Azure – VNET peering with on-premise gateway transit not working properly

Tags: azure, azure-networking, peering, site-to-site-vpn, virtual-network

We have a VNET (let's call it VN_MAIN) that is configured to have a S2S VPN connection to our on-premise network. The VMs deployed within subnets of VN_MAIN are reachable from on-premise.

What I'm trying to do is to create another VNET (VN_OTHER) and make sure that you can reach on-premise from VN_OTHER and vice-versa, through VN_MAIN acting as a hub.

VN_MAIN has an address space of 10.123.128.0/20 (not created by me). I needed a /16 address space for my new VNET and wanted to avoid overlap, so I created VN_OTHER with address space 10.230.0.0/16.

Taking inspiration from the hub-spoke topology described here, I've created a peering on each VNET:

  • On VN_MAIN: main-to-other-peering to VN_OTHER, forwarded traffic allowed + gateway transit allowed
  • On VN_OTHER: other-to-main-peering to VN_MAIN, forwarded traffic allowed + use remote gateways checked

Afterwards, to test this, I launched 2 Linux machines: machine-1 on VN_MAIN (subnet 10.123.129.0/24) and machine-2 on VN_OTHER (subnet 10.230.0.0/16 = the whole space).

According to my understanding of the article I linked, this should be enough for what I'm trying to accomplish. However, it doesn't work properly. Here are the pings I attempted:

  • machine-1 to machine-2: OK
  • machine-2 to machine-1: OK
  • my-laptop to machine-1: OK
  • machine-1 to my-laptop: OK
  • my-laptop to machine-2: NOT OK
  • machine-2 to my-laptop: NOT OK

So, the peering between the VNETs works, but the gateway transit does not, even though I believe I've done everything I was supposed to do to allow it. I am positive this is not an issue with any NSG rules.

Can anyone tell if there's something I am missing here please?

Best Answer

It sounds like your on-prem gateway doesn't have a route to 10.230.0.0/16 (VN_OTHER) via the S2S VPN.
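The symptom table in the question matches the answer exactly: with gateway transit and "use remote gateways" set, machine-2 gets a route toward on-prem through VN_MAIN's gateway, but the on-prem device only knows the hub prefix, so echo requests from the spoke never get a reply and requests from the laptop never enter the tunnel. The script below is an added, offline model of that reasoning; it is not from the thread or from any Azure tool. The VNET prefixes and peering flags are the ones in the question; the list of prefixes the on-prem device sends into the tunnel (`ONPREM_TUNNEL_ROUTES`) is an assumed snapshot, and the helper names (`diagnose`, `azure_side_has_route`, `onprem_side_has_route`) are mine.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List


@dataclass
class Vnet:
    name: str
    address_space: List[IPv4Network]
    has_vpn_gateway: bool = False        # the hub owns the S2S VPN gateway
    allow_gateway_transit: bool = False  # set on the hub's peering to the spoke
    use_remote_gateways: bool = False    # set on the spoke's peering to the hub


# Prefixes and peering flags as described in the question.
VN_MAIN = Vnet("VN_MAIN", [ip_network("10.123.128.0/20")],
               has_vpn_gateway=True, allow_gateway_transit=True)
VN_OTHER = Vnet("VN_OTHER", [ip_network("10.230.0.0/16")],
                use_remote_gateways=True)
VNETS = [VN_MAIN, VN_OTHER]

# Assumed (constructed) snapshot of what the on-prem VPN device routes into the
# S2S tunnel, i.e. its static routes / IPsec traffic selectors toward Azure.
# Only the hub prefix is present, which is the situation the answer describes.
ONPREM_TUNNEL_ROUTES = [ip_network("10.123.128.0/20")]


def no_overlap(vnets: List[Vnet]) -> bool:
    """Peering is refused when address spaces overlap; confirm they do not."""
    prefixes = [p for v in vnets for p in v.address_space]
    return not any(a.overlaps(b)
                   for i, a in enumerate(prefixes) for b in prefixes[i + 1:])


def azure_side_has_route(vnet: Vnet, hub: Vnet) -> bool:
    """Does a VM in `vnet` get a next-hop VirtualNetworkGateway route to on-prem?
    The hub has it from its own gateway; a spoke only via gateway transit,
    which needs both peering flags and a gateway on the hub."""
    if vnet.has_vpn_gateway:
        return True
    return vnet.use_remote_gateways and hub.allow_gateway_transit and hub.has_vpn_gateway


def onprem_side_has_route(prefix: IPv4Network, tunnel_routes: List[IPv4Network]) -> bool:
    """Will the on-prem device send traffic for `prefix` into the tunnel?"""
    return any(prefix.subnet_of(r) for r in tunnel_routes)


def diagnose(vnets: List[Vnet], hub: Vnet,
             tunnel_routes: List[IPv4Network]) -> Dict[str, Dict[str, bool]]:
    """Per VNET: outbound route on the Azure side, return route on the on-prem
    side, and whether ping can work (it needs both directions)."""
    report = {}
    for v in vnets:
        outbound = azure_side_has_route(v, hub)
        inbound = all(onprem_side_has_route(p, tunnel_routes) for p in v.address_space)
        report[v.name] = {
            "azure_to_onprem": outbound,
            "onprem_to_azure": inbound,
            "ping_works": outbound and inbound,
        }
    return report


if __name__ == "__main__":
    print("address spaces disjoint:", no_overlap(VNETS))
    print("as configured:", diagnose(VNETS, VN_MAIN, ONPREM_TUNNEL_ROUTES))
    # The fix the answer implies: teach the on-prem device the spoke prefix.
    fixed = ONPREM_TUNNEL_ROUTES + VN_OTHER.address_space
    print("with spoke route on-prem:", diagnose(VNETS, VN_MAIN, fixed))
```

On a real deployment the Azure half of this check is `az network nic show-effective-route-table` against machine-2's NIC: the on-prem prefix should appear with next hop type VirtualNetworkGateway. The on-prem half depends on the device: for a static or policy-based tunnel the spoke prefix has to be added to its routes or traffic selectors, and for BGP the gateway has to be advertising it.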
