Hi. With a lot of help from @GitaraniSharma-MSFT I have managed to configure a point to site azure vpn gateway/connection. I have connected the gateway to the vnet our users needed access to. Now, come to find out, there is another vnet that users needs access to, except it's just one machine. My question is, can I add another vnet in a different resource group to my already configured point to site configuration? Here is the best I can draw without any tools! lol Current situation using azure private ip: laptop ----Point to site VPN gateway1 connection--------vnet1 Desired situation using azure private ip: laptop------Point to site vpn gateway1 connection------vnet1-------vnet2 OR single VM within vnet2 So, once I'm connected to my vpn gateway1 connection , I also want to be able to connect to vnet1 AND vnet 2 using the same vpngateway1. Suggestions on how to accomplish this? I was thinking a vnet to vnet gateway between vnet1 and vnet2. Will that allow me to get to my resource on vnet2 through the original point to site connection currently in use? Thanks in advance! Sharyn

It should be enough to just create a peering between vnet 1 and vnet 2. In the configuration of the peering you can choose to allow vnet 2 to use the gateway in vnet 1, and unless you have created an alternative route in vnet 2 (which i assume you haven't) then that should pretty much work out of the box

Adding another vnet to a point to site vpn connection already configured

Accepted answer

Martin Meiner Tästensen 456 Reputation points

2022-04-12T18:55:23.623+00:00

It should be enough to just create a peering between vnet 1 and vnet 2.

In the configuration of the peering you can choose to allow vnet 2 to use the gateway in vnet 1, and unless you have created an alternative route in vnet 2 (which i assume you haven't) then that should pretty much work out of the box
Please sign in to rate this answer.
Sharyn Schmidt 241 Reputation points

2022-04-12T19:04:12.867+00:00

Thank you. Now I have a new, different requirement.

My boss just advised that he DOESN'T want users in vnet2 to have access to stuff in vnet1 and visa versa.

So, would I just configure another point to site connection for vnet2?

gateway1 for vnet1
gateway 2 for vnet2

no connection/access to vnet2 when vpn'd in to vnet1

no connection/access to vnet 1 when vpn'd in to vnet2

Thanks in advance.
Sharyn

Martin Meiner Tästensen 456 Reputation points

2022-04-12T19:24:48.883+00:00

Well, you are working towards a hub-spoke here.

Usually, you would create a HUB, that would handle the traffic to S2S or P2S connections, and then attach spokes as needed.

I would suspect you can archieve your goal by adding a NSG and remove the allow virtual network rule from it, and then only allow the addresses that are allowed to connect.

So, create a NSG and attach to the used subnet on VNET 1 and create a second NSG and attach to the subnet in VNET 2. In these NSG's, remove the default virtual network allow rule, and create the needed rules manually, and then create the peering between vnet 1 and vnet 2, where vnet 2 are allowed to use vnet 1 gateway as a gateway.

Disclaimer though, I have not tried that solution, but it should work and would still only require one gateway. But you would not be able to decide which user can connect to the VM in vnet 1 and which users can connect to the vnet 2 VM. You would only be able to distinguish trafic based on IP scope/address

Sharyn Schmidt 241 Reputation points

2022-04-12T20:43:30.047+00:00

Putting that thought aside for a minute, can I create 2 different point to site vpn connections , one going exclusively to vnet (which I already have), and one going to vnet2. The plan is to distribute the client xml to gateway1 to those users that need the vms in vnet1 and then gateway2 xml client config to users needing access to vnet2.

We are only talking about 2 users going to vnet2, everyone else goes to vnet 1.

Martin Meiner Tästensen 456 Reputation points

2022-04-12T20:58:48.66+00:00

Yes, but not in the same gateway.

So you would have to create a new gateway for vnet2, and configure that like you did for vnet 1. This does of cause require that you expand the ip scope in vnet 2, to be able to add the gateway subnet to that one aswell. But there is no technical reason why you can't create multiple vpn gateways.

You are paying by the hour for the gateway, so if you have 1 or 6 users doesen't really change that much (except the required SKU)

Sharyn Schmidt 241 Reputation points

2022-04-12T21:40:31.373+00:00

Thank you!

Lots of good ideas. I appreciate it!

Sharyn Schmidt 241 Reputation points

2022-04-13T11:42:14.383+00:00

One more question on this.....

Is there a way to clone my current gateway on vnet1, rename it, change the destination vnet and not have to fill out all that other stuff? Mostly I'm trying to skip having to copy and paste the tenant ID and the other things..issuer, etc

Martin Meiner Tästensen 456 Reputation points

2022-04-13T12:00:23.3+00:00

Well, that depends on which part of the configuration you wish to clone.

