Tags: azure, networking, vnet, azure-vpn

Connection issue between on-premises and Azure subnets via Site-2-Site VPN in Hub and Spoke Topology in Azure


For one of my projects I've built a test Hub & Spoke network in Azure (1 Hub VNet + 2 Spoke VNets, one subnet in each) - sample screen below.

Next, I've created Site-2-Site IPSec VPN between Azure and On-Premises (with one test subnet).

Next, I've created a Point-2-Site VPN from the internet to Azure. The VNets have been deployed using the Resource Manager deployment model.


The communication works well within the Azure VNets/Subnets (Hub Peerings are Transit Enabled)

The communication works well between Azure Hub VNet and On-Premises test subnet (in both directions).

But I've found an issue when I would like to connect:

  1. From the On-Premises test subnet via S2S VPN to the Azure Spoke VNets
  2. From the Azure Spoke VNets to the On-Premises test subnet
  3. From a P2S connected client (Azure) to the On-Premises test subnet

As I checked in the Azure VPN Client, the connected user receives all Azure and on-premises network routes. All Azure VNets (including the P2S pool) have been added to the on-premises VPN test device. In one of the Microsoft Docs related to Azure VPN Gateway transit I've found the information that the on-premises VPN device needs to have an "interesting traffic" option enabled to be able to communicate with the "peered networks":

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints

"If you use a Virtual Network Gateway to send on-premises traffic transitively to a peered VNet, the peered VNet IP range for the on-premises VPN device must be set to 'interesting' traffic. Otherwise, your on-premises resources won't be able to communicate with resources in the peered VNet."

I've added the VNet CIDRs to my on-premises VPN device (within the IPSec VPN tunnel configuration) but I see no option like "interesting traffic" on my on-premises VPN device. And the communication is not working in either direction between the peered VNets and the on-premises network.

Any ideas on how to solve this case?


Solution

  • I've found the solution for my case.

    On the on-premises VPN Gateway I initially had one Site-2-Site VPN Tunnel where all Azure VNet CIDRs (for Hub, Spokes & P2S Client Pool) were added manually by me according to the device manual, but - as I mentioned - only the on-premises <-> Azure Hub VNet communication worked well.

    What I've found in another manual for my on-premises VPN Gateway is an option (checkbox) within the Site-2-Site IPSec VPN configuration to create a phase 2 (SA - security association) for each VNet CIDR address added. When checked, it in fact creates a separate Site-2-Site VPN Tunnel from on-premises to the Azure VPN Gateway for each specified Azure VNet. When selected, the communication between the on-premises and Azure Spoke VNets started to work immediately.

    On the Cisco community forum, when I read multiple VPN discussions, I found an extra tip as well:

    "Phase 2 is where the interesting traffic will be communicated."
    

    So, that clarifies a bit and adds to the information stated in the Microsoft documentation about the "interesting traffic".

    Additionally I've enabled the ping option to keep the IPSec tunnels alive, as from time to time I've observed some ping drops and some RDP connection disturbances due to that. That solved this extra issue.

    Now all communication works well back and forth. Case closed.
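The mechanism behind the answer above is the phase 2 traffic selector (SPD) lookup a policy-based VPN device performs on every packet: a packet is only "interesting" (encrypted into the tunnel) if some phase 2 SA has a local selector containing its source and a remote selector containing its destination. The script below is an added example, not the poster's device configuration or any vendor's code; the prefixes are constructed placeholders for the hub, spokes, P2S pool and on-premises subnet. It computes the (local, remote) selector pairs a policy-based device needs, reports which ones a given configuration is missing, and mimics the per-packet lookup to show why on-premises to spoke traffic fails when only the hub CIDR was configured and works once a phase 2 SA exists per Azure CIDR.

```python
"""Audit IPsec phase 2 (Quick Mode / child SA) traffic selectors for an
Azure hub-and-spoke reached over a site-to-site tunnel.

Added example, not the poster's configuration. All prefixes are
constructed placeholders (assumption); substitute the real address spaces.
"""
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed sample topology.
ONPREM_PREFIXES = ["192.168.10.0/24"]              # on-premises test subnet
AZURE_PREFIXES = {
    "hub":      "10.0.0.0/16",
    "spoke1":   "10.1.0.0/16",
    "spoke2":   "10.2.0.0/16",
    "p2s-pool": "172.16.0.0/24",                    # P2S client address pool
}


def required_selectors(local_prefixes, remote_prefixes):
    """Every (local, remote) prefix pair that needs its own phase 2 SA on a
    policy-based device: the 'interesting traffic' the Microsoft doc means."""
    return {(ip_network(l), ip_network(r))
            for l, r in product(local_prefixes, remote_prefixes)}


def missing_selectors(configured, local_prefixes, remote_prefixes):
    """Return required pairs not covered by any configured SA, as strings.
    A configured SA covers a pair when both its selectors are supersets."""
    cfg = [(ip_network(l), ip_network(r)) for l, r in configured]
    missing = set()
    for l, r in required_selectors(local_prefixes, remote_prefixes):
        if not any(l.subnet_of(cl) and r.subnet_of(cr) for cl, cr in cfg):
            missing.add((str(l), str(r)))
    return sorted(missing)


def matching_sa(src, dst, configured):
    """Mimic the SPD lookup: first SA whose local selector contains src and
    remote selector contains dst. None means the packet is not interesting
    and is routed outside the tunnel (or dropped), which is the symptom
    seen for on-premises <-> spoke traffic."""
    s, d = ip_address(src), ip_address(dst)
    for l, r in configured:
        if s in ip_network(l) and d in ip_network(r):
            return (l, r)
    return None


# Before: a single tunnel whose phase 2 selector only covers the hub CIDR.
HUB_ONLY = [("192.168.10.0/24", "10.0.0.0/16")]
# After: one phase 2 SA per Azure CIDR, which is what the per-CIDR checkbox
# in the answer above produces.
PER_CIDR = [("192.168.10.0/24", p) for p in AZURE_PREFIXES.values()]


def audit(configured):
    """Summarise one configuration: missing pairs plus two sample lookups."""
    return {
        "missing": missing_selectors(configured, ONPREM_PREFIXES,
                                     AZURE_PREFIXES.values()),
        "onprem_to_hub": matching_sa("192.168.10.5", "10.0.0.4", configured),
        "onprem_to_spoke1": matching_sa("192.168.10.5", "10.1.0.4", configured),
    }


if __name__ == "__main__":
    for name, cfg in (("hub-only", HUB_ONLY), ("per-cidr", PER_CIDR)):
        print(name, audit(cfg))
```

Run it and the hub-only configuration reports the two spoke CIDRs and the P2S pool as missing and returns no SA for the on-premises to spoke1 lookup, while the per-CIDR configuration reports nothing missing. A single summarised selector (for example 10.0.0.0/8 on the remote side) would also cover the hub and spoke pairs, but only if the peer accepts that selector; an Azure route-based gateway negotiates any-to-any selectors unless policy-based traffic selectors are enabled on the connection, so check which mode the Azure side is using before relying on summarisation. The reverse direction (spoke to on-premises) fails for the same reason on the Azure side: the phase 2 selector set is what Azure uses to decide which prefixes the tunnel carries.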