Can't reach Vnet using VPN gateway while peering is on - azure

Hello ,
I have 2 Vnets, a Vnet containing Vms (Private Vnet)
a Vnet containing an Aks Cluster (Private but the pod I want to use is public (exposed using LB))
to Connect to Vnet1 from my local I'm using a Vpn Gateway but when I added I Network peering betweeen Vnet1 & Vnet2 , Suddenly I can't reach my private vms even when im connected to the vpn
although the peering between Vnet1 & vnet2 Is working just fine
I can reach my private vms from aks pods
here is my vnets/subnets
GatewaySubnet 172.17.1.0/24
default 172.17.0.0/24
my vpn config :
point to site
Address pool 10.0.0.0/16
Tunnel type IKEv2 and OpenVPN(SSL)
Active-active mode : disabled
Gateway Private IPs : disabled
VPN type : Route Based
and here is my peering configuration :
I don't know what is causing this
I hope somebody can guide me to the right direction

the "aks" vnet has an address space of "10.0.0.0/8" that overlaps with the VPN's Point to Site VPN client address pool.
Changing the adress pool of your p2s config will solve your problem

Related

Azure AKS vnet to another vnet communication

We have managed AKS Cluster and it has a few applications PODS. In the same subscription, we have a few servers in the different Resource Group and different VNET. We have a requirement to happen a communication between these two VNET's. I have configured vnet peering between two VNET's but we can see that the communication is not happening.
When I add a rule like "Allow port 443 from all networks" on to the NSG of Virtual machines then everything works fine.
Troubleshooting steps are done.
VNET Peering
Got an API Server IP Address from the "kubeconfig" file and added in the NSG of VM's in a diff RG.
But did not resolve an issue. Could you please help me to fix the issue.
AKS Resources are behind the Internal Load Balancer, so peering did not help. I had to use the Public IP Address provisioned during the AKS Creation process in the NSG. After adding PIP(Available in MC_rg-*** resource group) everything started working.
I would suggest to try connecting the VNET's through VPN gateways .
From an Azure virtual network, connecting to another virtual network is essentially the same as connecting to an on premises network via site-to-site (S2S) VPN.
You will need to go through the below listed steps :
Create VNetA and VNetB and the Corresponding Local Networks.
Create the Dynamic Routing VPN Gateways for each virtual network.
Connect the VPN Gateways.
Please find the referred document for implementing the same solution I have mentioned above .
For more information on difference of vnet peering and vnet gateway you can refer this document.

Private endpoint with virtual network gateway

I want to make a Postgres DB available on-premise using a VPN / Virtual Network Gateway. I've created the Virtual Network Gateway with GatewaySubnet, the Local Network Gateway and the VPN Connection.
Now I want to create a private endpoint in the GatewaySubnet but I am getting the following errors:
Portal: "The selected subnet GatewaySubnet is restricted and cannot be used with a private endpoint"
or
ARM: "Subnet with name 'GatewaySubnet' can be used only for the Gateway resource."
Am I missing something? I thought the GatewaySubnet is exactly the Subnet that will be made accessible over the VPN?
The GatewaySubnet is a special subnet that contains the IP addresses that the virtual network gateway services use. Never deploy anything else (for example, additional VMs) to the gateway subnet. You can only leave it empty without any other resources deployed to this subnet.
When you deploy a VPN gateway in one Azure virtual network. With site-to-site VPN connection, all subnets in that VPN VNet could access the on-premise network because by default resources in all subnets in the same virtual network could communicate with each other. So you can deploy another subnet in the same VPN VNet used for your private endpoint.
See the diagram for using cases of Private Link for Azure Database for PostgreSQL

