Latest Discussions
ExpressRoute Coexistence P2S
Hi, we have an IPVPN ExpressRoute connection back to our MPLS. We also have a central Internet breakout from our MPLS; it's quite small, only 300mb. We don't want to increase the bandwidth on that circuit, and at the moment it is getting a little overused by workers connecting to on-premise and Azure services via the client VPN they have. We want to look at the possibility of bringing up a P2S VPN in Azure that can also utilise the ExpressRoute for connectivity back down to the MPLS. We also have multiple VNGs set up that are linked to other Azure subs, and a spare VNG that has a larger GatewaySubnet than the others (/27). Has anyone successfully brought up another VNG in the same GatewaySubnet as an ExpressRoute VNG to allow P2S connections back either into the Azure environment or using the ExpressRoute back into an on-premise LAN (via the MPLS)? If you have, get in touch, because I'd like to know how you managed it. I have looked at Virtual WAN, but that would entail bringing down the current ER, which is a no-no at the moment. Thanks
Posted by Andyb_UK, Oct 16, 2025

Route metrics in Azure P2S VPN
We have the following setup in our environment: an Azure VPN Gateway; an S2S VPN between the gateway and our on-premise datacentre; and a P2S VPN between the gateway and clients. This P2S VPN is configured with AAD authentication, and the VPN profile is assigned to a client via Intune and an XML configuration. I have attached a stripped-down version of our .xml with information that is not sensitive (azurevpn.xml). It's in the zipped file. This setup is working fine overall; we add some routes to direct the traffic to the right place. We also have a management VPN deployed that some of our employees use to get access to our network equipment and other administrative devices. This is a Cisco AnyConnect VPN. When connected to both this VPN profile and the Azure VPN, it lets them traverse both the management net and the "customer" net and lets them query DNS in both nets. The AnyConnect VPN, just like the Azure VPN, has routes assigned to it; when connected, one of the routes gets assigned a metric of 35. When the P2S VPN is then connected, it assigns the metric 311 on the same route. 311 seems to be the "default" metric on the routes specified in our .xml. This causes the issues in our case, and we need to assign a metric lower than 35 to the P2S route. Is there any way to assign a metric to a route that we push with the .xml? According to the Microsoft Docs here https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-profile-intune, which links to this Docs page https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp, you are able to do this. However, if we try to add, for example, "<metric>25</metric>" to the xml, this gets ignored on the client. I have attached a section of the AzureVpnCxn.log, stripped of sensitive information, where this can be seen. Please advise.
Posted by Kent-Agent, Oct 16, 2025

Routing table
Hello, I have a virtual network with 192.168.0.0/24. In the virtual network is a firewall with 192.168.0.5. Now I want to route any outgoing traffic on the virtual network through the firewall. If I create a rule 0.0.0.0/0 to 192.168.0.5, the internal devices cannot reach each other. What is the best way to set the routing rules here? Greetings and thanks, Stefan
Posted by StefanKi, Oct 15, 2025

VM with two NICs
Hi, I have a use case for Azure VMs to separate management and application traffic. So in effect, one NIC for management and another for application. The application VMs would reside on VNet-A and the management network would reside on VNet-B. My understanding is that Azure VMs can have multiple NICs, but they need to belong to the same VNet. The rationale behind this is most likely how the existing application is implemented in a traditional data center; however, my understanding is that in public cloud there is no IP layer 2 functionality. Therefore I was wondering how we overcome such a requirement in respect to security?
Posted by miksingh, Oct 15, 2025

Site to Site VPN failed for no reason, cannot re-establish connection
Hi all, this is basically as simple as the title suggests. Since last Friday, a site-to-site VPN connection has ceased working for no visible reason. There have been no changes to the Azure config or the local network. Using our local SonicWall, we can see traffic attempting the IKE negotiation, but then the remote party times out. Azure says that the VPN gateway is not publicly visible, but it is, from various places I have tested; only Azure is at fault. I have deleted and recreated the local gateway and connection within our Azure tenancy, and updated the pre-shared IKE passphrase locally, in essence to try to recreate the connection from scratch, but this is not working.
Posted by Rouse-DB, Oct 11, 2025