You get some of it provided by Azure. If you find the current Gateway, and in the left pane fint "export template", you would get some of it. I'm not sure if you will really save that much time in this case though, but there is no punishment for trying :-)

Sharyn Schmidt 241 Reputation points

2022-04-13T16:04:50.757+00:00

Hi.
I lied, This is not my last question but I may be in the wrong forum for this.

The vnet that I'm trying to use for gateway2 to vnet2 has a mask of 24. I have 2 vms in that resource group that need this gateway2 access. I can't change the private IPs of either of the 2 machines due to other software being configured to use the private IPs of those vms.

I can't configure another subnet for gateway subnet in vnet 2 since the subnet configured also has a mask of 24.

If I set up a new vnet and move the resources, the internal IPs are going to change.

So basically, the issue is that I need a vpn gateway to a vnet that has all useable IPs configured in a single /24 subnet and I can't change the private IPs.

Can I create an empty vnet, set up the vpn gateway, and give that empty vnet access to vnet2, the one that has no usable IP addresses in it?

Can I move the resources (there is a lot of stuff in there) to something else temporarily (like an hour), delete vnet2 and recreate it using the same address pool except for subnetting the vnet into blocks of useable IPs? I am at a loss.

Martin Meiner Tästensen 456 Reputation points

2022-04-13T16:11:46.443+00:00

The answer to the question is way more simple than you fear :)

Open your current vnet2, find address space, this is the entire vnet scope. here, you can simply add another scope, so if you use a /24 you can simply add another one there.

When you have added the scope to the vnet, create the new gateway, and it will find a "spot" for the gateway subnet, and you should be flying. Internally it will create all the required routing, so it's pretty much a "click-click-finish" solution to that problem.

ps. if my answers helped you, i would appreciate it if you marked is as "answer" :)

Sharyn Schmidt 241 Reputation points

2022-04-13T16:25:51.847+00:00

This sounded really easy but I'm getting an error about not being able to add additional address space to a vnet (vnet2) that has peerings. Our virtual meraki vpn concentrator is peered with the vnet1 and vnet2 with a site to site vpn connection from our corporate office to azure. Those folks who work in the office and are connected to our corporate network are able to just access any of the resources without remoting in to anything. Those that sometimes work from home, vpn into our on prem meraki and are routed thru our site to site vpn tunnel to the virtual meraki which is in turn peered with vnet 1 and 2. The virtual meraki sits in vnet 3.

I can't unpeer it but azure won't allow me to add additional address space to vnet2 because it's peered.

That was a great suggestion, now what?

Sharyn Schmidt 241 Reputation points

2022-04-13T16:40:56.587+00:00

Here is the error:

Martin Meiner Tästensen 456 Reputation points

2022-04-13T17:45:14.877+00:00

Well, that changes quite a few things.

So, just to clarify, there is a network topology in place, that corporate is responsible for? If yes, then there are a few things you need to verify, it's not nessesarily an issue, but there can be parts of the configuration that we can't control.

So, as a workaround to this, you can create a new VNET. You do not need to move ressources, that's not nessesary. the new vnet must have an unused IP scope that is not used in the current topology, you might have to verify this with corporate.

But first things first - and this is a requirement, you need to find the routing table. We need to know what traffic is routed through this meraki and what traffic is not. Please find vnet 2, open the subnet page, and look to the right. You will find a user defined route. You have to verify the configuration of this, and potentially add a route there. But first, please find the routes in that. I need to know these, you can annonomize the scope, but i need to know what has been created to know what can be done.

If the UDR allows it, we can create a new vnet and pair vnet 2 with this vnet, and then create a gatway in this new vnet. So it's not impossible yet, but it got a bit more complicated.

Are there any specific reasons why you can't use the same solution for the Client VPN as they do in corporate? VPN to the on-prem meraki, and use the site-to-site connection to reach the Azure ressources?

Sharyn Schmidt 241 Reputation points

2022-04-13T18:21:01.55+00:00

The folks accessing the azure vpn gateways to vnet1 and vnet are not employees. They are 3rd party vendors and should not have access to our corporate vpn or have the freedom to go where ever they want in Azure. That's why we need these vpn gateways. The vendors that need access to vnet1 will be given the client xml for gateway1. The vendors that need access to vnet2 will be given the client xml for vnet2.