Question concerning forward traffic on Azure Virtual Networks

I have a routing problem which I am struggling to solve in the Azure cloud platform concerning traffic that needs to be routed from one vnet to another vnet via another vnet and two VPN tunnels.
Here is a description of the set-up:
I do have two Azure Virtual Networks (VNET1 and VNET2) that each one has its own route-based Azure VPN Gateway and one 3rd party virtual network (VNET3) which is connected to the first Azure virtual network VNTE1 via an IPsec VPN tunnel. Below are the address spaces of all 3 virtual networks.
VNET1 10.20.0.0/16 (Azure vnet)
VNET2 10.30.0.0/16 (Azure vnet)
VNET3 10.0.0.0/12 (3rd party vnet)
Here is what I can do:
The VNET1 is connected via an IPsec VPN tunnel with the VNET3. Thus I am able to ping from a VM in the VNET1 10.20.10.5 a VM in the VNET3 10.0.0.1 and they can ping me back.
The VNET1 is connected via an IPsec VPN tunnel with VNET2. Thus, I am able to ping from a VM in the VNET1 10.20.10.5 a VM in the VNET2 10.30.10.5
Here what i cannot do:
I cannot ping from a VM in the VNET2 10.30.10.5 the VM in VNET3 10.0.0.1.
Here is what I tried to do to solve the problem without any success so far:
My assumption is that the network VNET2 does not know how to route the traffic to the network VNET3. Thus, I created an Azure Route table and I assigned the route table to the subnet 10.30.10.0/24 and I created the rule that all the traffic to the network 10.0.0.0/12 should be routed to the VPN GateWay of the VNTE2. My expectation is that once the traffic will go to the GW it will reach the VNET1 which knows how to route it to the VNET3. This didn't work.
Although I think is not needed since VNET1 already knows how to route the traffic to the VNET3 I have also created a routing table for 10.0.0.0/12 similar to the one above. This didn't help either.
Am I missing a route somewhere, If so which rule and where? Or do I even need to have a VM acting as a router? (I hope not)
I think your issue is the limitation of Azure Virtual Gateway:
The on-premises networks connecting through policy-based VPN devices with this mechanism can only connect to the Azure virtual network; they cannot transit to other on-premises networks or virtual networks via the same Azure VPN gateway.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
So, even if you use the same VPN Gateway to connect with VNET 3 and VNET 2, by design VNET 3 and VNET 2 cannot communicate.
To resolve this issue, I recommend to use peering. Your configuration is similar to classic Hub-Spoke topology. Your VNET1 is Hub, VNET2 is Spoke, VNET3 is kind of "on-prem".
No changes needed to configuration between VNET1 and VNET3. You need to establish peering between VNET1 and VNET2 and backwards and apply following configuration:
Configure the peering connection in the hub to allow gateway transit.
Configure the peering connection in each spoke to use remote gateways.
Configure all peering connections to allow forwarded traffic.
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke
In this case, VNET3 will be able to communicate with HUB (VNET1) and all spokes (VNET2 and any others connected to VNET1). VNET2 can communication with HUB (VNET1) and on-prem (VNET3) when the tunnel is up.
Warning: Spokes are not able to communicate between each other without a forwarding gateway in HUB, i.e. if you add VNET4 with peering to and from VNET1, VNET4 will not able to ping VMs in VNET2. But they could communicate with HUB and on-prem without any additional appliances.

Virtual network peering connection azure

I have the following three virtual networks: - VNETa - VNETb - VNETc All the network traffic between the three virtual networks will be routed through VNET1a.
need to create the virtual networks, and then to ensure that all the Azure virtual machines can connect to other virtual machines by using their private IP address.
The solutions must NOT require any virtual gateways and must minimize the number of peerings. What should you do from the Azure portal before you configuring IP routing?
You could make peering between VNETa and VNETb, peering between VNETa and VNETc. Without a virtual network gateway and without a separate peering connection between those spokes VNETb and VNETc, to make the spoke connectivity, you need to deploy a virtual appliance as the hub in the network VNETa, then make two UDRs in each spoke VNets VNETb and VNETc to route traffic from one spoke network to another spoke network via NVA. In this scenario, you must configure the peering connections to allow forwarded traffic. see the explanation link.
For more details of UDR configuration, you could refer to this blog about Azure Networking - Hub-Spoke with NVA and Azure Firewall
The key to answering this question is to understand that the question is indicating that an IP routing solution will be configured after you have provisioned the necessary resources and configured appropriately: "...before you configure IP routing".
You do not need a gateway subnet or virtual gateways to implement a hub and spoke topology assuming that you are going to provision, for example, a VM with IP Forwarding enabled on the vNIC to act as a router.
Create your 3 subnets, in your example VNETa, VNETb and VNETc
From VNETa, create a peering with VNETb using the Resource Manager Deployment Model
Ensure "Allow forwarded traffic from VNETa to VNETb" is enabled
Repeat steps 2 & 3, substituting VNETb for VNETc
And that's it. Now when you configure IP routing you will provision a router VM or some other Network Virtual Appliance (NVA) in the hub network and create a Route Table for later application to VNETb and VNETc specifying the router VM's internal IP as the next hop.
Jamie.

Accessing resources from connected Azure VNETS via VPN

I have two virtual networks that each have their own virtual network gateway (VNET1 and VNET2). I have connected them with VNET to VNET connections. All resources in each VNET can see each other via PING as well as RDP so I know the VNET to VNET connection is working properly.
I also have a Point to Site configuration setup on VNET1 which allows me to VPN from my onsite premise. When I start up the VPN connection, I can see everything in VNET1, but I cannot see anything in the other VNET (VNET2).
Shouldn't I be able to see resources from both VNETs regardless of which VNET I've established my VPN connection with since they are connected to each other?
For your issue, you can use connect VNET1 to on-premise with VPN, and connect VNET1 to VNET2 with peering, but if you want to connet VNET2 from on-premise through VPN, you have to set up gateway transit in both VNET.
You can finish you work following the document Configure VPN gateway transit for virtual network peering and you will get what you want.

Resources