VPN Gateway - Why is the RADIUS secret in plain text?
Hello, I'm curious as to why the RADIUS secret for the VPN Gateway in a point-to-site configuration is in plain text in the browser even after saving. Is this by design, and if so, is it possible to reference an Azure Key Vault to pull the RADIUS secret?
Posted by kdjones03, Oct 11, 2025

Please clarify the required certificates for a P2S connection in Azure
Hi, for a Point-to-Site connection in Azure, certificates from Windows are exported. Depending on the Windows system, I have seen different situations in certmgr.msc, as below (screenshots: 1st Windows system, 2nd Windows system, 3rd Windows system). Please let me know which certificates we need to export in certmgr.msc. If we need to export a Personal certificate, what do I need to do if no certificates are showing, or other certificates (like Adobe) are showing, under Personal? Please clarify with additional required information. We'll be thankful for your assistance. With Regards, NndnG
Posted by NndnG, Oct 10, 2025

Front Door with Private Link service
Has anyone successfully used Front Door with Private Link service? I have a typical setup: a VM with only a private interface running IIS. In the same subnet as the VM, I created an internal load balancer. In Front Door (Premium), I created the site, and the origin has the private link service enabled and approved. However, I can't reach the site through Front Door no matter what, though I can hit the load balancer directly and show the page without issue. One question I have is, in the Front Door origin --> Host Name, what do you use there? Is that the private IP of the load balancer, or the Front Door URL, or the custom URL for the site? Can't seem to find a clear document that has some details on this.
Posted by PerhapsCloud, Oct 10, 2025

Azure traffic to storage account
Hello, I've set up a storage account in Tenant A, located in the AUEast region, with public access. I also created a VM in Tenant B, in the same region (AUEast). I'm able to use IP whitelisting on the storage account in Tenant A to allow traffic only from the VM in Tenant B. However, in the App Insights logs, the traffic appears as 10.X.X.X, likely because the VM is in the same region. I'm unsure why the public IP isn't reflected in the logs. Moreover, I am not sure about this part: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security-limitations#:~:text=You%20can%27t%20use%20IP%20network%20rules%20to%20restrict%20access%20to%20clients%20in%20the%20same%20Azure%20region%20as%20the%20storage%20account.%20IP%20network%20rules%20have%20no%20effect%20on%20requests%20that%20originate%20from%20the%20same%20Azure%20region%20as%20the%20storage%20account.%20Use%20Virtual%20network%20rules%20to%20allow%20same%2Dregion%20requests. This seems contradictory, as IP whitelisting is working on the storage account. I assume the explanation above applies only when the client is hosted in the same tenant and region as the storage account, and not when the client is in a different tenant, even if it's in the same region. I'd appreciate it if someone could shed some light on this. Thanks, Mohsen
Posted by Mohsen

Azure VPN client vs OpenVPN network peering transit behaviour
Hello, we currently use an OpenVPN access server running on an Azure VM, connected to VNet B, which is peered with VNet A and VNet C. VNets A, B and C are all peered with one another and are 10.x.x.x networks. When connected to the OpenVPN client, which routes all 10.0.0.0/8 traffic to VNet B, connections succeed to VMs on VNets A, B and C. I want to transition from OpenVPN to the Azure point-to-site VPN configured on VNet B, but in testing I am unable to connect (transit) to VNets A or C via the Azure P-2-S client connection. I have added a custom route to the VPN Gateway on VNet B, advertising 10.0.0.0/8, the same as the OpenVPN client, but unlike OpenVPN, which facilitates routing to VNets A and C, the Azure VPN client connection only connects to VMs on VNet B. Why would my OpenVPN client route traffic via peerings from VNet B to VNets A and C, but the Azure VPN client does not do the same and only connects (routes) to VNet B? Thanks in advance for any advice
Posted by sidkn33, Oct 08, 2025