I'm part of corporate, I just don't normally work from the office. I can do whatever needs to be done as long as I don't break production routes. I had an azure and meraki tech on the phone at the same time helping me to set this up 2 years ago when I knew nothing about Azure. I know enough now to be dangerous! Vnet3, where the meraki resides has vnet peerings to both vnet1 and vnet2. Vnet1 and Vnet 2 each have their own routing table allowing traffic back and forth from the vnets back to the meraki, then it gets routed down our vpn tunnel back to corporate.

Sharyn Schmidt 241 Reputation points

2022-04-13T18:21:23.433+00:00

So, we are trying to create different types of access, specific vendors for vnet1 coming from the outside in, specific vendors for vnet2 also coming in from the outside, then employees in corporate who work in the office and employees who work remotely from home (me and some others) have access to all resources in Azure, via the site to site always up tunnel, either connected directly to the corporate network or vpn'd in via our on prem meraki

I can easilly verify /create another vnet, our Azure network is not that big and I'm the one that created the vnets originally. And yes, it was very shortsighted of me to give vnet2 the entire range of Ips rather than subnetting them like I shouldve.

Martin Meiner Tästensen 456 Reputation points

2022-04-13T18:43:57.62+00:00

There can be many reasons why you would use the scope, or subnet like that, so i won't call it shortsighted.

But just to clarify. If there are routes from Azure to your meraki firewall which then forwards to corporate. Then the ressources in VNET1 and VNET2 will have access to these ressources. So even if they connect through a azure VPN gateway, and from there are limited to only connect to those vnet's, nothing will block them from using a ressource in those vnet's to connect to your on-prem environment.

But if you have access to the UDR, all you have to do know is create a new VNET, ensure that the network is not used elsewhere in your environment. Create the VPN gateway, peer VNET 2 and the new VNET. Change the UDR, so it will route traffic to the new IP scope microsoft backbone. And you will now have access. The new UDR will have priority over the expected 0.0.0.0 route, so that should be just fine.

I'm not judging or saying you aren't part of corporate, i just wish to ensure that noone does something that can compromise their own position in the company or the security of the specific company.

Sharyn Schmidt 241 Reputation points

2022-04-15T17:28:01.13+00:00

Hi.

I have totally hosed my connection internally and externally to vnet1 from gateway1.

I set up a 2nd gateway to vnet2, using a vnet (vnet3) created specifically for vnet2 gateway access. I peered vnet3 to vnet2 but that didnt work as far as being able to go to any resources.

Now, for whattever reason, I cant access anything on vnet1 using gateway1.

Worse, I cant access the resource on vnet1 that started all this gateway stuff, even goin thru my internal corp to azure tunnel.

I'm like totally hosed here. I deleted the peerings from vnet3 to vnet2 and deleted gateway2. I didn't change anything on gateway1 or vnet1 but something changed and I can't access vnet1 resource, not even with the public IP.

Any suggestions? At this point Id be happy just to regain RDP access to the vm in vnet1 that I did have access too. This was all working fine yesterday until this morning when I set up gateway2 to go to vnet2.

Martin Meiner Tästensen 456 Reputation points

2022-04-15T18:30:24.207+00:00

You have to elaborate on that one.

So you didn't change vnet1 or gateway1, and now it stopped working, after you created vnet3 and peered them.

I would expect it to be a client error, so I would suggest that you look at your client configuration, best guess is that something got mixed up there.

But to clarify. Gateway1 is a total seperate ressource, with it's own public IP and configuration. You can't break it by changing or building a ressource anywhere else in Azure.

Sharyn Schmidt 241 Reputation points

2022-04-15T19:16:35.42+00:00

Apparantly I broke the resource (VM). I rebooted it and it's fine now.

Let's move on to gateway2 which has to be recreated. The first time I tried connecting to gateway2 it connected fine but I couldn't get to any resource on vnet 2.

So here is what I did..unfortunately I cant fit the whole post or it whines about me having too many characters

I created a new vnet with 10.0.12.0/24. I subnetted that vnet (vnet3) for gateway2, 10.0.12.0/27. I installed and configured gateway2 and I gave it a block of client IPs that werent being used anywhere else. I connected to the gateway and saw that the vnet and client IP I received were what I had configured. I have no resources but the gateway in vnet3, that vnet was created just to house the gateway.

From there, I peered vnet3 with vnet2 but still couldnt connect to anything in vnet2 using gateway2. What did I miss? I have a few routing tables connected to vnet2 , and an nsg. The nsg is tied to the vnet2, not any specific machine and rdp is wide open so the nsg shouldn't have stopped me. Obviously I have missed something. The routing table all applies to the virtual Meraki. Gateway1 and vnet1 connected up right up once I got the client configuration correct. I was hoping that just peering vnet3 and vnet2 would take care of it but that is not the case.

