We have a VNET (let's call it VN_MAIN) that is configured to have an S2S VPN connection to our on-premise network. The VMs deployed within subnets of VN_MAIN are reachable from on-premise.

What I'm trying to do is to create another VNET (VN_OTHER) and make sure that you can reach on-premise from VN_OTHER and vice-versa, through VN_MAIN acting as a hub.

VN_MAIN has an address space of 10.123.128.0/20 (not created by me). I needed a /16 address space for my new VNET and wanted to avoid overlap, so I created VN_OTHER with address space 10.230.0.0/16.
Taking inspiration from the hub-spoke topology described here, I've created a peering on each VNET:
- On VN_MAIN: main-to-other-peering to VN_OTHER, forwarded traffic allowed + gateway transit allowed
- On VN_OTHER: other-to-main-peering to VN_MAIN, forwarded traffic allowed + use remote gateways checked
Afterwards, to test this, I launched 2 Linux machines: machine-1 on VN_MAIN (subnet 10.123.129.0/24) and machine-2 on VN_OTHER (subnet 10.230.0.0/16 = the whole space).
According to my understanding of the article I linked, this should be enough for what I'm trying to accomplish. However, it doesn't work properly. Here are the pings I attempted:
- machine-1 to machine-2: OK
- machine-2 to machine-1: OK
- my-laptop to machine-1: OK
- machine-1 to my-laptop: OK
- my-laptop to machine-2: NOT OK
- machine-2 to my-laptop: NOT OK
So, the peering between the VNETs works, but the gateway transit does not, even though I believe I've done everything I was supposed to do to allow it. I am positive this is not an issue with any NSG rules.
Can anyone tell if there's something I am missing here please?
Best Answer
It sounds like your on-prem gateway doesn't have a route to the 10.230.0.0/16 (VN_Other) via the S2S VPN.
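The symptom in the question (hub reachable, spoke not) is exactly what a route-coverage check on the on-prem side would flag. The following is an added example, not code from the original post or from Azure: it takes the VN_MAIN and VN_OTHER prefixes from the question and checks them against a constructed on-prem route table, first with only the hub prefix (the situation the answer describes) and then with the spoke prefix added.

```python
"""Hub/spoke route-coverage check for the VNET setup in the question.

Added example. VN_MAIN and VN_OTHER come from the question; the on-prem
route tables below are constructed sample values, not real configuration.
"""
from ipaddress import ip_network

# Address spaces from the question.
VN_MAIN = ip_network("10.123.128.0/20")
VN_OTHER = ip_network("10.230.0.0/16")

# Constructed: what the on-prem gateway routes over the S2S VPN. Before
# the fix only the hub prefix is present; after, the spoke is added.
ONPREM_ROUTES_BEFORE = [ip_network("10.123.128.0/20")]
ONPREM_ROUTES_AFTER = [ip_network("10.123.128.0/20"), ip_network("10.230.0.0/16")]


def overlapping(prefixes):
    """Return pairs of prefixes that overlap (VNET peering rejects these)."""
    return [(a, b) for i, a in enumerate(prefixes)
            for b in prefixes[i + 1:] if a.overlaps(b)]


def uncovered(vnet, routes):
    """Return the parts of `vnet` that no route in `routes` covers.

    On-prem can only reach addresses that some VPN route matches, so the
    result lists what is still missing; an empty list means full coverage.
    Partially covering routes are subtracted with address_exclude.
    """
    remaining = [vnet]
    for route in routes:
        nxt = []
        for chunk in remaining:
            if chunk.subnet_of(route):
                continue                                   # fully covered
            if chunk.overlaps(route):
                nxt.extend(chunk.address_exclude(route))   # partly covered
            else:
                nxt.append(chunk)                          # untouched
        remaining = nxt
    return remaining


def gateway_transit_ok(hub, spokes, onprem_routes):
    """True only when on-prem has routes for the hub and for every spoke."""
    return not uncovered(hub, onprem_routes) and all(
        not uncovered(spoke, onprem_routes) for spoke in spokes)
```

With ONPREM_ROUTES_BEFORE the check reports the whole 10.230.0.0/16 as unreachable, matching the failed my-laptop to machine-2 pings; with the spoke prefix added it passes.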