How do W365 Cloud PCs deployed in VNets in different regions ping each other?
Hi,
I want to know why the two CPCs cannot ping each other, and what changes need to be made so that they can. The scenario is as in the attached image. On-prem is in India, Vnet 1 is in Southeast Asia and Vnet 2 is in East US. Cloud PC1 is assigned to a subnet in VNet 1 and Cloud PC2 is assigned to a subnet in VNet 2. But when I test, I can't ping VM2 from VM1 and vice versa.
Azure VPN Gateway
Azure Virtual Network
Windows 365 Enterprise
Windows 365 Business
Windows Network
-
GitaraniSharma-MSFT 44,876 Reputation points • Microsoft Employee
2023-08-08T05:23:42.3233333+00:00 Hello @Khushboo Kumari ,
How are you trying to ping VM2 from VM1?
Is it using private IPs? If yes, then are Vnet1 and Vnet2 connected?
Vnet1 and Vnet2 connected to on-prem cannot talk to each other privately without using BGP or some type of direct connectivity such as Vnet peering.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview#transitrouting
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
If you want Vnet1 to talk to Vnet2 privately, then you should either connect them directly via Vnet peering or enable BGP on both of your S2S VPN connections to support transit routing.
Regards,
Gita
-
Khushboo Kumari 92 Reputation points
2023-08-08T08:35:35.6066667+00:00 Hi @GitaraniSharma-MSFT ,
Thanks for the information! Can you please let me know the exact reason why they are not pinging each other, because both CPCs are connected to the same network?
-
GitaraniSharma-MSFT 44,876 Reputation points • Microsoft Employee
2023-08-08T14:08:06.14+00:00 @Khushboo Kumari , by default, a virtual network cannot talk to another virtual network. It needs some type of connectivity to be established for them to talk to each other. Once this connectivity is established, the VMs and other resources within those Virtual networks can also talk to each other or ping each other.
To connect 2 virtual networks, you can use the below options:
- Vnet-to-Vnet connection.
- Site-to-site connection.
- Vnet peering.
Now, even though both the Vnets are connected to the on-premises via S2S VPN, they do not have a direct line of sight to talk to each other.
Both the Vnets can only talk to the on-premises which they are connected to.
So, you need to connect both the Vnets directly using one of the above options.
Another suggestion that I have here is:
- Remove the S2S between on-prem and Vnet2.
- Peer Vnet1 and Vnet2 with gateway transit option.
- Add a route to Vnet2 address range in your on-premises VPN device.
This way, you will only use 1 VPN gateway and will be able to ping all resources from Vnet2 to Vnet1 & on-premises and vice-versa.
Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
Regards,
Gita
-
Limitless Technology 43,776 Reputation points
2023-08-08T14:30:04.29+00:00 Hello
Thank you for your question and reaching out.
Since both of your VMs are on the same VNET and subnet, I would not anticipate any Azure infrastructure to be obstructing traffic unless you have added a Network Security Group (NSG) with a rule specifically prohibiting pings into VM2.
In order to find out if there is anything on the Windows (or Linux) firewall on VM2 preventing incoming ICMP traffic, I would first check the operating system firewall.
Have DNS servers been set up on your VNet? If not, why are the server names not pinging? You can either provide the IP addresses of specific custom servers or use the native Azure service. Are these computers listed in that DNS?
-
Khushboo Kumari 92 Reputation points
2023-08-09T11:32:47.8633333+00:00 Hi @GitaraniSharma-MSFT , Can you please tell me the differences between Vnet peering and a Vnet-to-Vnet connection? In which scenarios do we have to go with Vnet peering versus a Vnet-to-Vnet connection? And one more question: in your first response you provided the BGP option as well. So how can we use that in this scenario, and if we are configuring BGP, do we still need VNET peering? Let's suppose we have multiple Vnets. In that case, how will BGP work? Suppose there is no gateway transit.
Thanks!
-
GitaraniSharma-MSFT 44,876 Reputation points • Microsoft Employee
2023-08-09T12:01:11.1166667+00:00 Differences between the vnet peering and the vnet-to-vnet connection?
Vnet-to-Vnet connection uses VPN gateways on both Vnets.
Vnet peering doesn't use VPN gateways for Vnet-to-Vnet connectivity. But it can be configured as a transit point to an on-premises network using the VPN gateway on one of the Vnets.
In which scenarios do we have to go vnet peering and vnet to vnet connection?
You may want to connect virtual networks by using a VNet-to-VNet connection for the following reasons:
Cross region geo-redundancy and geo-presence
- You can set up your own geo-replication or synchronization with secure connectivity without going over internet-facing endpoints.
- With Azure Traffic Manager and Azure Load Balancer, you can set up highly available workload with geo-redundancy across multiple Azure regions. For example, you can set up SQL Server Always On availability groups across multiple Azure regions.
You may want to connect virtual networks by using Vnet peering for the following reasons:
- You don't want to use VPN gateways.
- You want a low-latency, high-bandwidth connection between resources in different virtual networks with the ability to transfer data between virtual networks across Azure subscriptions, Azure Active Directory tenants, deployment models, and Azure regions.
One more question - in your first response you provided the BGP option as well. So how can we use that in this scenario, and if we are configuring BGP, do we still need VNET peering? Let's suppose we have multiple Vnets. In that case, how will BGP work? Suppose there is no gateway transit.
If you want to use BGP, you need to configure BGP on both Azure and on-premises sides. You don't need Vnet peering. When you enable BGP on all the connections, all connected parties can talk to each other.
Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-howto#getting-started
If you have multiple Vnets, it depends on how you are configuring them with your existing setup. You could configure Vnet-to-Vnet connections between all the Vnets and enable BGP on all connections to create a full mesh topology as shown in the below doc:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview#transitrouting
But this topology will be expensive as it will require a VPN gateway in each Vnet.
So, the best option is to go with a single S2S VPN connection with a hub Vnet and connect all other Vnets to the hub Vnet using the transit gateway option in a hub and spoke topology. That will be more cost effective and easy to manage.
Regards,
Gita
-
Khushboo Kumari 92 Reputation points
2023-08-09T14:11:43.71+00:00 Hi @GitaraniSharma-MSFT ,
I want to know more about this statement of yours:
"If you want to use BGP, you need to configure BGP on both Azure and on-premises sides. You don't need Vnet peering. When you enable BGP on all the connections, all connected parties can talk to each other."
Do you mean as shown in attachment (a), or that if we have more than two VNets there is no need to create or establish any peering or VNet-to-VNet connection between the VNets, if we enable BGP?
-
GitaraniSharma-MSFT 44,876 Reputation points • Microsoft Employee
2023-08-10T12:42:46.33+00:00 Hello @Khushboo Kumari ,
The above setup will work with BGP enabled on both S2S connections (both on Azure and On-prem sides) as long as your on-premises advertises the routes from Vnet1 to Vnet2 and vice-versa.
If not, then you should connect Vnet1 and Vnet2 with a Vnet-to-Vnet or S2S connection and enable BGP on that connection as well.
If you have more than 2 Vnets, then all of them should be connected with each other via BGP enabled Vnet-to-Vnet connections (if gateway transit is not an option) to make a full mesh topology as shown in the below doc:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview#transitrouting
The above setup can be expanded to add as many Vnets as you want.
Regards,
Gita
-
GitaraniSharma-MSFT 44,876 Reputation points • Microsoft Employee
2023-08-14T09:06:11.13+00:00 @Khushboo Kumari , Could you please provide an update on this post?
-
Khushboo Kumari 92 Reputation points
2023-08-17T04:22:15.1833333+00:00 Hi @GitaraniSharma-MSFT ,
If I do a Vnet-to-Vnet connection without BGP enabled, will it work? And what is the role of BGP?
-
GitaraniSharma-MSFT 44,876 Reputation points • Microsoft Employee
2023-08-22T14:04:31.06+00:00 Hello @Khushboo Kumari ,
Apologies for the delay in response.
- Vnet-to-Vnet connection without BGP enabled will work but only for the directly connected Vnets.
For example:
Vnet1 <--V2V without BGP--> Vnet2 <--V2V without BGP--> Vnet3
In this case, Vnet1 can only access Vnet2. And Vnet3 can only access Vnet2.
Vnet2 can access both Vnet 1 and Vnet3 as they are both connected directly.
But Vnet1 cannot access Vnet3. And Vnet3 cannot access Vnet1.
- With BGP, all directly and indirectly connected Vnets are accessible.
For example:
Vnet1 <--V2V with BGP--> Vnet2 <--V2V with BGP--> Vnet3
Vnet2 can access both Vnet 1 and Vnet3.
Vnet1 can also access both Vnet2 and Vnet3.
Vnet3 can also access both Vnet2 and Vnet1.
Regards,
Gita
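To make the reachability rules in this answer and in the hub-and-spoke suggestion earlier in the thread concrete, here is a small route-propagation model, added as an example and not part of the original thread or of Azure's own tooling. The network names, address ranges and the three link kinds are constructed assumptions, and a peered spoke is assumed to reach on-prem over the hub's tunnel only because the on-premises device holds the matching route, as the suggestion requires.

```python
from collections import deque
# Link kinds from the thread (constructed model, not Azure's own code):
#   "static"  S2S or Vnet-to-Vnet connection without BGP
#   "bgp"     S2S or Vnet-to-Vnet connection with BGP on both sides
#   "transit" Vnet peering with gateway transit / use remote gateways
PREFIXES = {"onprem": "192.168.0.0/16", "vnet1": "10.1.0.0/16",  # constructed
            "vnet2": "10.2.0.0/16", "vnet3": "10.3.0.0/16"}      # address ranges

def _readvertises(learned_over, out_link):
    """May a prefix learned over one link be passed on over another?"""
    if "transit" in (learned_over, out_link):
        # Hub gateway serves the spoke's range on its tunnels (far end needs a
        # matching route) and the spoke inherits the hub gateway's routes, but
        # peering itself is not transitive: spoke-to-spoke via two peerings fails.
        return not (learned_over == "transit" and out_link == "transit")
    return learned_over == "bgp" and out_link == "bgp"  # BGP transit routing

def learned_routes(links, prefixes=PREFIXES):
    """Return {network: {cidr: origin}}: the routes each network ends up with.
    links is an iterable of (network_a, network_b, kind)."""
    neighbours = {}
    for a, b, kind in links:
        neighbours.setdefault(a, []).append((b, kind))
        neighbours.setdefault(b, []).append((a, kind))
    tables = {n: {} for n in prefixes}
    for origin, cidr in prefixes.items():
        # Flood the advertisement outward; state = (network, link it arrived on)
        queue, seen = deque(neighbours.get(origin, [])), set()
        while queue:
            node, arrived = queue.popleft()
            if node == origin or (node, arrived) in seen:
                continue
            seen.add((node, arrived))
            tables[node][cidr] = origin
            queue.extend((nb, out) for nb, out in neighbours[node]
                         if _readvertises(arrived, out))
    return tables

def can_ping(links, src, dst, prefixes=PREFIXES):
    """ICMP needs a route in both directions: the echo reply must get back."""
    tables = learned_routes(links, prefixes)
    return prefixes[dst] in tables[src] and prefixes[src] in tables[dst]

# The thread's topologies
ORIGINAL = [("onprem", "vnet1", "static"), ("onprem", "vnet2", "static")]
BGP_VIA_ONPREM = [("onprem", "vnet1", "bgp"), ("onprem", "vnet2", "bgp")]
HUB_SPOKE = [("onprem", "vnet1", "static"), ("vnet1", "vnet2", "transit")]
CHAIN_STATIC = [("vnet1", "vnet2", "static"), ("vnet2", "vnet3", "static")]
CHAIN_BGP = [("vnet1", "vnet2", "bgp"), ("vnet2", "vnet3", "bgp")]
```

Running `can_ping(ORIGINAL, "vnet1", "vnet2")` reproduces the question's symptom (no route in either VNet for the other), while the BGP, hub-and-spoke and BGP-chain topologies return True.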
-
Khushboo Kumari 92 Reputation points
2023-08-28T04:56:15.89+00:00 @GitaraniSharma-MSFT , Thanks for the information. Can you please tell me whether I need to enable BGP while creating the virtual private network gateway on-premises, or do I need to enable it only during the VNET-to-VNET connection? And if we enable BGP in the VNET-to-VNET connection, what configuration needs to be done on-premises?
-
GitaraniSharma-MSFT 44,876 Reputation points • Microsoft Employee
2023-08-28T11:58:14.73+00:00 Hello @Khushboo Kumari , if you need connectivity between all directly and indirectly connected Vnets/on-premises, then you need to enable BGP on all the involved gateways, connections and devices.
As I mentioned in my previous comment:
To enable BGP, you need to configure BGP on the VPN gateways, S2S connections, and VNet-to-VNet connections. Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-howto#getting-started
You also need to configure BGP on your on-premises VPN device. Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-howto#on-premises-device-configuration
The on-premises VPN device configuration will differ depending on which VPN device you are using.
Azure has validated a set of standard VPN devices. You can find the list of validated VPN devices along with their configuration guides in the below doc:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#devicetable
Regards,
Gita