Site-2-Site VPN with whitelisted IPs

Seun Ore 80 Reputation points
2024-07-02T13:00:08.3533333+00:00

Dear azure team,

I set up an S2S VPN from Azure to an on-prem infrastructure. The status on the Azure portal says connected. The tunnels are up on both sides, but I am unable to pass traffic through it. Pinging the private IP of the on-prem systems is failing. nslookup is failing too.

I have a hub-spoke infrastructure with a firewall set up on the hub-vnet virtual network, and other virtual networks are peered with hub-vnet. I set up diagnostic settings to allow me to check out traffic flow within the tunnels. Are there specific ways to know what is blocking traffic from Azure to the on-premises infrastructure? For context, this traffic is not even hitting the on-premise side at all.

By the way, the connection allows us to send traffic from our AKS through the tunnel to the on-premise infrastructure. The AKS itself is deployed in multiple subnets within the virtual network.


Accepted answer
  1. KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee
    2024-07-03T04:24:17.9533333+00:00

    @Seun Ore ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    From your verbatim,

    • You have a Hub VNET with VPN Gateway connected to OnPrem
    • There is a Firewall deployed in the Hub VNET
    • Traffic from neither the Hub VNET nor the Spoke VNETs is able to connect to the OnPrem servers.
    • However, there is an AKS service that was able to pass traffic to OnPrem.

    As next steps,

    • Can you confirm if the AKS is deployed in the HubVNET or one of the Spoke VNETs?
    • I see you have a Firewall in HubVNET
      • Did you configure UDRs in the subnets with OnPrem ----> FirewallPrivateIP?
      • If so, can you check the Firewall logs to see if the traffic to OnPrem actually hits the Firewall or not?
    • Create a new VM in the HubVNET in a new subnet (without any RouteTable)
      • Let's call it testVM
      • From this testVM, please try to access your OnPrem resources and let us know if that succeeds.

    Cheers,

    Kapil
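Added example, not part of the thread: a small Python triage script for the two checks in the reply above (is the subnet's effective route for the on-prem prefix pointing at the firewall, and does the firewall's network-rule log show that traffic). The route table is constructed in the shape of `az network nic show-effective-route-table` output, the log lines follow the `msg_s` format of the AzureFirewallNetworkRule diagnostic category, and the on-prem prefix and firewall private IP are placeholder values.

```python
import ipaddress
import re

ONPREM_PREFIX = ipaddress.ip_network("192.168.10.0/24")  # placeholder on-prem range
FIREWALL_IP = "10.0.1.4"                                   # placeholder Azure Firewall private IP

# Constructed effective routes: a UDR for the on-prem prefix pointing at the firewall
# overrides the gateway-learned route, which the platform then shows as Invalid.
EFFECTIVE_ROUTES = [
    {"addressPrefix": ["192.168.10.0/24"], "nextHopType": "VirtualNetworkGateway",
     "nextHopIpAddress": ["10.0.255.5"], "source": "VirtualNetworkGateway", "state": "Invalid"},
    {"addressPrefix": ["192.168.10.0/24"], "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": [FIREWALL_IP], "source": "User", "state": "Active"},
]

# Constructed AzureFirewallNetworkRule msg_s lines for one spoke VM talking to on-prem.
FIREWALL_LOG = [
    "TCP request from 10.0.2.5:50432 to 192.168.10.5:445. Action: Deny. No rule matched. Proceeding with default action",
    "ICMP request from 10.0.2.5 to 192.168.10.5. Action: Allow. Rule Collection: rc-onprem. Rule: allow-icmp",
    "UDP request from 10.0.2.5:53211 to 8.8.8.8:53. Action: Allow. Rule Collection: rc-dns. Rule: allow-dns",
]
LOG_RE = re.compile(r"^(?P<proto>\w+) request from (?P<src>[\d.]+)(?::\d+)? to "
                    r"(?P<dst>[\d.]+)(?::\d+)?\. Action: (?P<action>\w+)")


def effective_route(dest, routes):
    """Longest-prefix match over Active routes only; Invalid routes never carry traffic."""
    dest, best = ipaddress.ip_address(dest), None
    for route in routes:
        if route["state"] != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, route)
    return best[1] if best else None


def firewall_flows(lines, prefix):
    """Parse network-rule log lines, keeping flows whose destination is inside the on-prem prefix."""
    flows = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and ipaddress.ip_address(m["dst"]) in prefix:
            flows.append((m["proto"], m["src"], m["dst"], m["action"]))
    return flows


def diagnose(dest, routes=EFFECTIVE_ROUTES, lines=FIREWALL_LOG, prefix=ONPREM_PREFIX):
    """Report next hop, whether it is the firewall, and whether the firewall saw/denied the flow."""
    route = effective_route(dest, routes)
    via_fw = bool(route) and route["nextHopType"] == "VirtualAppliance" and FIREWALL_IP in route["nextHopIpAddress"]
    flows = [f for f in firewall_flows(lines, prefix) if f[2] == dest]
    return {"next_hop": (route or {}).get("nextHopType"), "routed_via_firewall": via_fw,
            "seen_by_firewall": bool(flows), "denied": [(p, s) for p, s, _, a in flows if a == "Deny"]}
```

If `routed_via_firewall` is true but `seen_by_firewall` is false, the drop is between the subnet and the firewall (NSG, peering, or a missing firewall route back to the gateway) rather than a firewall rule.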

