Azure VNET Peering with File Storage and VPN Gateway

Greg Thomas 121 Reputation points
2022-11-30T21:17:54.293+00:00

Hi,

I have 2 VNETS - VNET-A and VNET-B.

VNET-A has our VMs in it and is peered to VNET-B which has a VPN Gateway tied to it for Azure VPN.

I can VPN fine into VNET-B but then accessing VMs via RDP is not allowed. I have configured by NSG to allow port 3389 from the IP of the VPN Gateway pool.

In addition, I have set up Azure File Storage which works fine for VNET-A, I have a private endpoint and have been granted access to that network. However for VPN, even though I have granted access to VNET-B, clients can never connect to the storage file shares?

Do I have to create another Private endpoint for those fileshares to the second VNET?

When my clients connect via VPN, I notice the IP assigned is from the VPN Address pool so they don't get a local subnet address, is this something I need to add into network configuration for the Fileshare?

Thank you.

Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,170 questions
Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,393 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,179 questions
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Alan Kinane 16,791 Reputation points MVP
    2022-11-30T21:39:03.587+00:00

    This is most likely a routing issue.

    The P2S configuration for your VPN client must contain the address space of both of your VNETs in order for routing to work. You also need to make sure that "Allow gateway transit" is enabled on your VNET-B peer and "Use remote gateways" is enabled on your VNET-A peer.

    Have a look at this diagram which explains this well. Also, make sure to download your P2S VPN client configuration from the portal again after making any changes, this needs to be re-imported to your devices.

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multipeered

    265892-image.png

    0 comments
  2. Greg Thomas 1 Reputation point
    2022-12-01T16:51:28.02+00:00

    Hi - thank you for this.

    On my VNETB - Gateway Transit is enabled, but on my VNETA, I cannot change this to use "remote gateways"?

    266301-image.png

    Also in Azure, VNET where would I program up these routes?

  3. Greg Thomas 121 Reputation points
    2022-12-02T18:38:23.05+00:00

    Hi Alan,

    Thank you for your help with all this. Here is the configuration I have right now.

    VNETB - is our internal VNET, VNETA - is our VNET setup just for Azure Client VPN.266628-image.png

    When VPNed in, we want people to then be able to access our storage file shares and VMs (all secured to VNETB

    Thanks Greg

  4. Greg Thomas 121 Reputation points
    2022-12-05T14:17:42.563+00:00

    Hi Alan - both VNETS have a VPN gateway applied to them.

    The VNET B has an external VPN applied to it while VNET A has a VPN back to their internal network (point to site VPN with Azure Auth) with gateway2AZ SKU.

    On VNET A, they have a site-to-site VPN setup (from cloud to on-premise) that is a Gateway1 SKU.

    Are we able to put both The P2S and the S2S VPNs on the one VPN Gateway or will that cause conflicts in connections? They had wanted to keep them separate.