Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,517 questions
Problem with VPN site-to-site, app container in a subnet in a vnet peering
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 43%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EME%3C/text%3E%3C/svg%3E)
Mario E. Esteves Mariño
0
Reputation points
I have a small problem with the VPN tunnel that was configured with the Virtual Network Gateway resource.
I have 3 resource groups, the GLOBAL resource group is where the Virtual Network Gateway is hosted and it is linked to the 2 resource groups RG-A and RG-B in Hub-Spoke mode.
The tunnel allows me to connect from my on-premise site and I access the elements in the RG-GLOBAL and the resource groups RG-A and RG-B that are within the DEFAULT subnet.
I created a VM in each resource group to confirm connectivity in each subnet, but note that I only access the resources if they are within the default subnet. If they belong to another subnet, the resource becomes inaccessible.
For example, my App Containers are in the infrastructure subnet. And I cannot access them from my on-premise site; but if I put them in the default subnet, access is possible.
What do I need to configure so that, without changing the subnet, the resources are accessible from my on-premise site?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 25,856 Reputation points Microsoft Employee2024-09-19T21:49:20.4533333+00:00 Based on your question above as only the default subnet on hub and spoke Vnets is reachable from on-prem.
- Confirm if there is route table associated with the default subnet and if you need to associate the route table with other subnets. You can go through this VPN gateway transit for virtual network peering guide to check if there was any missed configuration.
- Confirm if any NSG is blocking the connectivity. To test this you can deploy a test VM in the infrastructure subnet and use IP flow verify to check if any NSG is blocking the connectivity.
- Further to help isolate the issue you can simultaneously perform a Packet Capture on the VPN Gateway and the on-prem router to check if you observe any packets from the other subnets.
Thanks
Sign in to comment
Sign in to answer