![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 30%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENB%3C/text%3E%3C/svg%3E)
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,797 questions
Hello @Naveenbalaji B ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you've configured a hub and spoke architecture in Azure where Hub and Spoke Vnets are peered (with Allowed Gateway Transits and Remote gateway server). In Hub you have an Azure firewall and you have added Route table to the subnets (with Propagate gateway routes: NO) to route traffic via Azure firewall. You've a Point-to-site VPN connection and when trying to connect to a VM in the Spoke Vnet, you couldn't SSH or ping that VM, but after enabling the Propagate gateway routes, you were able to connect it successfully.
As mentioned in the Azure routing documentation,
ER and VPN Gateway route propagation can be disabled on a subnet using a property on a route table. When you disable route propagation, the system doesn't add routes to the route table of all subnets with Virtual network gateway routes. This process applies to both static routes and BGP routes. Connectivity with VPN connections is achieved using custom routes with a next hop type of Virtual network gateway. Route propagation shouldn't be disabled on the GatewaySubnet. The gateway will not function with this setting disabled.
Propagate gateway routes: If you plan to associate the route table to a subnet in a virtual network that's connected to your on-premises network through a VPN gateway, and you don't want to propagate your on-premises routes to the network interfaces in the subnet, set Virtual network gateway route propagation to Disabled.
Refer: https://learn.microsoft.com/en-us/azure/virtual-network/manage-route-table#create-a-route-table
When you set Propagate gateway routes to NO and associate the route table to the spoke subnets, the VMs in those subnets do not get the Virtual network gateway routes and hence you are unable to connect to those VMs from your point to site VPN connection.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.