I need some help (or maybe a better angle of attack) connecting a few external users to our Azure tenancy.
NOTE: All resources mentioned below are in the same Azure Subscription, the same Azure Location and the same Azure Resource Group.
There's one virtual network with a Windows 2016 VM running. This v-net (call it MAIN-VNET) has a virtual gateway with a site-to-site VPN configured (call this S2S-VPN). This S2S VPN is configured as a policy-based IPSEC VPN so that the on-premise Billion 7800VDOX can connect – which it does without issue. But, because it's a policy-based configuration, I can't configure a point-to-site VPN in coexistence with this S2S. If it were a route-based configuration however, P2S and S2S coexistence would work (and does – I tested it). But the on-premise Billion won't connect because it doesn't support IKEv2 (which is what route-based IPSEC VPNs use). So for now we're forced to use the policy-based config.
I have had to create a new v-net (P2S-VNET), then a new v-net gateway (P2S-VPN) and then configure the point-to-site VPN and client. I've done this and am able to connect to the VPN using the Azure VPN client successfully, but I can't access the Windows server on MAIN-VNET.
I can't create a "vnet-vnet" connection because one of the VPNs is policy-based and this is not supported by Azure.
I've tried creating a peer for both networks to each other (note that I have not ticked "Allow forwarded traffic", "Allow gateway transit", or "Use remote gateways" for either), but still cannot access the server.
I've created inbound/outbound rules in the network security group attached to the Windows server that allow ALL ports between the various subnets each v-net has, and this has not helped either.
Does anyone have any suggestions on how I open traffic between the two v-nets? I need it so that any external users who connect through P2S-VPN can access the Windows server on MAIN-VNET. Users on-premise who connect to this Windows server via the Billion device and the S2S VPN have no issues connecting to the Windows server at the moment.
LAN ==> Billion ==> S2S-VPN ==> MAIN-VNET ==> Windows server [OK]
Remote user ==> P2S-VPN ==> P2S-VNET =/= MAIN-VNET ==> Windows server [NOT OK]
Best Answer
It seems like you met the requirements for VNET Peering. All you have to do is connect both VNETs and enable Gateway Transit.
Here's an overview:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
And here's how to do it:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-create-vnetpeering-arm-portal
Just make sure to redownload the P2S client after reconfiguring VNET otherwise you won't have the new routes.
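The steps above (peer the two VNets with gateway transit, re-check the NSG on the server, then regenerate the P2S client profile), as an added Az PowerShell example rather than portal clicks. This is not code from the question or the answer. The resource group, NSG, NIC and port names are assumptions; the VNet and gateway names are the ones used in the question. Two things it deliberately does differently from what the question describes: it leaves "Use remote gateways" off on the MAIN-VNET side, because Azure rejects that flag on a VNet that already has its own virtual network gateway (MAIN-VNET owns the S2S gateway), and it scopes the NSG rule to the P2S client address pool on one port instead of allowing all ports between subnets, because P2S clients draw their addresses from the gateway's client pool, not from any P2S-VNET subnet, so a subnet-to-subnet rule never matches them.

```powershell
# Added example, not from the original post or answer. Requires the Az.Network
# module and an authenticated session (Connect-AzAccount). All names marked
# "assumed" are placeholders for illustration only.

$rg          = 'rg-example'          # assumed: the single resource group everything lives in
$p2sVnetName = 'P2S-VNET'            # from the question: VNet that owns the point-to-site gateway
$mainVnet    = 'MAIN-VNET'           # from the question: VNet with the Windows server + S2S gateway
$p2sGwName   = 'P2S-VPN'             # from the question: the point-to-site gateway
$nsgName     = 'nsg-windows-server'  # assumed: NSG attached to the Windows server NIC
$nicName     = 'nic-windows-server'  # assumed: NIC of the Windows server
$serverPort  = '3389'                # assumed: RDP; narrow this to whatever users actually need

function Set-ExamplePeering {
    $p2s  = Get-AzVirtualNetwork -Name $p2sVnetName -ResourceGroupName $rg
    $main = Get-AzVirtualNetwork -Name $mainVnet    -ResourceGroupName $rg

    # P2S-VNET side: allow its gateway to be used by the peer (gateway transit).
    if (-not (Get-AzVirtualNetworkPeering -VirtualNetworkName $p2sVnetName -ResourceGroupName $rg `
                -Name 'p2s-to-main' -ErrorAction SilentlyContinue)) {
        Add-AzVirtualNetworkPeering -Name 'p2s-to-main' -VirtualNetwork $p2s `
            -RemoteVirtualNetworkId $main.Id -AllowForwardedTraffic -AllowGatewayTransit | Out-Null
    }
    # MAIN-VNET side: -UseRemoteGateways is intentionally absent. Azure refuses it on a
    # VNet that already has its own gateway, and MAIN-VNET has the policy-based S2S gateway.
    if (-not (Get-AzVirtualNetworkPeering -VirtualNetworkName $mainVnet -ResourceGroupName $rg `
                -Name 'main-to-p2s' -ErrorAction SilentlyContinue)) {
        Add-AzVirtualNetworkPeering -Name 'main-to-p2s' -VirtualNetwork $main `
            -RemoteVirtualNetworkId $p2s.Id -AllowForwardedTraffic | Out-Null
    }
}

function Set-ExampleNsgRule {
    # P2S clients are addressed from the gateway's client pool, so that pool (not a
    # P2S-VNET subnet) is the source prefix the NSG must allow.
    $gw   = Get-AzVirtualNetworkGateway -Name $p2sGwName -ResourceGroupName $rg
    $pool = $gw.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes
    $nsg  = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg
    if (-not ($nsg.SecurityRules | Where-Object Name -eq 'allow-p2s-clients')) {
        $nsg | Add-AzNetworkSecurityRuleConfig -Name 'allow-p2s-clients' `
            -Description 'P2S client pool to the server port only (least privilege)' `
            -Access Allow -Protocol Tcp -Direction Inbound -Priority 300 `
            -SourceAddressPrefix $pool -SourcePortRange '*' `
            -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange $serverPort | Out-Null
        $nsg | Set-AzNetworkSecurityGroup | Out-Null
    }
}

function Show-ExampleChecks {
    # 1. Both peering links must report Connected; Initiated means the other side is missing.
    $peer = Get-AzVirtualNetworkPeering -VirtualNetworkName $mainVnet -ResourceGroupName $rg -Name 'main-to-p2s'
    "MAIN-VNET -> P2S-VNET peering state: $($peer.PeeringState)"

    # 2. Effective routes on the server NIC: is there a route for the P2S client pool with a
    #    VirtualNetworkGateway next hop? Without one, replies to P2S clients follow the default
    #    route and the session never completes, whatever the NSG says.
    $gw   = Get-AzVirtualNetworkGateway -Name $p2sGwName -ResourceGroupName $rg
    $pool = $gw.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes
    Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rg |
        Where-Object { $_.AddressPrefix | Where-Object { $pool -contains $_ } } |
        Format-Table AddressPrefix, NextHopType, NextHopIpAddress, State

    # 3. Effective inbound allow rules on the NIC (includes rules from a subnet-level NSG).
    (Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rg).EffectiveSecurityRules |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' } |
        Format-Table Name, Priority, SourceAddressPrefix, DestinationPortRange

    # 4. Regenerate the client profile so the clients pick up the new routes, as the answer says.
    #    Assumed: certificate authentication (EapTls); use EapMsChapv2 for RADIUS setups.
    (New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $p2sGwName -AuthenticationMethod 'EapTls').VpnProfileSASUrl
}

Set-ExamplePeering
Set-ExampleNsgRule
Show-ExampleChecks
```

Run the three functions in that order. The route check in step 2 is the one to watch: the answer's "you won't have the new routes" applies to the client side, but the server side also needs a path back to the client pool, and Get-AzEffectiveRouteTable is where that either shows up or does not.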