Hello @Sunilprasath Elangovan ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you are unable to connect to the Spoke VM using its private IP, and to the Storage account & Key Vault with private endpoints, from the on-prem site-to-site VPN.
Below are the recommendations to resolve mentioned issues:
Unable to connect the VM in Spoke Vnet (subnet-1) from the VPN.
From your screenshot, I understand that hub and spoke Vnets are peered with "gateway transit" and "use remote gateway" options enabled, which will make sure that the spoke Vnet VM is able to reach the on-prem via the hub Vnet VPN gateway.
However, you need to make sure that the return traffic is also allowed. You can do this by adding a route for the spoke Vnet subnet-1 address range on your on-premises VPN device.
Also make sure that ICMP is allowed on the subnet-1 and subnet-1 VM in case NSGs are applied to the subnet/NIC. Additionally, make sure that the subnet-1 VM's OS firewall is allowing ICMP traffic and is not blocking it.
Unable to access the Storage account and Key Vault with private endpoints deployed in Spoke_vnet (subnet-1). Both the storage account and the key vault have networking disabled for public access.
For on-premises workloads to resolve the FQDN of a private endpoint, use a DNS forwarder to resolve the Azure service public DNS zone in Azure. A DNS forwarder is a Virtual Machine running on the Virtual Network linked to the Private DNS Zone that can proxy DNS queries coming from other Virtual Networks or from on-premises. This is required as the query must be originated from the Virtual Network to Azure DNS. A few options for DNS proxies are: Windows running DNS services, Linux running DNS services, Azure Firewall. Or you could use the new Azure service called Azure DNS Private Resolver that enables you to query Azure DNS private zones from an on-premises environment and vice versa without deploying VM based DNS servers.
If you check the table in the Name resolution for resources in Azure virtual networks article, you can find the below:
For on-prem clients to be able to resolve Private Endpoint entries hosted on Azure Private DNS Zones, you must leverage Azure DNS Private Resolver or an existing DNS Server (Forwarder or Proxy) or deploy one IaaS VM using a DNS Server role.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
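As an added illustration (not code from the answer above or from Microsoft), the following Python check classifies how a private-endpoint FQDN resolves from a client and maps the outcome to the DNS-forwarder fix described in the answer. The VNet CIDR, the FQDNs and the injected resolver results are constructed; only the privatelink zone names are the real Private Link zones for Blob storage and Key Vault.

```python
"""Classify how a private-endpoint FQDN resolves from an on-prem client."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

# Real Private Link DNS zones for the two services in the question.
PRIVATELINK_ZONES = {
    "blob.core.windows.net": "privatelink.blob.core.windows.net",
    "vaultcore.azure.net": "privatelink.vaultcore.azure.net",
}

# What each resolution outcome means for the hub/spoke + VPN setup.
REMEDIATION = {
    "private-endpoint": "OK: answer is inside the VNet; traffic will use the private endpoint.",
    "public-ip": "On-prem DNS is answering from public Azure DNS; add a conditional "
                 "forwarder for the privatelink zone to a DNS forwarder / Private "
                 "Resolver inbound endpoint inside the VNet.",
    "unresolvable": "Forwarder reached but has no record; link the Private DNS zone "
                    "to the VNet hosting the forwarder / resolver.",
}


def expected_privatelink_name(fqdn: str) -> str:
    """Map a public service FQDN to the record the Private DNS zone must host."""
    host, _, zone = fqdn.partition(".")
    pl_zone = PRIVATELINK_ZONES.get(zone)
    if pl_zone is None:
        raise ValueError(f"no Private Link zone known for {fqdn}")
    return f"{host}.{pl_zone}"


def classify_resolution(fqdn: str, vnet_cidrs: Iterable[str],
                        resolve: Optional[Callable[[str], List[str]]] = None) -> str:
    """Return 'private-endpoint', 'public-ip' or 'unresolvable'.

    resolve(name) -> list of IP strings; defaults to the OS resolver so the
    check can be run from the on-prem client itself."""
    if resolve is None:
        def resolve(name: str) -> List[str]:
            return [ai[4][0] for ai in socket.getaddrinfo(name, None)]
    try:
        addrs = resolve(fqdn)
    except OSError:          # socket.gaierror is an OSError subclass
        return "unresolvable"
    if not addrs:
        return "unresolvable"
    nets = [ipaddress.ip_network(c) for c in vnet_cidrs]
    if all(any(ipaddress.ip_address(a) in n for n in nets) for a in addrs):
        return "private-endpoint"
    return "public-ip"
```

Run `classify_resolution("mystorage.blob.core.windows.net", ["10.1.0.0/16"])` on the on-prem client and look up the result in `REMEDIATION`; a `public-ip` verdict is the symptom of the missing DNS forwarder described above.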
@GitaraniSharma-MSFT, apologies, we have not yet implemented the DNS forwarder due to a project-management-level issue. I will definitely update the case after we have tested.