
Cannot ping from on-prem machine to an azure vnet


I cannot ping from an on-premises VM to a VM in Azure via the VPN gateway connection. The problem occurs only if the VM in Azure is in a VNET that is not the same as the VNET the VPN connection is established to. However, there is a peering connection between the Azure VNETs. Is this a feature or a misconfiguration on my side?

So here is the setup:

  • VNET0: VNET on-prem in the space 192.168.90.0/24
  • VM0: VM on-prem in VNET0 (IP 192.168.90.4)
  • VNET1: VNET in Azure in the space 10.15.0.0/16
  • VNET2: VNET in Azure in the space 10.16.0.0/16
  • VNET peering in Azure between VNET1 and VNET2, allowing traffic forwarding
  • VPN gateway from on-prem VNET0 to Azure VNET1
  • VM1 in Azure connected to VNET1, more specifically in the subnet 10.15.90.0/24 (IP 10.15.90.4)
  • VM2 in Azure connected to VNET2, more specifically in the subnet 10.16.90.0/24 (IP 10.16.90.4)
  • Network security group in Azure allowing all traffic from anywhere to anywhere, assigned in VNET2 to the subnet 10.16.90.0/24
  • The VPN tunnel configuration on the on-premises firewall has a rule allowing incoming and outgoing traffic from both VNET1 and VNET2

Problem

  • Working scenario: VM0 can ping VM1
  • Non-working scenario: VM0 cannot ping VM2

Any idea where the problem could be?


Solution

  • You need to set the Allow gateway transit option in the "Hub-RM" virtual network in a peering from Azure VNET1 to Azure VNET2 and enable the Use remote gateways in the "Spoke-RM" virtual network in a peering from Azure VNET2 to Azure VNET1. Do not select allow traffic forwarding.

    Note: If you have a P2S VPN connection, once you change the peering setting you should re-download the VPN client from the Azure VPN gateway portal and reinstall it on the on-premises machine to make the route update on your on-premises network.

    Get more details from configuring VPN gateway transit for virtual network peering

    Update

    After confirming with you, you actually want to do the S2S connection with Azure VPN gateway with VNet peering, following the article. I suggest that you have VNet peering configured with gateway transit between VNet1 and VNet2. You have to make sure the on-premises network has routing for VNet2 and VNet1. After you have a static route configured correctly in the FortiGate (on-premises firewall), this works.
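The two peering settings from the answer above, applied with the Azure CLI and followed by a check from VM2's side. This is an added example and not code from the answer or from the linked article; the VNet names and address prefixes come from the question, while the resource-group name, the peering names and VM2's NIC name are assumptions. The block prints the commands by default and only executes them when DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): enable VPN gateway transit over
# the existing VNET1<->VNET2 peering and verify the route seen by VM2's NIC.
# Assumed names: resource group, peering names and the NIC name of VM2.
set -euo pipefail

RG="${RG:-rg-azure-vpn}"                 # assumed resource group
HUB="VNET1"                              # hosts the S2S VPN gateway (from the question)
SPOKE="VNET2"                            # reachable only through the peering (from the question)
HUB_PEERING="${HUB}-to-${SPOKE}"         # assumed name of the existing peering in VNET1
SPOKE_PEERING="${SPOKE}-to-${HUB}"       # assumed name of the existing peering in VNET2
VM2_NIC="${VM2_NIC:-vm2-nic}"            # assumed NIC name of VM2 (10.16.90.4)
ONPREM_PREFIX="192.168.90.0/24"          # on-prem space behind the FortiGate (from the question)
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the az commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1 (hub side): VNET1 offers its VPN gateway to its peers.
enable_hub_gateway_transit() {
  run az network vnet peering update \
    --resource-group "$RG" --vnet-name "$HUB" --name "$HUB_PEERING" \
    --set allowGatewayTransit=true
}

# Step 2 (spoke side): VNET2 sends traffic for non-VNet destinations through
# VNET1's gateway. Order matters: Azure refuses useRemoteGateways unless the
# remote peering already has allowGatewayTransit, and VNET2 must not own a
# gateway of its own.
enable_spoke_remote_gateway() {
  run az network vnet peering update \
    --resource-group "$RG" --vnet-name "$SPOKE" --name "$SPOKE_PEERING" \
    --set useRemoteGateways=true
}

# Step 3: read VM2's effective routes. With transit working, the on-prem prefix
# is listed with nextHopType "VirtualNetworkGateway"; before the change it is
# absent, so the reply to VM0's ping leaves VNET2 with no route back.
show_onprem_route_on_vm2() {
  run az network nic show-effective-route-table \
    --resource-group "$RG" --name "$VM2_NIC" \
    --query "value[?contains(addressPrefix, '${ONPREM_PREFIX}')].{prefix:addressPrefix[0],nextHop:nextHopType,source:source}" \
    --output table
}

enable_hub_gateway_transit
enable_spoke_remote_gateway
show_onprem_route_on_vm2
```

The Azure side is only half of the path: the FortiGate still needs 10.16.0.0/16 in the tunnel's phase-2 selectors and a static route for that prefix pointing into the tunnel, otherwise VM0's echo request never enters the VPN. If the effective-route check already shows the on-prem prefix via VirtualNetworkGateway and the ping still fails, look at the guest firewall on VM2 before touching the peering again.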