First, what I'm trying to accomplish. We have a central VNet in North Europe for corporate applications, databases, etc. However our on-premises locations are distributed globally. We'd like on-premises users to be able to connect via P2S through the nearest Azure region (i.e. J'burg, Singapore, Zurich, etc.) to reduce the length traveled over the Internet and get onto the Microsoft backbone as locally as possible. We prefer to use Basic VPN SKU due to the cost management of the number of regions involved globally. The cost of Standard VPN just to add BGP is ludicrous. So I'm looking for a way to achieve the same with static routing.
Since the North Europe can only have one gateway, we can't use the simple hub-spoke peering set up. It would only work for one regional location. So, we've set up S2S VNet-to-VNet connections between all the regions and the North Europe. We've set up P2S in each regional VNet gateway for users to connect locally. Once connected to a VM in Zurich, for example, users can ping/RDP as expected into the North Europe resources. However, they can't do the same from their local machines over the P2S connection.
As a single example, we'll focus on Local > Zurich > North Europe. In the Zurich VNet, we've got a small Windows VM with IP forwarding enabled (on the nic and Windows firewall). We've played with UDRs, but nothing seems to let the P2S traverse the gateway to the S2S to be able to reach the North Europe resources.
North Europe (10.3.0.0/16)
- NSG: default rules only
- S2S: NEurope VNet-to-VNet to Zurich (Connected)
- Gateway Subnet: 10.3.3.0/24
- Windows VM 10.3.0.4
- ICMP enabled
- IP forwarding enabled on NIC and VM
Zurich (10.10.0.0/16)
NSG: default rules only
S2S: Zurich VNet-to-VNet to NEurope (Connected)
P2S: Address pool 172.16.10.0/24
routes.txt:
ADD 10.10.0.0 MASK 255.255.0.0 default METRIC default IF default ADD 10.3.0.0 MASK 255.255.0.0 default METRIC default IF default ADD 172.16.10.0 MASK 255.255.255.0 default METRIC default IF default
Gateway Subnet: 10.10.3.0/24
Windows VM 10.10.5.4
- ICMP enabled
- IP forwarding enabled on NIC and VM
On-Premises (192.168.0.0/16)
P2S: Connected to Zurich
- Can ping and RDP to Zurich VM 10.10.5.4
- Can not ping or RDP to N Europe VM 10.3.0.4
P2S: Connected to N Europe
- Can ping and RDP to to N Europe VM 10.3.0.4
So, the only functionality I'm missing is that I want the On-Premises machine to be able to ping and RDP to N Europe VM with an active P2S connection to Zurich. I've played around with route tables, tried using the Zurich VM as a simple NVA to forward IP traffic. For the life of me, I can't find a solution that will enable our Zurich P2S connections to reach the N Europe VNet.
Any guidance is greatly appreciated. I think I've broken Google. :)