Cannot connect to Azure VPN Gateway via Private IP Address

Question

Cannot connect to Azure VPN Gateway via Private IP Address

Mandyam Bhoolokam Alwar Srinivas 0

Hello,

My goal is to connect to an Azure VPN Gateway through a private ip address.

For this, I have an instance of Azure VPN Gateway and I in the Settings > Configuration menu I have enabled the Gateway Private IPs option.

Screenshot 2023-12-20 at 16.32.13

Screenshot 2023-12-20 at 16.38.12

Now, in the Overview > Show More, I see that the VPN Gateway has an additional Private IP Address (10.2.1.6).

Screenshot 2023-12-20 at 16.36.21

I have also an instance of Windows VM running in the same VNET as the VPN Gateway. The VM itself has an ip address from the default subnet (10.2.0.4). As a first test, I tried to ping the private Ip address of the VPN gateway. Unfortunately this itself was unsuccessful.

vpn-gateway-private-ip-concept.drawio

What am I missing? Inputs are highly appreciated.

Is there any other way to use the private Ip address of the VPN gateway?

Crystal Lee Morgan 380 Reputation points

2023-12-20T18:22:46.6766667+00:00
@Mandyam Bhoolokam Alwar Srinivas

It seems that you are trying to connect to an Azure VPN Gateway through a private IP address 1. You have an instance of Azure VPN Gateway and have enabled the Gateway Private IPs option in the Settings > Configuration menu 1. You also have an instance of Windows VM running in the same VNET as the VPN Gateway, and the VM itself has an IP address from the default subnet (10.2.0.4) 1. However, when you tried to ping the private IP address of the VPN gateway, it was unsuccessful 1.

To connect to an Azure VPN Gateway through a private IP address, you need to configure the VPN Gateway to use a private IP address 2. You have already enabled the Gateway Private IPs option in the Settings > Configuration menu, which is the correct step 1. However, you also need to configure the routing table for the VNET to route traffic to the VPN Gateway through the private IP address 2. You can do this by adding a route to the routing table that specifies the private IP address of the VPN Gateway as the next hop 2.

Here are the steps to add a route to the routing table:

Open the Azure portal and navigate to the VNET that contains the VPN Gateway.

Click on the Subnets tab and select the GatewaySubnet.

Click on the Route table tab and click on the + Add button to add a new route table.

Enter a name for the route table and select the VNET that contains the VPN Gateway.

Click on the Routes tab and click on the + Add button to add a new route.

Enter a name for the route and specify the private IP address of the VPN Gateway as the next hop.

Click on the Save button to save the route.

After you have added the route to the routing table, you should be able to connect to the VPN Gateway through the private IP address 2.

I hope this helps you!
Mandyam Bhoolokam Alwar Srinivas 0 Reputation points

2023-12-21T19:12:32.3066667+00:00
Hello @Crystal Lee Morgan ,

Thank you very much for your response.

I did hopefully precisely as you said, unfortunately, still no luck. Please find below some screenshots about the configurations. Please let me know if I miss something.

I created a new route table as described here https://learn.microsoft.com/en-us/azure/virtual-network/manage-route-table.

Associated the GatewaySubnet with the route table.

Configured the route with the following configurations.

I am not sure if I have the right configuration for the Destination IP/CIDR as well as the Next hop address.

I also tried specifying the 10.2.0.0/24 (address range of default subnet) -> Did not work.

I tried associating the route to the default subnet instead of the GatewaySubnet. -> Did not work.

Still ping from the VM to the VPN Gateway is not working.
ChaitanyaNaykodi-MSFT 27,471 Reputation points Microsoft Employee Moderator

2024-01-04T16:34:57.82+00:00

@Mandyam Bhoolokam Alwar Srinivas

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

2 answers

Your answer

Crystal Lee Morgan 380 Reputation points

2023-12-20T18:22:46.6766667+00:00

@Mandyam Bhoolokam Alwar Srinivas

It seems that you are trying to connect to an Azure VPN Gateway through a private IP address 1. You have an instance of Azure VPN Gateway and have enabled the Gateway Private IPs option in the Settings > Configuration menu 1. You also have an instance of Windows VM running in the same VNET as the VPN Gateway, and the VM itself has an IP address from the default subnet (10.2.0.4) 1. However, when you tried to ping the private IP address of the VPN gateway, it was unsuccessful 1.

To connect to an Azure VPN Gateway through a private IP address, you need to configure the VPN Gateway to use a private IP address 2. You have already enabled the Gateway Private IPs option in the Settings > Configuration menu, which is the correct step 1. However, you also need to configure the routing table for the VNET to route traffic to the VPN Gateway through the private IP address 2. You can do this by adding a route to the routing table that specifies the private IP address of the VPN Gateway as the next hop 2.

Here are the steps to add a route to the routing table:

Open the Azure portal and navigate to the VNET that contains the VPN Gateway.

Click on the Subnets tab and select the GatewaySubnet.

Click on the Route table tab and click on the + Add button to add a new route table.

Enter a name for the route table and select the VNET that contains the VPN Gateway.

Click on the Routes tab and click on the + Add button to add a new route.

Enter a name for the route and specify the private IP address of the VPN Gateway as the next hop.

Click on the Save button to save the route.

After you have added the route to the routing table, you should be able to connect to the VPN Gateway through the private IP address 2.

I hope this helps you!
Mandyam Bhoolokam Alwar Srinivas 0 Reputation points

2023-12-21T19:12:32.3066667+00:00

Hello @Crystal Lee Morgan ,

Thank you very much for your response.

I did hopefully precisely as you said, unfortunately, still no luck. Please find below some screenshots about the configurations. Please let me know if I miss something.

I created a new route table as described here https://learn.microsoft.com/en-us/azure/virtual-network/manage-route-table.

Associated the GatewaySubnet with the route table.

Configured the route with the following configurations.

I am not sure if I have the right configuration for the Destination IP/CIDR as well as the Next hop address.

I also tried specifying the 10.2.0.0/24 (address range of default subnet) -> Did not work.

I tried associating the route to the default subnet instead of the GatewaySubnet. -> Did not work.

Still ping from the VM to the VPN Gateway is not working.
ChaitanyaNaykodi-MSFT 27,471 Reputation points Microsoft Employee Moderator

2024-01-04T16:34:57.82+00:00

@Mandyam Bhoolokam Alwar Srinivas

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Answer 1

msrini-MSFT 9,291 Microsoft Employee

Hi, Please make sure the VPN gateway the the VM from where you are trying the form the tunnel have IP connectivity. Also pinging the gateway private is not the right test. Can you try to do a NC to gateway private IP on port 179? Also make sure your NSG on the VM subnet is allowing this communication. And you don't need any UDR for this to work. Ideally I would suggest you to deploy this VM on a seperate vnet and peer them and then try to form the tunnel over private IP.

Answer 2

Tsvetomir Tsankov 0

The static route should be for BGP IP(/32) towards the Azure Virtual Gateway Private IP.

Share via

Cannot connect to Azure VPN Gateway via Private IP Address

2 answers

Your answer