NWR-8313 asked MarkDayton-8367 commented

On-prem network access to Azure nested VM via site-to-site VPN

Azure VM with a nested Hyper-V VM.
Site-to-site VPN established between the on-prem network and Azure.
The nested VM can access the internet, the Azure VM, and the on-prem network.
The Azure VM can communicate with the nested VM.
On-prem can access the Azure VM but cannot access the nested VM.

Configured the nested VM per: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/nested-virtualization

Tried some other RRAS and NAT configurations found online, to no avail.

However, we must be able to hit the nested VM from the on-prem network via the site-to-site VPN.

Please advise.


Tags: azure-vpn-gateway, azure-network-watcher

So, I added a NAT rule on the Hyper-V host and that is working, but I would like to ensure the network design is solid. I added an extra NIC to the Hyper-V host and have some Azure routes etc., and now I'm not sure I need all that. We need to finish testing in order to confirm this solution and go live, so a confirmation of the design would be excellent.

Please advise.

Hi NWR,

Are you able to explain what exactly you did to resolve this issue? I have the exact same issue as you... from the nested VM I can ping and access both the Azure VM/Hyper-V host and any on-prem (via S2S VPN) servers, but from the on-prem servers I can only reach the Azure VM/Hyper-V host and not the nested VM. I tried adding a NAT rule on the host to forward RDP to the nested VM and, funny enough, I'm able to access it externally (via public IP) but again not from the on-prem servers, which is weird...
Thank you.

Setup as per below:
- Azure VM/Hyper-V host (internal NAT, two NICs: NAT and LAN, RRAS, DHCP, etc.)
- Azure route tables for the nested VMs
- etc.
https://abouconde.com/2020/06/30/deploying-and-configuring-nested-virtualization-with-dv3-or-ev3-series-virtual-machine-in-azure/

Same scenario here... how did you get it working?

GitaraniSharmaMSFT-4262 answered GitaraniSharmaMSFT-4262 commented

Hello @NWR-8313 ,

By default, there is no inbound access from the Azure VNet to the VMs on the Hyper-V VM. In order to bridge the VMs on the Hyper-V VM to the Azure VNet, port forwarding on the Hyper-V VM's virtual switch is required. Hence, creating a NAT rule will make it work.
Please refer to: https://petri.com/create-nat-rules-hyper-v-nat-virtual-switch

AFAIK, this network design is apt.

Kindly let us know if you need any further assistance on this issue from our end.


Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
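The NAT the answer above describes, built with the in-box NetNat cmdlets on the Azure VM that runs the Hyper-V role, as an added PowerShell example that is not code from this thread or from the linked articles. The switch name, the 192.168.0.0/24 NAT subnet, the nested VM address, the external port and the on-prem prefix are all assumed values; the firewall rule is a defensive addition that scopes the forwarded port to the VPN address space, since the thread notes the same mapping also answers on the host's public IP.

```powershell
# Added example: inbound NAT from the Hyper-V host to a nested VM.
# Run in an elevated PowerShell session on the Azure VM that hosts Hyper-V.
# All addresses, names and ports below are assumed values for illustration.

$SwitchName   = 'NestedNAT'        # internal vSwitch and NAT object name (assumed)
$NatSubnet    = '192.168.0.0/24'   # NAT subnet behind the host (assumed)
$HostGateway  = '192.168.0.1'      # host-side address in that subnet (assumed)
$NestedVmIp   = '192.168.0.2'      # static address of the nested VM (assumed)
$OnPremPrefix = '10.10.0.0/16'     # address space reached over the S2S VPN (assumed)
$ExternalPort = 33389              # non-standard port exposed on the host (assumed)
$InternalPort = 3389               # RDP inside the nested VM

# 1. Internal vSwitch plus the host-side gateway address for the NAT subnet.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}
$ifIndex = (Get-NetAdapter -Name "vEthernet ($SwitchName)").ifIndex
if (-not (Get-NetIPAddress -InterfaceIndex $ifIndex -IPAddress $HostGateway -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -IPAddress $HostGateway -PrefixLength 24 -InterfaceIndex $ifIndex | Out-Null
}

# 2. NAT object: outbound traffic from the nested VM leaves via the host's Azure NIC.
if (-not (Get-NetNat -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-NetNat -Name $SwitchName -InternalIPInterfaceAddressPrefix $NatSubnet | Out-Null
}

# 3. Static inbound mapping: host:$ExternalPort -> nested VM:$InternalPort.
#    ExternalIPAddress 0.0.0.0 means every address the host owns, including the
#    VNet address that on-prem reaches over the S2S VPN.
Add-NetNatStaticMapping -NatName $SwitchName -Protocol TCP `
    -ExternalIPAddress 0.0.0.0 -ExternalPort $ExternalPort `
    -InternalIPAddress $NestedVmIp -InternalPort $InternalPort | Out-Null

# 4. The mapping answers to anyone who can reach the host, so admit the forwarded
#    port only from the VPN prefix. Using a port no other rule opens keeps this
#    scoped allow effective; the NSG on the host's Azure NIC should match it.
New-NetFirewallRule -DisplayName "NestedNAT $ExternalPort from on-prem only" `
    -Direction Inbound -Protocol TCP -LocalPort $ExternalPort `
    -RemoteAddress $OnPremPrefix -Action Allow | Out-Null

# 5. Show the resulting mapping so the design can be reviewed before go-live.
Get-NetNatStaticMapping -NatName $SwitchName |
    Format-Table NatName, Protocol, ExternalIPAddress, ExternalPort, InternalIPAddress, InternalPort
```

With this in place the nested VM's own default gateway must be $HostGateway, and on-prem connects to the host's VNet address on $ExternalPort rather than to the nested VM's address directly.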


Hello @NWR-8313 ,

Could you please provide an update on this post?

Kindly let us know if the above helps or you need further assistance on this issue.


Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.


Hello @NWR-8313 ,

Just checking in to see if the above answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Gita

NWR-8313 answered GitaraniSharmaMSFT-4262 commented

Hi Gita,

Thank you for the reply. I guess I was wondering if I absolutely need 2 NICs on the Hyper-V host along with adding RRAS with the manual routes and NATs, just to get to the guest VM via the NAT. However, allow me to review the Petri solution and I'll reply soon.


@NWR-8313 , thank you for the update. Will wait for your next response.


@NWR-8313 , just checking in to see if there is any update from your end regarding this issue.

Thanks!


Hello @NWR-8313 ,

Could you please provide an update on this post? We've not heard from you in some time and would like to know if you have any further questions.

Thanks,
Gita

MarkDayton-8367 answered MarkDayton-8367 commented

Hi all, I too have this issue. Everything is working great apart from being unable to access the nested VM from the on-prem network over the S2S VPN. I can ping on-prem from within the nested VM but cannot ping from on-prem to the nested VM. Any help or pointers to the NAT rule required would be a huge help. Thanks


Managed a workaround for this: on the Azure VM running the Hyper-V role (not nested), I have added the below.
I can then access the nested VM on whichever port from on-prem devices; not quite perfect, but it will do what I need.

netsh interface portproxy add v4tov4 listenaddress=<nat address> listenport=<random port> connectaddress=<nested vm address> connectport=<nested vm service port>
