This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 10%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENS%3C/text%3E%3C/svg%3E)
I have a single VNet in Azure with the address space 10.2.0.0/16
It has 3 subnets,
GatewaySubnet: 10.2.2.0/28
Core: 10.2.1.0/24
VirtualDesktops: 10.2.3.0/24
I have an on prem network that is connected with a S2S VPN using a route based virtual network gateway. The on prem network has an address space of 10.0.0.0/24 with a static route for all addresses in 10.2.0.0/16 to be sent over the VPN
If I create a VM in the Core subnet, I can RDP to it with its private IP address from my on prem system no problem. If I move that same VM into the VirtualDesktops subnet, I can't connect to it. If I spin up a new VM in that subnet I can't connect to it.
There are no NSGs stopping traffic. I even created one that allows everything from 10.0.0.0/24 to 10.2.3.0/24 in case something was being blocked.
I thought that all subnets could communicate with each other by default. Is there something I'm missing to communicate with the VirtualDesktops subnet?
Thanks
Update: If I RDP into the system on the Core subnet, I can RDP into the system on the VirtualMachines subnet from that machine.
Have you tried to reset the tunnel ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 36%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Nick Sutton Can you try to enable the option - UsePolicyBasedTrafficSelectors** to "True"?
($True/$False; Optional, default $False if not specified)
Setting "UsePolicyBasedTrafficSelectors" to $True on a connection will configure the Azure VPN gateway to connect to policy-based VPN firewall on premises. If you enable PolicyBasedTrafficSelectors, you need to ensure your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:
10.1.0.0/16 <====> 192.168.0.0/16
10.1.0.0/16 <====> 172.16.0.0/16
10.2.0.0/16 <====> 192.168.0.0/16
10.2.0.0/16 <====> 172.16.0.0/16
For more information regarding policy-based traffic selectors, see Connect multiple on-premises policy-based VPN devices.Hope this helps.
Thanks for the tip. That didn't work though.
I gave that a go but no joy. My layout is only one VNet to one on-prem network. My layout is as below. I can connect from on-prem to Core, but not on-prem to VirtualDesktops
Sorry, this was user error. While I did have a static route setup correctly for the entire address space, the firewall policy rule was only applying to 10.2.1.0/24. I changed it to the entire address space and, as expected, all is fine.
Thanks for the tips.