Azure VM / NIC connectivity via Private Endpoint or P2S VPN

Hi everyone,

I’m trying to figure out the best way to set up connectivity to an Azure Virtual Machine (or the NIC resource) via an existing Azure P2S VPN that I’ve created. I’ve set up P2S connectivity to other resource types, such as storage accounts, but for some reason, it’s not proving to be very intuitive to set up connectivity to the VM. It’s just an Azure VM that is basically hosting a website.

If anyone has any pointers, or could point me in the right direction in terms of docs that talk about the process, that would be great. Oddly, I haven’t been able to find a whole lot on this.

Thanks in advance, everyone!

Without more detail it’s difficult to point to what may be the problem. There are a number of different technologies involved, so pointing to relevant documentation depends on what the problem is.

In general, when you connect a P2S VPN, the VPN gateway allocates an IP address in a defined client subnet to the client. In order for the client to be able to connect to a resource using the private IP address, there must be:

  1. Connectivity between the resource and the client VPN IP (i.e., peering, etc.)
  2. Relevant routes present in the route tables in each VNet.
  3. Any FW / NSG must allow the traffic.

Additionally, the VPN configuration on the client needs to be considered. If the VPN tunnel configuration includes split tunnelling, any subnets that need to be sent via the tunnel have to be defined in the client VPN configuration. You also have to consider DNS configuration to make sure any requests for private resources in Azure are resolved before any public DNS is queried.

I’m not sure what precisely you are using the P2S VPN for, but if it’s purely for RDP to manage the VMs, you should consider whether Azure Bastion could replace the P2S VPN, as it’s both easier to set up / manage, and more secure.

Good points, thank you for the response also! And to provide more detail:

  • There is a single virtual network in the subscription that basically houses all resources, except for the virtual network gateway.

  • The VPN tunnel allows split tunneling, but is primarily used to grant users access to some file shares (via a private endpoint).

So I should check whether there are routes between the virtual network gateway and the virtual network where the VMs are located? And also make sure that NSGs are allowing the traffic?

Ah, and… I need to define the routes in the VPN configuration? Would I have to push that configuration to each client once more, or can those configurations be made on the virtual network gateway without having to mess with connected clients?

Thanks for your help with all this!

Do you have a FW in the VNet? Do you have any UDRs defined? If not, I would think routing should just work by default, but it’s been a while since I did this myself. You should still validate that the NSGs are configured to permit the relevant ports.

As for the split tunneling, the simplest approach is to use tracert on the client to verify that the client is tunneling the traffic. Assuming it is, then the issue is either the routing from the VPN gateway client IP range, or an NSG denying the traffic.
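An added example (not from anyone in this thread) of the two checks the replies above describe: whether the VM subnet's effective routes send the P2S client pool back via the gateway, and whether the effective NSG rules, walked by priority, allow that pool to reach the web port. The route and rule shapes are a simplified, constructed version of what `az network nic show-effective-route-table` and `az network nic list-effective-nsg` return, and the client pool, port and rules are constructed sample values.

```python
import ipaddress
# Constructed sample values (not from the thread): P2S client pool and web port.
CLIENT_POOL = "172.16.0.0/24"
WEB_PORT = 443
# Simplified shape of `az network nic show-effective-route-table` entries (assumption).
SAMPLE_ROUTES = [
    {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal", "state": "Active"},
    {"addressPrefix": ["172.16.0.0/24"], "nextHopType": "VirtualNetworkGateway", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet", "state": "Active"},
]
# Simplified effective NSG rules; the real `list-effective-nsg` output already
# expands service tags to CIDRs, so only "*" and CIDRs appear here (assumption).
SAMPLE_NSG_RULES = [
    {"priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": ["10.0.0.0/16"], "destinationPortRange": "443"},
    {"priority": 65500, "direction": "Inbound", "access": "Deny", "protocol": "*",
     "sourceAddressPrefix": ["*"], "destinationPortRange": "0-65535"},
]
# The same set with an explicit allow for the VPN client pool added.
FIXED_NSG_RULES = SAMPLE_NSG_RULES + [
    {"priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": ["172.16.0.0/24"], "destinationPortRange": "443"},
]

def _covers(prefix, pool):
    # "*" matches everything; otherwise the whole client pool must sit inside the prefix.
    return prefix == "*" or pool.subnet_of(ipaddress.ip_network(prefix))

def _port_in(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def gateway_route_covers(routes, client_pool):
    """True if an active route containing the client pool has next hop VirtualNetworkGateway."""
    pool = ipaddress.ip_network(client_pool)
    return any(r["state"] == "Active" and r["nextHopType"] == "VirtualNetworkGateway"
               and any(_covers(p, pool) for p in r["addressPrefix"]) for r in routes)

def nsg_verdict(rules, client_pool, port):
    """Access of the first inbound rule (by priority) matching TCP from the pool to port."""
    pool = ipaddress.ip_network(client_pool)
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != "Inbound" or r["protocol"] not in ("Tcp", "*"):
            continue
        if any(_covers(p, pool) for p in r["sourceAddressPrefix"]) \
                and _port_in(r["destinationPortRange"], port):
            return r["access"]
    return "Deny"  # Azure's built-in DenyAllInBound applies when nothing matches
```

Feed the real CLI output into the same functions to see whether the return route is missing or a rule such as the sample's priority 100 only allows the VNet range and never the client pool.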