I am unable to access the Internet when connected to Azure VPN (VNet gateway VPN)

Pawaskar, Riyanka Digambar 0 Reputation points
2023-12-08T06:07:41.0033333+00:00

I am unable to access the Internet when connected to Azure VPN Gateway.

  1. GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2023-12-08T08:51:25.0933333+00:00

    Hello @Pawaskar, Riyanka Digambar ,

    I understand that you have configured forced tunneling on your Azure Point-to-Site VPN and are unable to access the Internet from your client machine.

    You can direct all traffic to the VPN tunnel by advertising 0.0.0.0/1 and 128.0.0.0/1 as custom routes to the clients but please note that Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

    Hence, you need to introduce another resource such as Azure Firewall or an NVA (Network Virtual Appliance) which can take care of the Internet connectivity.

    But there is another limitation on the traditional VPN gateway (when I say traditional VPN gateway, I mean a VPN gateway without Virtual WAN solution, which is deployed directly into a Vnet) as below:

    Traditional VPN gateways do not have the EnableInternetSecurity flag option. This flag is needed and must be set to true for your clients to be properly configured for forced-tunneling/accessing Internet via the VPN gateway.

    Refer: https://learn.microsoft.com/en-us/powershell/module/az.network/set-azvirtualnetworkgateway?view=azps-10.1.0

    The P2S VPN gateway under Virtual WAN Hub has the EnableInternetSecurity option.

    Refer: https://learn.microsoft.com/en-us/powershell/module/az.network/update-azp2svpngateway?view=azps-10.1.0

    So, in order to reach the Internet via Azure P2S VPN gateway, you need to deploy a secured virtual hub with Azure firewall manager and add the P2S VPN Gateway to allow your egress traffic that will be controlled by a firewall policy.

    Refer: https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network

    When you secure Internet traffic via Azure Firewall (Firewall Manager), you can advertise the 0.0.0.0/0 route or any custom route to your VPN clients. This makes your clients send the Internet bound traffic to Azure for inspection. Then, firewall SNATs the packet to the Public IP of Azure Firewall for egress to Internet.

    To do this, you need to set up an Azure Firewall and then configure a Policy to allow P2S traffic to the Internet.

    You can also use an NVA instead of Azure Firewall as per your requirement.

    To advertise custom routes to your VPN clients, refer:

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes

    You can also add the route directly in your downloaded azurevpnconfig.xml file as below:

    <clientconfig>
        <includeroutes>
            <route>
                <destination>1.2.3.4</destination><mask>32</mask>
            </route>
        </includeroutes>
    </clientconfig>


    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-optional-configurations#add-custom-routes

    You can refer to the doc below, which explains how to configure forced tunneling for Virtual WAN Point-to-site VPN, and take inputs on the configuration: https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel

    Another reference for you: https://learn.microsoft.com/en-us/answers/questions/1178804/public-ip-of-azure-vpn-p2s-and-internet-access-via

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
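As an added example (not the answerer's code and not part of any Azure tooling), the helper below edits the `<clientconfig>/<includeroutes>` section of an azurevpnconfig.xml profile the way the answer describes, and checks whether the advertised routes amount to forced tunneling. It works on a constructed, minimal profile; a real downloaded profile carries more elements, but the route path is the same.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, minimal stand-in for a downloaded azurevpnconfig.xml (the real
# file carries more elements); only the <clientconfig>/<includeroutes> path
# discussed in the answer above is modelled here.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<AzVpnProfile>
  <name>constructed-p2s-profile</name>
  <clientconfig>
    <includeroutes>
      <route><destination>10.0.0.0</destination><mask>16</mask></route>
    </includeroutes>
  </clientconfig>
</AzVpnProfile>"""


def list_routes(xml_text):
    """Return the client-side include routes as 'network/prefix' strings."""
    root = ET.fromstring(xml_text)
    return [f"{r.findtext('destination')}/{r.findtext('mask')}"
            for r in root.iterfind("./clientconfig/includeroutes/route")]


def add_routes(xml_text, cidrs):
    """Add IPv4 CIDRs as <route> entries, validating and de-duplicating."""
    root = ET.fromstring(xml_text)
    cc = root.find("clientconfig")
    if cc is None:
        cc = ET.SubElement(root, "clientconfig")
    # An empty client config may carry an xsi:nil marker; drop it so the
    # element becomes a real container (assumption about the profile format).
    for attr in [a for a in cc.attrib if a.endswith("nil")]:
        del cc.attrib[attr]
    inc = cc.find("includeroutes")
    if inc is None:
        inc = ET.SubElement(cc, "includeroutes")
    present = set(list_routes(xml_text))
    for cidr in cidrs:
        net = ipaddress.IPv4Network(cidr, strict=True)  # ValueError on host bits
        key = f"{net.network_address}/{net.prefixlen}"
        if key in present:
            continue
        route = ET.SubElement(inc, "route")
        ET.SubElement(route, "destination").text = str(net.network_address)
        ET.SubElement(route, "mask").text = str(net.prefixlen)
        present.add(key)
    return ET.tostring(root, encoding="unicode")


def forces_all_traffic(cidrs):
    """True when the routes cover all of IPv4 (e.g. 0.0.0.0/1 + 128.0.0.0/1):
    Internet traffic then enters the tunnel and, on a plain VNet gateway with
    no firewall or NVA egress, is dropped."""
    nets = [ipaddress.IPv4Network(c) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.IPv4Network("0.0.0.0/0")]
```

Running `forces_all_traffic` over the routes in a profile is a quick way to tell whether a client profile will black-hole Internet traffic unless an egress firewall is in place.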


  2. Tomasz Wieczorkowski 56 Reputation points
    2024-11-05T21:20:14.7733333+00:00

    Hi Guys,

    I've tested this issue.

    Steps performed:

    1. New Azure VPN config downloaded from the Azure Portal VPN Gateway P2S (doesn't work)
    2. Checking of ipconfig /all, route print, tracert, nslookup, test-netconnection, telnet, wifi/wired interface settings (all checked, no issues)
    3. The problem is somehow related to the Microsoft EDGE web browser DNS settings. When you open Microsoft EDGE -> Settings -> search for "dns" -> look for "Use secure DNS to specify how to lookup the network address for websites". By default the setting is "Use current service provider". To solve the case and have the internet connection while on Azure VPN, select "Choose a service provider", click in the empty field below and select e.g. "Cloudflare (1.1.1.1)". It will appear as "https://chrome.cloudflare-dns.com/dns-query". Screens attached. Then restart the web browser - Microsoft Edge - and the internet will start to work right away.

    [Screenshots attached: 20241105 edge dns1, 20241105 edge dns2]

    Security info: In this setup, Cloudflare DNS is used to resolve your DNS queries. If you do not want to do that, try with your own DNS servers or any other DNS you prefer in this step.

    NOTE: If this helps you, feel free to leave a short comment or just share this with others that have such an issue.

    In case of questions feel free to let me know via comments as well.

    Best regards,

    Tomasz Wieczorkowski

