I have two vnets in Azure: vnet-hub and vnet-spoke . vnet-hub has a virtual network gateway and a VM: vm-hub . vnet-spoke has a VM: vm-spoke . The vnets are peered and configured to allow access to each other and vnet-spoke allows the gateway in vnet-hub to forward traffic to it. Neither VM has a public IP address. Windows Firewall is turned off on both VMs. When connected to the VPN I can establish an RDP connection to vm-hub using its private IP address, but not to vm-spoke . I can also establish an RDP connection from vm-hub to vm-spoke . Why can't I connect directly to vm-spoke , please?

Hello @Ben McFadden , Thanks for reaching out to Microsoft Q and A platform. I understand that you unable to Access the Spoke Vnet from on premise, could you please verify the following steps? Please check the NSG of the incoming traffic on the Spoke Vnet or the VM. They must allow your on-premise. Try to enable the Psping from on premise to spoke VM, this error message would give you more about the reachability. Make sure to Add the Route to the Spoke Vnets on the On-premise side, so that it knows where to forward the traffic when reach the Spoke. Please do analyze the Effective Routes on the Spoke VM NIC, which would confirm what route it takes for the On-premise Address Range. If these routes are configured correctly, then your troubleshooting must be with On-premise Firewall and Route. Regards, Priya Kumar.

Hi @ Ben McFadden , do you added a route in your on-premises network pointing to the vnet-spoke? If you take a look in the routing table of your on-premises device is there a route to the vnet-spoke? Kind regards Andreas Baumgarten

Why can't I access my VM in a peered vnet over VPN?

Accepted answer

Priya Kumar 1,096 Reputation points Microsoft Employee

2024-01-17T07:29:03.5733333+00:00
Hello @Ben McFadden ,

Thanks for reaching out to Microsoft Q and A platform.

I understand that you unable to Access the Spoke Vnet from on premise, could you please verify the following steps?

Please check the NSG of the incoming traffic on the Spoke Vnet or the VM. They must allow your on-premise.

Try to enable the Psping from on premise to spoke VM, this error message would give you more about the reachability.

Make sure to Add the Route to the Spoke Vnets on the On-premise side, so that it knows where to forward the traffic when reach the Spoke.

Please do analyze the Effective Routes on the Spoke VM NIC, which would confirm what route it takes for the On-premise Address Range.

If these routes are configured correctly, then your troubleshooting must be with On-premise Firewall and Route.

Regards, Priya Kumar.
Please sign in to rate this answer.
Ben McFadden 31 Reputation points

2024-01-17T08:11:59.1866667+00:00

Hi @Priya Kumar

Thanks for your reply.

Here are my responses to your points.

There is no NSG on the spoke vnet and I have removed the NSG that was on the VM to no avail.

I'm using a Mac and don't have access to a Windows machine, so I can't use PsPing.

The routes appear to be configured correctly. The VPN client that I've downloaded from the gateway's P2S config page shows the routes correctly as far as I can tell. When I set up a new test spoke vnet and VM everything worked as it should.

I'm not sure how to interpret the effective routes table, so I'll do some research on this.

There is no on-prem firewall. And as per point 3, when I set up a new test spoke vnet and VM everything worked as it should, so I'm confident the problem is on Azure's side.

Priya Kumar 1,096 Reputation points Microsoft Employee

2024-01-17T08:22:45.7733333+00:00

@Ben McFadden ,

Please do refer the link: NIC Effective Route

Please verify the Route from "Working" and "Non working" Spoke VM's.

Also, have you downloaded the Generic File first and then created the Old Peering? If so then again Download the New Generic from Portal and Install the Client on MAC.

Regards, Priya Kumar

Ben McFadden 31 Reputation points

2024-01-18T00:16:45.23+00:00

Thanks, @Priya Kumar. I've created a new test spoke vnet and VM and compared the effective routes with those of the non-working VM and found that the non-working VM is missing an entry for the virtual network gateway. Do you know how I might resolve this, please?

Ben McFadden 31 Reputation points

2024-01-18T00:26:53.3366667+00:00

Thanks again, @Priya Kumar. I've managed to resolve the problem by creating a new route table, adding the appropriate route and associating the table to the appropriate subnet. But I'd love to understand why I had to do this. Why was it necessary for this vnet and not the test vnets I created? If you could shed any light, I'd appreciate it.

Priya Kumar 1,096 Reputation points Microsoft Employee

2024-01-18T05:03:17.82+00:00

@Ben McFadden Glad you would able to resolve. If the issue got resolved when you added the Route Table, then am sure there would have been an BGP or Expressroute connection to this Vnet, which was overriding the VPN route added on "Use remote Gateway".

Please do check from that perspective.

If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:

User-defined route

BGP route

System route

Route Preference in VNet

Regards, Priya Kumar
Sign in to comment

Share via

Why can't I access my VM in a peered vnet over VPN?

1 additional answer