 at 18:29
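The answer's two checks (is the Point-to-Site pool actually covered by what is advertised to on-premises over the Site-to-Site VPN, and do any of the connected sites' ranges overlap) can be verified before touching any gateway config. The following is an added example, not part of the original thread; the prefixes are the ones from the question, the `remote_sites` value and the advertised list are constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed from the scenario in the question: the vNET range, the
# Point-to-Site client pool, and the prefixes currently advertised to the
# on-premises side over the Site-to-Site VPN (only the vNET range so far).
VNET = "172.27.0.0/24"
P2S_POOL = "172.27.1.144/28"
ADVERTISED_TO_ONPREM = ["172.27.0.0/24"]


def _nets(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def uncovered_prefixes(required, advertised):
    """Return the required prefixes that no advertised prefix fully contains.

    Each one still has to be added to the Site-to-Site routing (and accepted
    by the on-premises router) before replies can reach that address range.
    """
    adv = _nets(advertised)
    return [str(r) for r in _nets(required)
            if not any(r.subnet_of(a) for a in adv)]


def overlapping_pairs(prefixes):
    """Return pairs of prefixes that overlap.

    Overlapping ranges on connected sites make return traffic ambiguous,
    so they must be resolved before the sites are joined.
    """
    return [(str(a), str(b)) for a, b in combinations(_nets(prefixes), 2)
            if a.overlaps(b)]


def route_report(vnet, p2s_pool, advertised, remote_sites=()):
    """Summarise what is missing for the P2S clients to reach on-premises."""
    missing = uncovered_prefixes([vnet, p2s_pool], advertised)
    overlaps = overlapping_pairs([vnet, p2s_pool, *remote_sites])
    return {"missing_routes": missing, "overlaps": overlaps}


if __name__ == "__main__":
    # Hypothetical third site (e.g. an AWS VPC) to show the overlap check.
    print(route_report(VNET, P2S_POOL, ADVERTISED_TO_ONPREM,
                       remote_sites=["10.0.0.0/16"]))
```

With the question's values the report lists 172.27.1.144/28 as a missing route, which is exactly the range the answer says must be routed back across the Site-to-Site connection.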