3

I set up a VPN gateway in Azure, and configured a P2S connection that connects an on-prem server to the gateway. The Azure P2S configuration asks for an IP pool to assign to the endpoints when they connect; it's set to 172.16.17.0/24.

When the on-prem server successfully connects, it's assigned an IP 172.16.17.2 as expected. It can reach my private subnets on the Azure side normally across the VPN.

However, the on-prem server has its own private IP, 192.168.2.110. From the Azure side, the VMs connected to the VPN gateway can only reach the on-prem server via 172.16.17.2. I need them to be able to reach 192.168.2.110 as well.

I took a look at the effective routing table in Azure. They auto added 172.16.17.0/24 to be routed via the VPN of course. But they have other private IP blocks that are not part of my Vnet address space/subnets set to Drop, including 192.168.0.0/16.

I can't seem to figure out how to add a custom route to my vNic that routes 192.168.2.110 through the same VPN gateway so my VMs can access the on-prem server via this IP.

I tried creating a Routing Table instance, and it allows me to add a route for 192.168.2.110/32. Under the "Next Hop Type" I can choose Virtual Network Gateway, but it won't let me specify the IP address of the gateway, and the rule does not seem to work. The auto-added route for 172.16.17.0/24 does have Virtual Network Gateway as hop type and it has the gateway's IP.

Your advice would be greatly appreciated.

3 Answers

3

The short answer is adding your network route to VPN route config file manually will make it work: %AppData%\Microsoft\Network\Connections\Cm\yourGuid\routes.txt.

Here you can find details about Azure P2S routing: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing

Hope it helps.

0

There is a better way to add the route to the VPN client now.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute $onpremNetwork   # $gw from Get-AzVirtualNetworkGateway; $onpremNetwork is the on-prem prefix as a string, e.g. "192.168.2.110/32" (a hyphen is not valid in a PowerShell variable name)
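As an added example (not part of the answer above), the same cmdlet applied with the question's on-prem address, merging the new prefix with any custom routes already configured so a re-run does not drop earlier entries, and re-reading the gateway to confirm the change. The gateway and resource group names are placeholders.

```powershell
# Added example: advertise an on-prem prefix to P2S clients via the
# gateway's CustomRoutes, keeping prefixes that are already configured.
$gatewayName   = "<your-vpn-gateway>"      # placeholder, not from the question
$resourceGroup = "<your-resource-group>"   # placeholder, not from the question
$onpremPrefix  = "192.168.2.110/32"        # the on-prem host from the question

$gw = Get-AzVirtualNetworkGateway -Name $gatewayName -ResourceGroupName $resourceGroup

# Collect any prefixes already advertised; CustomRoutes may be empty.
$existing = @()
if ($gw.CustomRoutes -and $gw.CustomRoutes.AddressPrefixes) {
    $existing = @($gw.CustomRoutes.AddressPrefixes)
}
$routes = @(($existing + $onpremPrefix) | Select-Object -Unique)

# -CustomRoute replaces the whole list, which is why we merged above.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute $routes | Out-Null

# Re-read the gateway and fail loudly if the prefix did not take.
$gw = Get-AzVirtualNetworkGateway -Name $gatewayName -ResourceGroupName $resourceGroup
if ($gw.CustomRoutes.AddressPrefixes -notcontains $onpremPrefix) {
    throw "Custom route $onpremPrefix was not applied to $gatewayName"
}
$gw.CustomRoutes.AddressPrefixes
```

Connected clients pick up the advertised prefix when they next connect, so an existing P2S session has to be re-established after the change.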

0

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. What you are describing requires a Site-to-Site VPN to allow resources in Azure to communicate back to your local network.

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal