0 Votes
anilkumar-3187 asked VBarnwal answered

Unable to connect to Azure VM using Private IP Address after setting up Point to Site VPN

Hello,

For learning purposes, I created a Virtual Network Gateway and then configured a Point to Site VPN connection. I set up the VPN connection on an Azure VM, and I am able to access a website and RDP to another VM using its public IP address successfully, even though the source VM and destination VM were in different VNets and there was no peering between them. I concluded the VPN is working as expected.

Then I tried to RDP to an Azure VM using its private IP address and it didn't work. I remember that last time I was able to connect to an Azure VM using its private IP address after configuring Bastion on it.

Please help me with:

  1. I am not sure whether I can only connect to a VM using its private IP from a Bastion host, or whether there are other use cases as well?

  2. How come the VPN doesn't allow me to connect to the VM using its private IP, as Azure internally would have been using the private IP, since the public IP of a resource might change?

  3. Is there a way to connect to an Azure VM using its private IP from my laptop, provided there is no VPN set up and AD is not federated?


Appreciate your insightful response, thank you!!

Tags: azure-virtual-machines, azure-virtual-network, azure-vpn-gateway, azure-bastion

0 Votes
GitaraniSharmaMSFT-4262 answered anilkumar-3187 commented

Hello @anilkumar-3187 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

1) Azure Bastion is a service that lets you connect to a virtual machine using your browser and the Azure portal. Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using the private IP of your VM. You don't need a public IP on your virtual machine.
Reference : https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
https://docs.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal

2) P2S VPN should allow you to connect to a VM using its private IP. May I know where the VPN client is installed? Are you accessing the Azure VM from your local laptop via the Azure VPN client?
From your initial statement: "Setup the VPN connection on Azure VM, I am able to access a website and RDP another VM using its public IP address successfully even though source VM and destination VM were in different VNets and there was no peering between them." - I understand that your P2S VPN setup is completely on Azure. Is that correct? You have 2 VNets. You are using one VNet as Azure and the other VNet as on-prem, and have installed the P2S VPN client on the other VNet's VM.
Do you have any overlapping address spaces between Azure and your on-prem setup? Is the P2S VPN address pool set up correctly and not overlapping? You can also try resetting the Azure VPN gateway once and check again.
References : https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#addresspool
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems#the-point-to-site-vpn-connection-is-established-but-you-still-cannot-connect-to-azure-resources

3) The only way to connect to an Azure VM using its private IP from your laptop (provided there is no VPN set up and AD is not federated) would be via a Bastion host.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Thank you @GitaraniSharmaMSFT-4262 for your valuable response.

Please find my response below to your questions on the 2nd point. I got my answers for the 1st and 3rd points.

"P2S VPN should allow you to connect to a VM using its private IP. May I know where the VPN client is installed? Are you accessing the Azure VM from your local laptop via the Azure VPN client?" - I had installed the VPN client on an Azure VM. I was accessing the Azure VM from my laptop, but I was connected to my company VPN, not the Azure VPN.

"I understand that your P2S VPN setup is completely on Azure. Is that correct? You have 2 VNets. You are using one VNet as Azure and the other VNet as on-prem, and have installed the P2S VPN client on the other VNet's VM." - Correct, my complete VPN setup is in Azure. Your understanding is absolutely correct.

"Do you have any overlapping address spaces between Azure and your on-prem setup? Is the P2S VPN address pool set up correctly and not overlapping? You can also try resetting the Azure VPN gateway once and check again." - As you rightly understood, my VPN setup doesn't have an on-premises part; it resides in Azure only. There seems to be some overlap in the network addresses of the VNet hosting the gateway and the VNet hosting the Azure VM. I have understood the concept and will mark your response as the answer.

Thank you again for your valuable help!!


0 Votes 0 ·

Hello @anilkumar-3187 ,

Thank you for the update.

As you mentioned there seems to be some overlap in network addresses, we now know the cause of the issue.
When your address spaces overlap, the network traffic doesn't reach Azure; it stays on the local network (in your case the VNet which acts as the on-prem setup).
Reference : https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#how-do-i-troubleshoot-an-rdp-connection-to-a-vm
You need to remove the overlapping address spaces in the connected VNets to resolve the issue.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

0 Votes 0 ·

Thank you for taking the time to help - accepted your response as the answer!!

1 Vote 1 ·
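The diagnosis above (overlapping address spaces between the gateway VNet, the VNet standing in for on-prem, and the P2S client pool) is easy to check before the tunnel is even built. The following PowerShell is an added example, not code from the thread: it compares every pair of IPv4 ranges and warns on overlap. The VNet names, resource group and address spaces are constructed sample values; in a real subscription you would read the live prefixes with Get-AzVirtualNetwork and Get-AzVirtualNetworkGateway as shown in the comment.

```powershell
# Added example: find overlapping IPv4 address spaces among the ranges a P2S
# setup has to route between. Values below are constructed for the demo.
# With the Az module you would pull live values instead, e.g. (names assumed):
#   (Get-AzVirtualNetwork -Name vnet-gateway -ResourceGroupName rg-lab).AddressSpace.AddressPrefixes
#   (Get-AzVirtualNetworkGateway -Name vgw-lab -ResourceGroupName rg-lab).VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes

function ConvertTo-IPv4Range {
    # Turn "10.1.0.0/16" into the first and last address of the block as integers.
    param([Parameter(Mandatory)][string]$Cidr)
    $parts = $Cidr.Split('/')
    if ($parts.Count -ne 2) { throw "Not CIDR notation: $Cidr" }
    $bytes = [System.Net.IPAddress]::Parse($parts[0]).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 only: $Cidr" }
    [Array]::Reverse($bytes)                                   # network order -> host order
    $base   = [long][BitConverter]::ToUInt32($bytes, 0)
    $prefix = [int]$parts[1]
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length: $Cidr" }
    $size   = [long][Math]::Pow(2, 32 - $prefix)
    $first  = $base - ($base % $size)                          # align to the block start
    return [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = $first + $size - 1 }
}

function Test-IPv4Overlap {
    # Two ranges overlap when each starts before the other ends.
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $ra = ConvertTo-IPv4Range $A
    $rb = ConvertTo-IPv4Range $B
    return ($ra.First -le $rb.Last) -and ($rb.First -le $ra.Last)
}

# Constructed sample: the "on-prem" VNet is carved out of the gateway VNet's /16,
# which is exactly the situation that keeps traffic local instead of crossing the tunnel.
$spaces = @(
    @{ Name = 'vnet-gateway address space'; Cidr = '10.1.0.0/16' }
    @{ Name = 'vnet-onprem address space';  Cidr = '10.1.0.0/24' }
    @{ Name = 'P2S client address pool';    Cidr = '172.16.201.0/24' }
)

$conflicts = @()
for ($i = 0; $i -lt $spaces.Count; $i++) {
    for ($j = $i + 1; $j -lt $spaces.Count; $j++) {
        if (Test-IPv4Overlap $spaces[$i].Cidr $spaces[$j].Cidr) {
            $conflicts += "$($spaces[$i].Name) ($($spaces[$i].Cidr)) overlaps $($spaces[$j].Name) ($($spaces[$j].Cidr))"
        }
    }
}

if ($conflicts) { $conflicts | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No overlapping address spaces; the P2S client can route to every range.' }
```

With the sample values the script warns that 10.1.0.0/24 sits inside 10.1.0.0/16; renumbering the "on-prem" VNet to a range outside the gateway VNet (and outside the client pool) is the fix the answer describes.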
0 Votes
JagadeeskumarLenin-8623 answered GitaraniSharmaMSFT-4262 commented

Hello team,

Now let me explain my scenario. I created a site to site VPN (on-prem to Azure environment) and the connection status is success. But pinging the private IP is not working; I get "request timeout". May I know what the reason for that is?

Hello @JagadeeskumarLenin-8623 ,

Since your site to site VPN shows connected, did you try to access your Azure VM in another way, such as RDP or telnet, or try a TCP ping such as psping?
It could be that ICMP is blocked and you are unable to do a normal ping. Please check the OS firewall on the Azure VM and also check whether ICMP is allowed on your on-prem firewall.

Regards,
Gita

0 Votes 0 ·
0 Votes
VBarnwal answered

After turning off Windows Firewall from the Server Manager dashboard it may work.
By default it was on, so I was unable to open an RDP session using the private IP; after turning it off, it works.


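Turning the whole firewall off, as the last answer does, is a wider change than the symptom needs. The PowerShell below is an added example, not code from the thread: run on the Azure VM it allows ICMPv4 echo requests only from the on-prem range and makes sure the built-in Remote Desktop rules are enabled; run from the on-prem side it performs the TCP check to port 3389 that Gita suggests, so a blocked ping is not mistaken for a dead tunnel. The on-prem range 192.168.10.0/24, the VM address 10.1.0.4 and the rule name are constructed sample values.

```powershell
# ---- Run on the Azure VM (elevated) ----
# Added example: scope the firewall change to what the test needs instead of
# disabling Windows Defender Firewall. Sample values are constructed.
$OnPremRange = '192.168.10.0/24'
$RuleName    = 'Allow ICMPv4 Echo from on-prem'

# 1. Which enabled inbound rules already match ICMPv4? (empty list = ping will time out)
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' } |
    Select-Object DisplayName, Profile, Action

# 2. Add an echo-request (ICMP type 8) rule limited to the on-prem range, once.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $OnPremRange -Profile Any | Out-Null
}

# 3. RDP over the private IP needs the built-in Remote Desktop rules enabled on the
#    profile the VM's NIC is in; enable them and show their state.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object DisplayName, Enabled, Profile, Direction

# ---- Run on the on-prem machine ----
# 4. TCP test to 3389 proves the S2S path end to end even where ICMP is filtered.
$r = Test-NetConnection -ComputerName 10.1.0.4 -Port 3389
if ($r.TcpTestSucceeded) {
    'RDP port 3389 reachable over the tunnel'
} elseif ($r.PingSucceeded) {
    'Host answers ping but 3389 is closed or filtered: check the RDP service and firewall rules on the VM'
} else {
    'Neither ping nor TCP 3389 answered: check tunnel routes, NSG rules and the OS firewall'
}
```

Step 1 explains the "request timeout" when nothing is listed; step 4 is the better success criterion, since RDP is what the VM actually has to serve. If TCP 3389 fails while the rules above are in place, look at the network security group on the VM's subnet or NIC before touching the OS firewall again.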