Azure P2S connection does not let me see devices on the on-prem address range, even though they are listed as additional advertised routes?

Jack Salsbury 21 Reputation points
2022-12-02T11:21:43.707+00:00

I have an issue where I am trying to set up a P2S connection that not only lets me access the Azure cloud environment, but also ping and see devices that are on my local on-prem environment.

There is a site-to-site VPN set up which allows Azure to see the on-prem environment, so I can see devices and access SMB shares when on the Azure virtual machines; however, when I connect to my P2S connection on my laptop at home, I can ping the Azure VMs but not anything in the office on-prem.

My site-to-site VPN config has the remote address range (on-prem) set up as 10.xx.xx.x/22, which is connected and working. In the P2S configuration I have set up the additional routes to advertise, which is 10.xx.xx.x/22 (on-prem environment IP range); however, when connected to the P2S VPN on my laptop, the on-prem devices are not visible.

Am I correct in understanding that if I have a site-to-site VPN set up on my virtual network that goes to my local network, the P2S connection will see this and pass through any additional routes if I specify them?

I can confirm that these devices on the local network are visible and can respond to ping.

Help is massively appreciated; if you need any more info, please let me know! :)

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

Accepted answer
    GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2022-12-02T12:31:29.567+00:00

    Hello @Jack Salsbury ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have an existing site-to-site VPN connection from your on-premises network to Azure, you added a point-to-site VPN configuration on it, and you are able to access the Azure VMs from the VPN client but are unable to connect to your on-premises resources.

    In order for you to be able to access your on-prem network (which is connected to Azure VPN by a site-to-site connection) from your point-to-site VPN client, your site-to-site VPN connection should be running BGP.
    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#vnetbranchbgp

    Without BGP, your point-to-site clients won't be able to access your S2S-connected on-prem resources.
    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#vnetbranch

    If your site-to-site connection between Azure and on-prem uses BGP, then you can just manually add the routes for your on-prem network to the Windows P2S client and will be able to access the on-prem network from your point-to-site connection/client. For non-Windows clients, you do not need to add the manual routes, as BGP is enough for the routes to be propagated.

    To manually add the on-prem network route, you can browse to %AppData%\Microsoft\Network\Connections\Cm*yourGuid*\routes.txt (C:\Users\userID\AppData\Roaming\Microsoft\Network\Connections\Cm*VPNGuid*\routes.txt) on your client machine and add the route in this text file.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

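As an added example (not part of the answer above, and not Microsoft's own tooling), the following PowerShell performs the two checks the answer implies: on the Windows P2S client, whether a route for the on-prem prefix is actually installed (and, if not, the line to append to routes.txt); and on the Azure side, whether the site-to-site connection has BGP enabled and which custom routes the gateway advertises. The prefix 10.20.0.0/22, the resource group, gateway and connection names are placeholders, and the `ADD <net> MASK <mask> default METRIC default IF default` line format is assumed from the CMAK routes.txt convention rather than taken from the page.

```powershell
# Added example (not from the question or answer above): client- and Azure-side checks
# for the P2S-to-on-prem routing problem discussed. All names and prefixes are placeholders.

# --- Client side (run on the Windows P2S client while the VPN is connected) ---

function Get-DottedMask {
    # Convert a prefix length (e.g. 22) to a dotted-decimal mask (255.255.252.0)
    param([int]$PrefixLength)
    $octets = foreach ($i in 0..3) {
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))
        ((0xFF -shl (8 - $bits)) -band 0xFF)
    }
    return ($octets -join '.')
}

function Test-OnPremRoute {
    # Check whether the client's IPv4 routing table already carries the on-prem prefix.
    # If it does not, print the line that would go into the VPN client's routes.txt
    # (assumed CMAK format: ADD <net> MASK <mask> default METRIC default IF default).
    param([string]$OnPremPrefix)   # e.g. '10.20.0.0/22' (placeholder)

    $network, $length = $OnPremPrefix.Split('/')
    $mask = Get-DottedMask -PrefixLength ([int]$length)

    $route = Get-NetRoute -AddressFamily IPv4 -ErrorAction SilentlyContinue |
             Where-Object { $_.DestinationPrefix -eq $OnPremPrefix }

    if ($route) {
        Write-Output "Route for $OnPremPrefix is present (interface: $($route.InterfaceAlias))"
        return $true
    }

    Write-Output "No route for $OnPremPrefix on this client."
    # Locate the client's routes.txt under the Connections folder the answer points at
    $connDir    = Join-Path $env:APPDATA 'Microsoft\Network\Connections'
    $routesFile = Get-ChildItem -Path $connDir -Filter routes.txt -Recurse -ErrorAction SilentlyContinue |
                  Select-Object -First 1
    if ($routesFile) { Write-Output "routes.txt found at: $($routesFile.FullName)" }
    Write-Output "Line to append to routes.txt:"
    Write-Output "ADD $network MASK $mask default METRIC default IF default"
    return $false
}

# --- Azure side (requires the Az PowerShell module and a prior Connect-AzAccount) ---

function Test-S2SBgp {
    # The answer's precondition: the site-to-site connection must run BGP before
    # P2S clients can reach on-prem. Also shows the gateway's advertised custom routes.
    param(
        [string]$ResourceGroupName,   # placeholder
        [string]$GatewayName,         # placeholder
        [string]$ConnectionName       # placeholder
    )
    $conn = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroupName -Name $ConnectionName
    $gw   = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName

    Write-Output "S2S connection '$ConnectionName' BGP enabled: $($conn.EnableBgp)"
    Write-Output "Gateway BGP enabled: $($gw.EnableBgp)"
    Write-Output "P2S custom routes advertised: $($gw.CustomRoutes.AddressPrefixes -join ', ')"

    if (-not $conn.EnableBgp) {
        Write-Output "Without BGP on the S2S connection, P2S clients will not reach the on-prem range."
    }
    return [bool]$conn.EnableBgp
}

# Example usage (placeholder values):
# Test-OnPremRoute -OnPremPrefix '10.20.0.0/22'
# Test-S2SBgp -ResourceGroupName 'rg-vpn' -GatewayName 'vnet-gw' -ConnectionName 's2s-office'
```

Run the client-side function first: if the route is missing while the tunnel is up, the advertised custom route never reached the Windows client and the routes.txt edit the answer describes is the fix; if the Azure-side check reports BGP disabled on the S2S connection, adding the client route alone will not help, which is the answer's main point.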
