I'm working on my own learning/test environment, and have configured the VPN gateway to the point where I can successfully connect to it from an Azure-joined, logged-in workstation. However, I cannot ping or reach any resources across the VPN by IP. It's almost as if the gateway doesn't recognize that it's connected to the rest of the VNET/subnets. I've tried to research this issue, but there's nothing out there that says I need to tell the gateway what it can/can't route to within the VNET.
I currently have only two VNETs set up, one that was created for AADDS and one for everything else. That VNET has IPs set the following way:
Overall Address Space - 10.168.240.0/24
Production - 10.168.240.0/25
Development - 10.168.240/26
GatewaySubnet - 10.168.240.192/28
The production subnet has a storage account, with file shares set up. The storage account and file shares have permissions set on them so I'm allowed to access them. They are also set to allow all VNETs and all subnets to connect as selected networks. The storage account does have ADDS enabled. I haven't changed any settings on storage other than those listed so far. The storage account has a private endpoint of 10.168.240.6.
The gateway, in its "Properties" section, does list the subnet as GatewaySubnet (10.168.240.192/28). However, it is not listed as having any IP in that subnet in the virtual network/subnet view. The Point-to-Site configuration is set to use 10.168.241/24 as the address pool for connected clients, and it does give out an address there.
As I mentioned, the only glaring thing I can see is that in my VNET overview, I see the storage account as having an IP in the Production subnet (10.168.240.6), while the gateway is listed as having no IP but is correctly associated with GatewaySubnet (10.168.240.192/28).
In my on-prem networking experience, this whole scenario would point to the gateway not having an IP in the VNET as the problem, but I can't for the life of me figure out why. Either Azure doesn't assign it one/doesn't need one (?), or something else needs to be done? Or something completely unrelated to IP needs to be done to allow the gateway to pass traffic along to the other subnets?
I've used the Network Watcher topology report to see that, yes, the gateway is noted as being tied in to the overall VNET along with the other subnets. In my tests, the PC connected via P2S VPN can only ping the gateway's address inside the P2S pool, and NOTHING else. So I can ping 10.168.241.1 just fine. In the PC's configuration, it does list the Azure DNS starting with 168, but I can't ping that, nor can I ping the storage account's private endpoint on the production subnet.
Thoughts? I'm hoping I'm missing something silly.
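Before chasing routing or NSG settings, it is worth confirming that the address plan in a post like this is internally consistent, because Azure will refuse or silently mis-handle some of the combinations: every subnet must sit inside the VNet address space and must not overlap another subnet, the gateway subnet must be named exactly `GatewaySubnet` (Azure recommends /27 or larger), and the Point-to-Site client pool must not overlap the VNet address space. The checker below is an added example written for this page, not code from the original poster or from Azure. It is fed the values exactly as typed above, so the three-octet strings `10.168.240/26` and `10.168.241/24` are reported as malformed rather than guessed at; the fully-specified values used in the usage note (`10.168.240.128/26`, `10.168.240.192/27`, `10.168.241.0/24`) are assumptions, not something the post states.

```python
import ipaddress

# Azure recommends a GatewaySubnet of /27 or larger; smaller subnets deploy but
# limit which gateway SKUs and features can be used. The name must be exactly
# "GatewaySubnet" for the VPN gateway to bind to it.
RECOMMENDED_GATEWAY_PREFIXLEN = 27


def parse_cidr(text):
    """Return an IPv4Network for a strict CIDR string, or None if the string is
    malformed (missing octet, host bits set in the prefix, and so on)."""
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError:
        return None


def check_plan(address_space, subnets, p2s_pool, private_endpoint_ips=()):
    """Validate a VNet address plan and return a list of findings.

    An empty list means the plan is internally consistent.
    subnets: {name: cidr}; p2s_pool: P2S client address pool CIDR;
    private_endpoint_ips: addresses that must fall inside one of the subnets.
    """
    findings = []
    space = parse_cidr(address_space)
    if space is None:
        return [f"address space {address_space!r} is not a valid CIDR"]

    parsed = {}
    for name, cidr in subnets.items():
        net = parse_cidr(cidr)
        if net is None:
            findings.append(f"{name}: {cidr!r} is not a valid CIDR")
            continue
        if not net.subnet_of(space):
            findings.append(f"{name}: {net} lies outside address space {space}")
        parsed[name] = net

    # Subnets within one VNet must not overlap each other.
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                findings.append(f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})")

    gw = parsed.get("GatewaySubnet")
    if gw is None:
        findings.append("no valid subnet named exactly 'GatewaySubnet'")
    elif gw.prefixlen > RECOMMENDED_GATEWAY_PREFIXLEN:
        findings.append(f"GatewaySubnet {gw} is smaller than the recommended /27")

    # Azure rejects a P2S client pool that overlaps the VNet address space.
    pool = parse_cidr(p2s_pool)
    if pool is None:
        findings.append(f"P2S pool {p2s_pool!r} is not a valid CIDR")
    elif pool.overlaps(space):
        findings.append(f"P2S pool {pool} overlaps VNet address space {space}")

    # A private endpoint's NIC must have an address inside one of the subnets.
    for ip_text in private_endpoint_ips:
        ip = ipaddress.ip_address(ip_text)
        if not any(ip in net for net in parsed.values()):
            findings.append(f"private endpoint {ip} is not inside any subnet")

    return findings


# Constructed input: the values exactly as typed in the post above.
POSTED_PLAN = dict(
    address_space="10.168.240.0/24",
    subnets={
        "Production": "10.168.240.0/25",
        "Development": "10.168.240/26",      # as written: only three octets
        "GatewaySubnet": "10.168.240.192/28",
    },
    p2s_pool="10.168.241/24",               # as written: only three octets
    private_endpoint_ips=["10.168.240.6"],
)

if __name__ == "__main__":
    for finding in check_plan(**POSTED_PLAN) or ["plan is consistent"]:
        print(finding)
```

Run against the posted values it reports three findings: the Development subnet and the P2S pool strings cannot be parsed, and the /28 GatewaySubnet is below the recommended /27; the private endpoint 10.168.240.6 does land inside Production. Re-running with the assumed fully-specified values (`Development` = `10.168.240.128/26`, `GatewaySubnet` = `10.168.240.192/27`, pool = `10.168.241.0/24`) returns no findings, which at least rules the address plan out as the cause.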