Question

Asked by NickSutton-5470

Access one subnet but not another from on-prem

I have a single VNet in Azure with the address space 10.2.0.0/16

It has 3 subnets:
GatewaySubnet: 10.2.2.0/28
Core: 10.2.1.0/24
VirtualDesktops: 10.2.3.0/24

I have an on-prem network that is connected with a S2S VPN using a route-based virtual network gateway. The on-prem network has an address space of 10.0.0.0/24 with a static route for all addresses in 10.2.0.0/16 to be sent over the VPN.

If I create a VM in the Core subnet, I can RDP to it with its private IP address from my on-prem system no problem. If I move that same VM into the VirtualDesktops subnet, I can't connect to it. If I spin up a new VM in that subnet I can't connect to it either.

There are no NSGs stopping traffic. I even created one that allows everything from 10.0.0.0/24 to 10.2.3.0/24 in case something was being blocked.

I thought that all subnets could communicate with each other by default. Is there something I'm missing to communicate with the VirtualDesktops subnet?

Thanks

Tags: remote-desktop-services, azure-vpn-gateway

@NickSutton-5470 Can you try to enable the option UsePolicyBasedTrafficSelectors and set it to "True"?
($True/$False; optional, default $False if not specified)

Setting "UsePolicyBasedTrafficSelectors" to $True on a connection will configure the Azure VPN gateway to connect to policy-based VPN firewall on premises. If you enable PolicyBasedTrafficSelectors, you need to ensure your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:

10.1.0.0/16 <====> 192.168.0.0/16
10.1.0.0/16 <====> 172.16.0.0/16
10.2.0.0/16 <====> 192.168.0.0/16
10.2.0.0/16 <====> 172.16.0.0/16

For more information regarding policy-based traffic selectors, see Connect multiple on-premises policy-based VPN devices. Hope this helps.


1 Vote 1 ·

I gave that a go but no joy. My layout is only one VNet to one on-prem network. My layout is as below. I can connect from on-prem to Core, but not from on-prem to VirtualDesktops.

[attachment: image.png, network layout diagram]


0 Votes 0 ·

Update: If I RDP into the system on the Core subnet, I can RDP into the system on the VirtualMachines subnet from that machine.

0 Votes 0 ·

Have you tried to reset the tunnel?

1 Vote 1 ·

Thanks for the tip. That didn't work though.

0 Votes 0 ·

1 Answer

Answered by NickSutton-5470 (1 Vote)

Sorry, this was user error. While I did have a static route set up correctly for the entire address space, the firewall policy rule was only applying to 10.2.1.0/24. I changed it to the entire address space and, as expected, all is fine.

Thanks for the tips.
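The root cause above (route covers 10.2.0.0/16, firewall policy covers only 10.2.1.0/24) and the traffic-selector combinations from the earlier comment are both easy to check mechanically. The following is an added example, not code from the thread or from Azure; the prefixes are copied from the posts, and the route/policy values are constructed to reproduce the described setup.

```python
from ipaddress import ip_network
from itertools import product

# Constructed from the thread: the on-prem static route sends the whole VNet
# space over the VPN, but the on-prem firewall policy only allowed Core.
VPN_ROUTE_PREFIXES = ["10.2.0.0/16"]
FIREWALL_POLICY_ALLOWED = ["10.2.1.0/24"]   # rule as it was (the user error)
FIREWALL_POLICY_FIXED = ["10.2.0.0/16"]     # rule after widening to the VNet space
VNET_SUBNETS = {
    "GatewaySubnet": "10.2.2.0/28",
    "Core": "10.2.1.0/24",
    "VirtualDesktops": "10.2.3.0/24",
}


def covered(prefix, allowed):
    """True if every address in `prefix` lies inside one of the `allowed` prefixes."""
    net = ip_network(prefix)
    return any(net.subnet_of(ip_network(a)) for a in allowed)


def unreachable_subnets(subnets, route_prefixes, policy_prefixes):
    """Subnets that the static route sends over the VPN but the firewall policy
    does not permit. Reachability needs BOTH the route and the policy to match,
    which is why Core worked while VirtualDesktops silently failed."""
    return sorted(
        name for name, cidr in subnets.items()
        if covered(cidr, route_prefixes) and not covered(cidr, policy_prefixes)
    )


def traffic_selectors(onprem_prefixes, vnet_prefixes):
    """Every on-prem <-> VNet prefix pair a policy-based device must define when
    UsePolicyBasedTrafficSelectors is enabled; any-to-any is not accepted."""
    return [(str(ip_network(o)), str(ip_network(v)))
            for o, v in product(onprem_prefixes, vnet_prefixes)]


if __name__ == "__main__":
    print("gaps with old policy:", unreachable_subnets(
        VNET_SUBNETS, VPN_ROUTE_PREFIXES, FIREWALL_POLICY_ALLOWED))
    print("gaps with fixed policy:", unreachable_subnets(
        VNET_SUBNETS, VPN_ROUTE_PREFIXES, FIREWALL_POLICY_FIXED))
    for pair in traffic_selectors(["10.1.0.0/16", "10.2.0.0/16"],
                                  ["192.168.0.0/16", "172.16.0.0/16"]):
        print("%s <====> %s" % pair)
```

Running it lists GatewaySubnet and VirtualDesktops as routed-but-blocked under the original policy and nothing under the fixed one, which matches the symptom in the question.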
