I have a VNet with some VMs in Azure. The VNet has a site-to-site VPN connection back to my premises. From on-prem clients, I can successfully connect to the private IP addresses of the VMs. However, on-prem clients cannot connect to the public IP address of a VM. On the other hand, if I try to connect to a VM from different internet connection (3g on phone, or from home), then I can connect to the public address without problems. There are no network ACLs on network equipment on-prem that could be blocking this traffic (in fact a traceroute to the public IP address cuts out at a ntwk.msn.net address). Any thoughts on what the issue might be?
I installed Wireshark on one of the VMs, and when I try to connect to the external IP from on-prem, no packets reach the VM. So I'm guessing the routing on the VNet, the Public IP SNAT, or the VM's routing is at fault here.
As a test, I have spun up a new vnet on a seperate IP range, and a new VM with a public IP. Connecting to the public IP of this VM works fine. Something in the VPN/routing of the original VNET seems to be part of the problem, as without a VPN everything is fine.
I know this is an old post, but in case anyone else runs into this issue. I experienced this about the same time you posted, so things might have changed. After a long support call with Microsoft, it came out that Azure drops traffic coming from the internet (to your public IP) if the source address is included in the local site definition on your S2S VPN. This is a security measure--you have told Azure that traffic from the source address should arrive over the VPN, not from the internet.