GarrettWengreniuk-8767 avatar image
0 Votes"
GarrettWengreniuk-8767 asked GitaraniSharmaMSFT-4262 answered

Connect to on-premise servers via Azure VPN gateway via existing S2S connection

Hi All,

We presently have an Azure VPN that connects to our Azure-based infrastructure (10.3.x.x.), and a site-to-site VPN that connects back to our physical office (10.1.x.x). We're looking to replace our Remote Desktop Gateway at the physical office, and instead use the single VPN connection to access both IP ranges. Not sure if this is possible with Azure, so figured I'd ask the gurus here.

We already have connectivity from the Azure environment to the physical office via a Site to Site VPN, and that part works, so I think what I'm needing here is a way for the client machine to understand that the 10.1.x.x traffic should also be routed via the VPN and then use the existing tunnel. In case I explained that poorly, I can connect to the Azure VPN and onto a server in Azure (10.3.x.x), and then from there remote desktop to a machine at the physical office (10.1.x.x), but ideally I want to connect directly through the VPN without logging onto the Azure-based server.

Maybe not possible in Azure, but it would mean we only need a single VPN for our users so it's the ideal approach.

Anybody have experience with this, and if so, can you point me to any configuration docs / assistance?

Any insight / ideas / suggestions are appreciated.



· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hello @GarrettWengreniuk-8767 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Could you please provide a network diagram of your setup for more clarity?

I understand you have a site to site VPN connection between your on-premises (10.1.x.x) & Azure but then you say you have an Azure VPN that connects to Azure (10.3.x.x) - are you referring to Azure point to site VPN here?
Also, what is the VPN device in your on-premises that is connecting to Azure VPN gateway via the site to site connection?

The site to site VPN connection should be bi-directional which means both way traffic should go via that connection. I would need some more details on your setup for further discussion on this.


0 Votes 0 ·

Hi Gita,

Here's a very rough drawing -- it's a quite simple setup as it is now.

I or the users are the bottom right corner, using the Azure VPN client to connect to our Azure environment. I can login to servers using RDP in that environment from my laptop.

From the Azure environment, I can RDP to devices in the On-Premise environment (left side). But I cannot RDP to On-Premise servers from my laptop, as it doesn't seem I have a route from my laptop to the 10.1.1/24 devices via the Azure VPN.

So I think I have a route from the laptop to Azure, and Azure to On-Premise, but not Laptop (VPN) to On-Premise. I'm assuming there's a configuration or rule I'd need to add in Azure to add this route when a VPN user connects.

The device on the On-Premise side is a Sonicwall, and that S2S connection is working from Azure.

Let me know what else might help for information to assist.

Thanks in advance for your help!



0 Votes 0 ·
drawing1.png (43.7 KiB)

1 Answer

GitaraniSharmaMSFT-4262 avatar image
0 Votes"
GitaraniSharmaMSFT-4262 answered

Hello @GarrettWengreniuk-8767 ,

In order for you to be able to access your on-prem network (which is connected to Azure VPN by site to site connection) from your Point to site VPN client/laptop, your Site-to-Site VPN connection should be running BGP.

If your site to site connection between Azure and On-prem uses BGP, then you can just manually add the routes for your on-prem network to the Windows P2S client and will be able to access the on-prem network from your point to site connection/client. For non-windows clients, you do not need to add the manual routes as BGP is enough for the routes to be propagated.

To manually add the On-prem network route, you can browse to %AppData%\Microsoft\Network\Connections\Cm*yourGuid\routes.txt (C:\Users\userID\AppData\Roaming\Microsoft\Network\Connections\Cm*VPNGuid*\routes.txt)* in your client machine and add the route in this text file.

Please refer :

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.