Mar 06 2020 11:10 AM
Hello, I have a VNet with a site-to-site VPN to my main office, and I have a second VNet with a site-to-site VPN to my second office. I need the second office to communicate with the VMs in the first VNet. I have set up VNet peering, but I cannot ping the VMs in the first VNet from my second office.
VNET1 --------------VNET Peering--------------VNET2
  |                                             |
Site to Site VPN (Main office)         Site to Site VPN (Second office)
Mar 08 2020 01:08 AM - edited Mar 08 2020 01:10 AM
I'm afraid the setup you have cannot work. When you peer two VNets, you can configure gateway transit on one of them (to utilize the second VNet's VPN gateway), but that first VNet cannot host its own gateway. More details can be found here.
You can redesign your network to use a 'Hub-and-Spoke' model (one Hub VNet with the VPN gateway), where you:
Another option (more advanced but also more expensive) is Azure Virtual WAN, where you could even achieve connectivity between your remote offices and VNets in a mesh-like topology, effectively using the Azure backbone network as your transit network (WAN).
Mar 08 2020 06:44 AM
@David Pazdera Thanks for the reply David.
The problem I was trying to solve with the VNet peering is this: I have two locations, "office1" and "office2", which are connected via a site-to-site VPN, and I have a site-to-site VPN going from office1 to the Azure VNet. In the Azure VNet I have VM servers, and I need "office2" to be able to communicate with these servers. The problem is that, due to a limitation of the on-prem networking equipment, which can only use IKEv1, I can only have one site-to-site VPN going to the Azure VNet. Is there any way to have office2 communicate with the Azure VNet?
Site to Site VPN (Main office) <-------------------> Site to Site VPN (Second office)
Mar 08 2020 08:32 AM
I see @Berkata14
Since your two sites are connected together over VPN, and your primary site has a S2S VPN connection established with your VNet, the problem could be in a few places:
That's probably all potential problem areas I could think of.
Mar 08 2020 01:41 PM - edited Mar 08 2020 01:42 PM
Yes the IP range for the second office is included in the local gateway
The VM are in the Same VNet where the VPN Gateway is.
Can't reach the VM through TRACERT. Correct, it's policy-based static IKEv1. That's why I can't create a second site-to-site VPN from office 2 to Azure.
Yes, I can reach the VMs from the main office, and the local gateway does have the IP range for the second office.
Any other suggestions?
Mar 08 2020 05:46 PM
1. No overlap in IP ranges.
2. The Local Gateway resource has the IP ranges for both offices.
3. The VMs are in the same VNet the VPN Gateway is in.
4. TRACERT from the second office does not reach the Azure VMs.
5. I can reach the Azure VMs from the main office.
Any other ideas?
Mar 09 2020 12:21 AM - edited Mar 09 2020 12:22 AM
It seems you have configured everything correctly on the Azure side. I assume you also checked your NSGs and any on-premises firewall "in the way" to make sure they are not blocking the traffic.
How did you configure routing in your Second office? Have you added the Azure range as a static route with your Main office VPN GW as the next hop? In other words, from your TRACERT (Second office --> Azure), are you reaching your VPN device in the Main office or where does the traffic end?
You could check the effective routes on your Azure VM to see how it handles any traffic from/to your Second office IP range.
Apart from that, I'm running out of ideas, but I suspect it is a routing problem inside your on-premises network.
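The Azure-side checklist in this thread (no overlapping ranges, the Local Network Gateway listing both office prefixes, and the VM's effective routes sending second-office traffic to the VPN gateway) can be checked offline against exported data. The script below is an added example and is not part of the thread or of any Azure tooling. Every address range in it is a constructed placeholder, and the route rows are constructed to follow the field layout of the `value` array returned by `az network nic show-effective-route-table -o json` (that layout is an assumption; paste your real output in place of `EFFECTIVE_ROUTES`). It implements longest-prefix match to predict which next hop the VM's reply to a second-office host would take.

```python
"""Offline sanity check of the Azure-side facts for the
office2 -> office1 VPN -> Azure VNet path discussed in the thread.

Added example, not from the thread. All ranges and route rows are CONSTRUCTED.
"""
import ipaddress
from typing import Dict, List, Optional

# --- Constructed sample topology (assumptions, not the poster's real ranges) ---
VNET_ADDRESS_SPACE = ["10.10.0.0/16"]
MAIN_OFFICE = ["192.168.1.0/24"]
SECOND_OFFICE = ["192.168.2.0/24"]
# "Address space" configured on the Local Network Gateway resource in Azure.
LOCAL_GATEWAY_PREFIXES = ["192.168.1.0/24", "192.168.2.0/24"]

# Rows shaped like the "value" array of
#   az network nic show-effective-route-table -g <rg> -n <nic> -o json
# (assumed field names; the values are invented for this example).
EFFECTIVE_ROUTES = [
    {"source": "Default", "state": "Active", "addressPrefix": ["10.10.0.0/16"],
     "nextHopType": "VnetLocal", "nextHopIpAddress": []},
    {"source": "Default", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "Internet", "nextHopIpAddress": []},
    {"source": "VirtualNetworkGateway", "state": "Active", "addressPrefix": ["192.168.1.0/24"],
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.10.255.4"]},
    {"source": "VirtualNetworkGateway", "state": "Active", "addressPrefix": ["192.168.2.0/24"],
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.10.255.4"]},
]


def to_nets(prefixes: List[str]):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def overlaps(groups: Dict[str, List[str]]) -> List[str]:
    """Check 1: no two ranges (VNet, main office, second office) may overlap."""
    findings = []
    names = list(groups)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in to_nets(groups[a]):
                for nb in to_nets(groups[b]):
                    if na.overlaps(nb):
                        findings.append(f"overlap: {a} {na} vs {b} {nb}")
    return findings


def uncovered(prefixes: List[str], covering: List[str]) -> List[str]:
    """Check 2: each office prefix must sit inside some Local Network Gateway prefix."""
    cover = to_nets(covering)
    return [str(p) for p in to_nets(prefixes) if not any(p.subnet_of(c) for c in cover)]


def route_for(ip: str, routes: List[dict]) -> Optional[dict]:
    """Longest-prefix match over the active effective routes, which is how the
    Azure fabric picks the next hop for a packet leaving the NIC."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for r in routes:
        if r.get("state") != "Active":
            continue
        for p in r["addressPrefix"]:
            net = ipaddress.ip_network(p, strict=False)
            if addr in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
    return best


def audit(vnet, main_office, second_office, lng_prefixes, routes) -> List[str]:
    """Run the thread's Azure-side checks; an empty list means the Azure side
    looks right and the problem is most likely on-premises routing."""
    findings = overlaps({"vnet": vnet, "main_office": main_office,
                         "second_office": second_office})
    for p in uncovered(second_office, lng_prefixes):
        findings.append(f"local network gateway is missing second-office prefix {p}")
    for p in uncovered(main_office, lng_prefixes):
        findings.append(f"local network gateway is missing main-office prefix {p}")
    # Return path: the VM's reply to a second-office host must leave via the VPN gateway.
    probe = str(ipaddress.ip_network(second_office[0], strict=False)[10])
    r = route_for(probe, routes)
    hop = r["nextHopType"] if r else None
    if hop != "VirtualNetworkGateway":
        findings.append(f"VM reply to {probe} would take next hop {hop}, not VirtualNetworkGateway")
    return findings


if __name__ == "__main__":
    print(audit(VNET_ADDRESS_SPACE, MAIN_OFFICE, SECOND_OFFICE,
                LOCAL_GATEWAY_PREFIXES, EFFECTIVE_ROUTES))
    # Same audit with the second office left out of the Local Network Gateway,
    # so the gateway never advertises that route to the NIC.
    broken_routes = [r for r in EFFECTIVE_ROUTES if "192.168.2.0/24" not in r["addressPrefix"]]
    print(audit(VNET_ADDRESS_SPACE, MAIN_OFFICE, SECOND_OFFICE,
                ["192.168.1.0/24"], broken_routes))
```

If the audit comes back empty while TRACERT from the second office still dies before the main-office VPN device, the forward path is the suspect: the second office needs a route for the VNet range pointing at the main-office VPN device, and that device must include the second-office range in its IPsec traffic selector for the Azure tunnel, which is what the Local Network Gateway prefixes express on the Azure side.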
Mar 09 2020 02:16 AM
I would agree with @David Pazdera; apparently the issue is most probably related to a routing configuration on your on-premises network.
My advice to you is to double-check the configuration and re-run your tests.