Hi there. I am new to Azure and I need some advice. I set up an Azure VM with Windows Server 2019 Datacenter. After deploying the VM I have the VM, a public IP, and a virtual network, called VNet1 (for example). Connecting to this VM via the public IP and with an all-open 3389 works fine. But of cource, I do not want to all-open this port to public internet! So I want to securely connect to this VM via RDP using an VPN. I used to "step-by-step-describtion" at https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal to set up the point-to-site-VPN With this tutorial I created a new virtual network called VNet2 and a virtual network gateway VNet2GW with a public IP VNet2GWpip. Everything worked fine, and now I can connect via VPN to the VNet2GWpip and then I have a local IP in the VNet2. But now the question: How can I make it work, that I now can connect to VM via RDP and the local IP in VNet1 from the VNet2. I set an inbound rule in the VM that says, that 3389 is open from VNet2 to local VM IP address in VNet1, but that does not work. Do I have to set up anything else? Where is the error? Thank you for any help oder advice Regards, Benjamin

If you deployed the VPN Gateway to a different VNET (not a requirement by the way) then you would need to peer the two VNETs together. Please see guide here: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering Once the two VNETs are peered they can talk to each other and you should be able to access your VM by its private IP address.

Secure Connect to Azure Vm via VPN and RDP

Accepted answer

Alan Kinane 16,786 Reputation points MVP

2021-10-14T13:20:17.29+00:00

If you deployed the VPN Gateway to a different VNET (not a requirement by the way) then you would need to peer the two VNETs together. Please see guide here: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

Once the two VNETs are peered they can talk to each other and you should be able to access your VM by its private IP address.
Please sign in to rate this answer.

1 person found this answer helpful.
Benjamin Stehle 21 Reputation points

2021-10-14T13:45:54.977+00:00

I was not able to add a Gateway to the first VNET ("VNet1")

I set up 2 Peerins - one from VNet1 to VNet2 und one from VNet2 to VNet1
But anyway I can´t "speak" from the VNet2 to the VNet1 - neither ping nor RDP.

Alan Kinane 16,786 Reputation points MVP

2021-10-14T13:53:13.613+00:00

I forgot to mention once you set up the peering you will need to download the VPN configuration file again as this will have been updated with the new routes required - see here: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multipeered

Benjamin Stehle 21 Reputation points

2021-10-14T14:01:26.283+00:00

Thank you for your hints and patience. Sadly it does not work. I deleted the VPN-settings from Windows VPN manager, than downloaded the VPN configuration file again, reinstalled it and connected to it. Still got the local IP in VNet2, but can´t "speak" to VNet1 neither via ping nor RDP :-(

Alan Kinane 16,786 Reputation points MVP

2021-10-14T14:10:08.17+00:00

If they are Windows VMs, just make sure it's not Windows Firewall or any installed Anti Virus software that is preventing access.

You should have been able to deploy a VPN gateway on VNet1. As long as the address space of the VNet is big enough to allow you to create a gateway subnet for the VPN gateway. Otherwise it might be worth deploying a temporary VM into VNet2 just to confirm the peering is working correctly.

Benjamin Stehle 21 Reputation points

2021-10-14T14:58:01.913+00:00

Now I was able to add a Gateway to the VNet1.
But when trying to save an address pool for the point-to-site-configuration, I get an error.

The VNet1 address range is 10.0.0.0/24
The address pool I try to save is 10.0.0.64/27

The error says:
Error saving the virtual network gateway "Gatewayname". Error: The VPN client address pool for the virtual network gateway overlaps with the virtual network address space. The overlapping address space prefixes are 10.0.0.0/24 and 10.0.0.64/27.

So how can I add an address ppol for the p2s connection within the VNet1 if I are not allowed to add an address pool within this range of VNet1?

Alan Kinane 16,786 Reputation points MVP

2021-10-14T15:05:23.383+00:00

Just use a different address space for the P2S connections such as 172.168.0.0/24. It does not need to be within the VNET address space and in fact this is not supported as you can see.

Benjamin Stehle 21 Reputation points

2021-10-14T15:20:53.657+00:00

It works. Thank you!!

But I still got one more problem:

I set up the Access control (IAM) and added a role assignment for my AAD user with Virtual Machine Administrator Login role.
With "all-open" 3389 port to the public internet I could open an RDP session and log on with my AAD-credentials.

But now - with only RDP open to VirtualNetwork, log on with AAD credentials failed.

Do I have to do something special to make this work?

Alan Kinane 16,786 Reputation points MVP

2021-10-14T15:25:34.813+00:00

The behaviour should be the same, are you connecting from a device that is registered or joined to the same AAD tenant?

See the below you might need to modify your RDP file to include the following lines:
username:s:.\AzureAD\YOURNAME@YOURDOMAIN.com
enablecredsspsupport:i:0
authentication level:i:2

https://www.hanselman.com/blog/how-to-remote-desktop-rdp-into-a-windows-10-azure-ad-joined-machine

Benjamin Stehle 21 Reputation points

2021-10-14T15:44:20.727+00:00

Thank you very much.
You helped me so much.

Alan Kinane 16,786 Reputation points MVP

2021-10-14T16:04:27.427+00:00

No problem, can you accept the answer so that others might find the same solution in future? Thanks.

Ian Williamson 1 Reputation point

2022-10-07T15:39:44.71+00:00

It does not need to be within the VNET address space

Alan, could you explain this a bit further? I seem to be seeing the opposite:

Thanks!
(PS: Wow, those gateway prices!)

Alan Kinane 16,786 Reputation points MVP

2022-10-07T16:16:19.34+00:00

The gateway subnet is part of your virtual network so this needs to be within the VNET address space. This is where the virtual network gateway goes. The P2S address range is just an IP address range for your VPN clients, it is not a subnet of your VNET but an assignment range for the clients.

Ian Williamson 1 Reputation point

2022-10-07T17:48:15.757+00:00

Thanks for solving my reading problem. :-)

To be clear about your original answer, can one just use the Vnet that gets created along with a VM (and its default subnet) rather than creating everything from scratch per the instructions: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal ?

Alan Kinane 16,786 Reputation points MVP

2022-10-10T08:15:27.067+00:00

Yes, you can use your existing VNET but just remember the VPN gateway needs its own dedicated subnet and this must be called GatewaySubnet so you will have to create this subnet on your existing VNET.

Ian Williamson 1 Reputation point

2022-10-19T13:16:39.773+00:00

For anyone having issues with using the default subnet, it may be covering the entire address range for the virtual network, leaving no room for the GatewaySubnet. As mentioned in the link I posted above, the solution is to add a range to the vnet - e.g. 10.0.240.0/24 so there is room for the gateway subnet.

Kasun Lokuliyana 2 Reputation points

2023-08-05T16:28:49.53+00:00

VNET1 nas VNET2 needs to be peered. It's not an optimal solution though. It's best to simoley create a point to site connection between the VNET1 and your computer.
Sign in to comment

Secure Connect to Azure Vm via VPN and RDP

0 additional answers