Part2 coming....

Sharyn Schmidt 241 Reputation points

2022-04-15T19:18:07.22+00:00

Suggestions? I don't mind sending you the route tables but I'd just rather not post them on a public forum. The route tables all have to do with the Meraki. I have a route table attached to vnet1 and I didn't have an issue connecting to the resource in vnet1. I"m guessing the vnet peering is messing things up for vnet2 since the gateway is not in the same vnet as the resources. Is there any way to have the gateway connect to only 2 VMs in vnet2, rather than the whole vnet? Ideally that's what I would've liked for the vnet1 resource as well. But barring that, I need help apparently getting the gateway2 in vnet3 able to connect to the 2 resources I need in vnet2.

Thanks for any help you can provide

Sharyn

Martin Meiner Tästensen 456 Reputation points

2022-04-15T19:33:08.327+00:00

Well, firstly, we have to work with the info we can get.

Please open the routing table for vnet2, find the menu named "Effective routes", choose the subnet and NIC of the VM you have in that network.

It should show all routes that are active on the given NIC. Does it contain a route for 10.0.12.0/24? And if yes, is the status "Active"?

Next part, i suspect that you have a route for 0.0.0.0 for the Meraki firewall, but i have seen cases where all trafic is led that way. So can you confirm that the default rules are all there, except for the 0.0.0.0 rule for the meraki?

You should see rules for each of the peerings, so that should be something like:

Entry for peering to vnet 1 named "VNET peering" as next hop

Entry for peering to vnet 3 named "VNET peering" as next hop

Entry for 0.0.0.0 named Virtual appliance as next hop (i assume, i haven't configured a meraki firewall, but that's the way i would have done it)

Entry for <insert own ip scope here> to Virtual network

Do you see anything else than these?

Sharyn Schmidt 241 Reputation points

2022-04-15T20:50:07.72+00:00

Hi. Thanks for the response. I didn't know why all of a sudden I couldn't get into my resource on vnet1 so I DELETED everything having to do with gateway2 and vnet 3. The vpn gateway I have now that is working doesn't contain a peering. I will have to recreate the gateway2, vnet 3 where the gateway2, and the peering resided.

Ive got a hub and spoke configuration on the virtual meraki with a peering from vnet2 where the VM is located to vnetMeraki which sits on it's own vnet.

There is nothing for vnet3 because I deleted it. So here is what I have currently. There are IP address on the effective route table that I replaced with the vnet name for this post;

Default----->Active---->vnet2/24----->Virtual Network
Default----->Active---->vnetMeraki/28------->vnet peering
Default----->Active---->0.0.0.0/0-------------->Internet

Then I've got a bunch of user entries as opposed to default where the next hop is the virtual appliance (meraki)
All of these are routes back to corp thru the site to site vpn tunnel.........

Sharyn Schmidt 241 Reputation points

2022-04-15T20:50:45.307+00:00

So it sounds like i need to re create the vpn gateway2 and vnet3 and recheck this to see if the peering shows up on the nic of the resource. This is a great tool!

Let me go ahead and do that and confirm that the vnet peering shows up. I am going to peer vnet3 with vnet2 which is the vnet the vm I need this to work for is in.

I probably will not do this today, though, since it's Good FRiday but I"m pretty sure I'll have some time over the weekend.

Not sure if you check in over the weekend, but I'll send you a reply as soon as the vnet3 is recreated and peered

Sharyn Schmidt 241 Reputation points

2022-04-18T02:26:28.763+00:00

Hello! I am good to go with my routing, my vpn gateway, my peering, everything.

Everything is coming from and going to the places it's supposed to be, and coming back the same way it came in.

Thanks again for your help!

Martin Meiner Tästensen 456 Reputation points

2022-04-18T06:02:30.503+00:00

Great.

Sorry about the missing responses, but the last days around easter are days where we take time off in my country.

But glad you got it to work. Did you just configure it again and then it worked or did you change something?

Sharyn Schmidt 241 Reputation points

2022-04-18T14:23:05.843+00:00

I was very concerned about my traffic coming through the meraki to the resources would wind up going out the gateway vnet instead of back out the way it came in.

I over thought it like I normally do and wound up reconfiguring the peering many times until I discovered the troubleshooting tool in Azure that told me exactly what I had done wrong!

After that it worked fine.

Thanks for your help. I don't normally work on the weekends either so I didn't expect you were either, just hoping. No worries though, it's all good.
Sign in to comment

Share via

Adding another vnet to a point to site vpn connection already configured

0 additional answers