Azure VNET to VNET to site to site VPN connectivity

Question

Scenario.

We have a site 2 site VPN from ON PREM to Azure VNET (with a vnet gateway) in a specific rg. lets call the VNET with the VPN connection for: vnet-vpn

Then we have a VNET in another Resourcegroup in Azure (Same subscription as vnet-vpn) lets call it vnet-a

I need services in vnet-a to be able to call on prem systems by proxying thru the vnet-vpn and that way gaining access to the on-prem network.

I can:

• create a connection between the 2 vnets in Azure (vnet-vpn, vnet-a) by using peering.Tested by letting services from each vnet communicate directly.
• call on prem services from applications placed in the vnet-vpn.

I CANNOT:

• access on-prem systems from vnet-a.

I cannot find any documentation that explicitly describes this scenario and and to set it up. Can someone please help :-)

Answer 1

You can refer to this tutorial here which resembles the scenario you are trying out. You need to enable gateway transit on your peered VNET in order to establish connectivity with your on-prem systems.

Answer 2

More info on current config could be used to answer this, but here are a couple of ideas:

• Make sure Gateway Transit is enabled inside the peering configuration between vnet-vpn and vnet-a
• Make sure that vnet-a IP range is included in your Azure VPN and also OnPrem VPN configuration
  • Alternatively, NAT your vnet-a addresses into some range which is acceptable for your OnPrem VPN. Please be aware that NAT rules feature is only Preview on Azure Virtual Network Gateway. You either have to take the risk of using a preview feature (fine for non-production workloads), or implement your own NAT appliance.

Answer 3

Possible is too late, however if anyone came across this post with the same issue, this is a solution:

Scenario:

OnPrem<----S2S----->Az Vnet-A

You want direct access from OnPrem Site to another Azure VNET, let's call it Vnet-B using the existing setup between OnPrem an Vnet-A.

Solution:

• Create a vnet peering between the 2 VNETs, make sure that the gateway transit is enabled on Vnet-A side (the VNET that has the Gateway VPN configuration) --> you can use the article shared in the comments above
• the peering will ensure connectivity between Vnet-A and Vnet-B, however just doing this step will not allow connectivity from OnPrem to Vnet-B
• to have direct access from OnPrem to Vnet-B you also have to create UDR on both VNETs
• create a RouteTable-A and connect it to a Vnet-A subnet, create a route, this route will say: when the traffic leaves this subnet it will be redirect to Address Prefix [a subnet in Vnet-B], and the NextHop is None (dropped by default)
• create a RouteTable-B, connect it to a subnet in Vnet-B, create a route, this route will say: when the traffic leaves this subnet it will be redirect to the Address Prefix of the Vnet-A Gateway Subnet and the NextHop is Virtual Network Gateway

And that's all by creating a peering with Gateway Transit enabled on the Vnet that is connected the the Azure Gateway VPN, and creating the Routes with the settings I mentioned earlier you will have direct access from OnPrem to Vnet-B also.

Regards