Unable to connect Spoke VM using Private IP and Storage account, key vault with private endpoint from On-prem VPN

Sunilprasath Elangovan 60 Reputation points
2023-02-26T07:34:30.2433333+00:00

Hi

Good morning.

We have deployed our Analytics layer by following Hub and Spoke architecture.

We created a site-to-site VPN connection between On-prem and the Hub Vnet using VPN Gateway.

Kindly refer to the below image about our setup.

[image: Hub and Spoke setup diagram]

The below connections are working fine.

  1. Able to connect to the VM using its private IP in hub_vnet from the VPN.
  2. Databricks in Spoke_vnet (subnet-2) is able to connect to on-prem SQL databases and extract data.

But the below connections are not working:

  1. Unable to connect to the VM in Spoke Vnet (subnet-1) from the VPN.
  2. Unable to access the Storage account and Key vault with private endpoint deployed in Spoke_vnet (subnet-1). Both storage account and key vault networking is disabled for public access.

[image: screenshot of the networking setup]

We don't have any UDRs defined in either the Hub or Spoke vnet; we are using the system and gateway routes.

Kindly advise what settings we are missing. If you want more information, do let me know.

Regards,

Sunil


Accepted answer
    GitaraniSharma-MSFT 47,421 Reputation points, Microsoft Employee
    2023-02-27T14:16:11.4566667+00:00

    Hello @Sunilprasath Elangovan ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are unable to connect to the Spoke VM using its private IP, and to the Storage account & Key vault with private endpoints, from the on-prem site-to-site VPN.

    Below are the recommendations to resolve the mentioned issues:

    Unable to connect the VM in Spoke Vnet (subnet-1) from the VPN.

    From your screenshot, I understand that hub and spoke Vnets are peered with "gateway transit" and "use remote gateway" options enabled, which will make sure that the spoke Vnet VM is able to reach the on-prem via the hub Vnet VPN gateway.

    Refer: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#spoke-connections-to-remote-networks-through-a-hub-gateway

    However, you need to make sure that the return traffic is also allowed. You can do this by adding a route for the spoke Vnet subnet-1 address range on your on-premises VPN device.

    Also make sure that ICMP is allowed on the subnet-1 and subnet-1 VM in case NSGs are applied to the subnet/NIC. Additionally, make sure that the subnet-1 VM's OS firewall is allowing ICMP traffic and is not blocking it.

    Unable to access the Storage account and Key vault with private endpoint deployed in Spoke_vnet (subnet-1). Both storage account and key vault networking is disabled for public access.

    For on-premises workloads to resolve the FQDN of a private endpoint, use a DNS forwarder to resolve the Azure service public DNS zone in Azure. A DNS forwarder is a Virtual Machine running on the Virtual Network linked to the Private DNS Zone that can proxy DNS queries coming from other Virtual Networks or from on-premises. This is required as the query must be originated from the Virtual Network to Azure DNS. A few options for DNS proxies are: Windows running DNS services, Linux running DNS services, Azure Firewall. Or you could use the new Azure service called Azure DNS Private Resolver that enables you to query Azure DNS private zones from an on-premises environment and vice versa without deploying VM based DNS servers.

    Reference: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder

    If you check the table in the Name resolution for resources in Azure virtual networks article, you can find the below:

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

    [image: table from the name resolution article]

    For on-prem clients to be able to resolve Private Endpoint entries hosted on Azure Private DNS Zones, you must leverage Azure DNS Private Resolver or an existing DNS Server (Forwarder or Proxy) or deploy one IaaS VM using a DNS Server role.

    Refer: https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios#4-on-premises-dns-integration

    https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

    https://learn.microsoft.com/en-us/azure/dns/private-resolver-hybrid-dns

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
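As an added, self-contained example that is not part of this thread and not Microsoft tooling: a POSIX shell script an on-prem administrator could run to check the two points raised in the answer, whether the on-prem route table really sends the spoke subnet-1 prefix back over the VPN tunnel interface (longest-prefix match, the way the VPN device will decide it) rather than letting it fall through to the default route, and whether private-endpoint FQDNs resolve from on-prem to a private address in the spoke or come back as public addresses (the symptom of a missing DNS forwarder / Private Resolver). The spoke prefix 10.1.1.0/24, the interface name tun0, the sample route lines and the FQDNs are constructed placeholders, not values from the question.

```shell
#!/bin/sh
# Added example, not code from the Q&A thread or from Microsoft: on-prem
# diagnostics for the two symptoms discussed above. The spoke prefix, VPN
# interface name, route lines and FQDNs used here are constructed placeholders.
set -u

# --- 1. Return path: does the on-prem route table send the spoke prefix ---
# --- back over the VPN tunnel, or does it fall through to the default?  ---

# ip4_to_int 10.1.1.5 -> 167837957 (fails on anything but four octets)
ip4_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains OUTER INNER -> 0 when the INNER prefix lies inside OUTER
cidr_contains() {
  obits=${1#*/}; ibits=${2#*/}
  [ "$obits" -le "$ibits" ] || return 1
  [ "$obits" -gt 0 ] || return 0          # 0.0.0.0/0 contains everything
  mask=$(( (0xFFFFFFFF << (32 - obits)) & 0xFFFFFFFF ))
  onet=$(ip4_to_int "${1%/*}") || return 1
  inet=$(ip4_to_int "${2%/*}") || return 1
  [ $(( onet & mask )) -eq $(( inet & mask )) ]
}

# best_route PREFIX < route-lines: longest-prefix match over `ip route`-style
# lines ("DEST via GW dev IF ..."), printing the winning line. With only a
# default route, replies to a spoke VM leave via the internet link, not the tunnel.
best_route() {
  want=$1; best=; bestbits=-1
  while read -r dest rest; do
    [ -n "$dest" ] || continue
    case "$dest" in
      default) dest=0.0.0.0/0 ;;
      */*) ;;
      *) dest=$dest/32 ;;
    esac
    bits=${dest#*/}
    if [ "$bits" -gt "$bestbits" ] && cidr_contains "$dest" "$want"; then
      best="$dest $rest"; bestbits=$bits
    fi
  done
  [ -n "$best" ] && echo "$best"
}

# spoke_reachable_via PREFIX VPN_IF < route-lines -> 0 when the best route
# for PREFIX leaves through VPN_IF, i.e. the return route the answer asks for exists
spoke_reachable_via() {
  case "$(best_route "$1")" in
    *" dev $2 "*|*" dev $2") return 0 ;;
  esac
  return 1
}

# --- 2. Name resolution: where does a private-endpoint FQDN resolve to? ---

# is_rfc1918 IP -> 0 for 10/8, 172.16/12, 192.168/16
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.*)
      o2=${1#172.}; o2=${o2%%.*}
      [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;
  esac
  return 1
}

# classify_answer IP -> private | public | unresolved
# From on-prem, a private-endpoint name should resolve to the endpoint NIC's
# private IP in subnet-1. A public answer means the query never reached the
# private DNS zone: no forwarder/resolver in the VNet, or on-prem DNS not
# conditionally forwarding to it. No answer at all means the zone is unknown.
classify_answer() {
  if [ -z "${1:-}" ]; then echo unresolved
  elif is_rfc1918 "$1"; then echo private
  else echo public; fi
}

# resolve_a NAME -> first IPv4 answer from the local resolver, empty if none
resolve_a() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# check_endpoint NAME -> "NAME IP CLASS"
check_endpoint() {
  ip=$(resolve_a "$1")
  echo "$1 ${ip:-none} $(classify_answer "$ip")"
}

# Usage (on an on-prem host): sh pe_check.sh SPOKE_PREFIX VPN_IF FQDN...
main() {
  spoke=$1; vpnif=$2; shift 2
  if ip -4 route 2>/dev/null | spoke_reachable_via "$spoke" "$vpnif"; then
    echo "route: $spoke is routed via $vpnif"
  else
    echo "route: $spoke is NOT routed via $vpnif (add it on the VPN device / on-prem routers)"
  fi
  for n in "$@"; do check_endpoint "$n"; done
}
if [ $# -ge 2 ]; then main "$@"; fi
```

Run it as, for instance, `sh pe_check.sh 10.1.1.0/24 tun0 mystorage.blob.core.windows.net myvault.vault.azure.net` (placeholder names). A `public` classification for the storage or vault name confirms the resolution gap the answer describes, and a route report of "NOT routed via tun0" while hub VMs are reachable matches the first symptom, since the hub range is typically already in the VPN device's route table but the spoke range is not.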

