On-prem network access to Azure nested VM via site-to-site VPN

NWR 1

Azure VM with nested hv vm.
Site-to-site VPN established between on-prem network and Azure.
Nested VM can access the internet, the Azure VM, and the on-prem network.
The Azure VM can communicate with the nested VM.
On-prem can access azure vm but cannot access nested vm.

Configured the nested VM per: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/nested-virtualization

Tried some other RRAS and NAT configurations found online, to no avail.

However, we must be able to hit the nested vm from the on-prem network via the site-to-site vpn.

Please advise.

NWR 1 Reputation point

2020-08-17T21:06:00.297+00:00

iSo, i added a nat rule on the hv host and that is working, but i would like to ensure the network design is solid, i added an extra nic to the hv host and have some azure routes etc. and now i'm not sure i need all that. we need to finish testing in order to confirm this solution and go live, so a confirmation of the design would be excellent.

please advise.
Marco Machado 1 Reputation point

2020-10-26T15:20:21.127+00:00

Hi NWR,

Are you able to explain what you exactly did to resolve this issue? I have the same exact issue as you... from the nested VM i can ping and access both the azurevm/hyperv host and any on-prem (via S2S vpn) servers but from the on-prem servers i can only reach the azurevm/hyperv host and not the nested VM. I tried adding a NAT rule on the host to forward RDP to the nest vm and funny enough I'm able to access it externally (via public ip) but again not from the on-prem servers which is weird...
Thank you.

Setup as per below.
AzureVM/HyperV (Internal NAT - two cards NAT&LAN - RRAS, DHCP etc,)
Azure Route Tables for Nested VMs
etc.
https://abouconde.com/2020/06/30/deploying-and-configuring-nested-virtualization-with-dv3-or-ev3-series-virtual-machine-in-azure/
Adam Badley 1 Reputation point

2021-06-30T15:05:03.723+00:00

Same scenario here...how did you get it working?

3 answers

GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee

2020-08-20T02:15:14.253+00:00

Hello @NWR ,

By default, there is no inbound access from the Azure Vnet to the VMs on the Hyper-V VM. In order to bridge the VMs on the Hyper-V VM to the Azure VNET, Port forwarding on the Hyper-V VM's virtual switch are required. Hence creating a NAT rule will make it work.
Please refer : https://petri.com/create-nat-rules-hyper-v-nat-virtual-switch

AFAIK, this network design is apt.

Kindly let us know if you need any further assistance on this issue from our end.

----------------------------------------------------------------------------------------------------------------

Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
Please sign in to rate this answer.
GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee

2020-08-21T05:27:30.277+00:00

Hello @NWR ,

Could you please provide an update on this post?

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee

2020-08-24T07:32:41.627+00:00

Hello @NWR ,

Just checking in to see if the above answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Gita

Chris H 0 Reputation points

2024-04-16T19:54:13.55+00:00

Need to have all traffic all ports flowing, NAT rules seem to only offer nat'ing one port at a time
Sign in to comment
NWR 1 Reputation point

2020-08-25T15:44:30.62+00:00

Hi Gita,

Thank you for the reply. I guess I was wondering if I absolutely need 2 nics on the hyper-v host along with adding RRAS with the manual routes and nats, just to get to the guest vm via the nat. However, allow me to review the petri solution and i'll reply soon.
Please sign in to rate this answer.
GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee

2020-08-28T07:20:10.917+00:00

@NWR , thank you for the update. Will wait for your next response.

GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee

2020-09-01T08:07:31.26+00:00

@NWR , just checking in to see if there is any update from your end regarding this issue.

Thanks!

GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee

2020-09-09T13:49:19.89+00:00

@NWR , just checking in to see if there is any update from your end regarding this issue.

Thanks!

GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee

2020-09-15T08:05:37.783+00:00

Hello @NWR ,

Could you please provide an update on this post? We've not heard from you in sometime and would like to know if you have any further questions.

Thanks,
Gita
Sign in to comment
Mark Dayton 1 Reputation point

2021-10-15T14:21:06.997+00:00

Hi all, i too have this issue. Everything is working great apart from unable to access nested vm from on-prem network over S2S vpn. Can ping on-prem from within nested VM but cannot ping from on-prem to nested vm. Any help on pointers to the NAT rule required would be a huge help. Thanks
Please sign in to rate this answer.
Mark Dayton 1 Reputation point

2021-10-17T16:28:02.91+00:00

Managed a workaround for this, on the Azure VM running the Hyper V role (not nested) have added the below.
I can then access the nested vm on whichever port from on-prem devices, not quite perfect but it will do what i need.

netsh interface portproxy add v4tov4 listenaddress=<nat address> listenport=<random port> connectaddress=<nested vm address> connectport=<nested vm service port>

BR 0 Reputation points

2024-04-05T20:33:21.1333333+00:00

Hi @Mark Dayton !
I have the exact same as @NWR described initially, but would like the onprem device to be able to reach the nested vm by using it's own ip (not the external nat ip).
Everything else is working but seems the onprem device is not aware of the azure route table somehow ?

Any tip is appreciated!
Sign in to comment