Exercise: Troubleshoot site-to-site VPN gateway connectivity

Important

You need your own Azure subscription to complete the exercises in this module. If you don't have an Azure subscription, you can still view the demonstration video at the bottom of this page.

As your organization's support engineer, you've been asked to help fix an issue between your resources in the US and northern Europe. You have existing infrastructure of virtual networks in two different regions. The VMs in the US virtual network (VNet1) are unable to get a ping response from the VMs in northern Europe (VNet2).

Checking the topology, you can see that there are VPN gateways and connections.

Diagram of the topology of the network that needs troubleshooting.

In this exercise, you'll troubleshoot and resolve the connectivity issue.

Test the connection

  1. You'll test the connection between the two VMs by sending a ping from one to the other.

  2. Open the Azure portal in a new tab.

  3. In the search bar, type virtual machines, then under Services, select Virtual machines.

    Screenshot showing the search bar and the results of searching for virtual machines.

  4. From the list of VMs, select virtualMachine1.

    Screenshot showing the two virtual machines.

  5. Make a note of the Public IP address and Private IP address.

    Screenshot of virtualMachine1 showing its private and public IP addresses under Networking.

  6. Repeat the last two steps for virtualMachine2 and note the Public IP address and Private IP address.

  7. On the right, in the Cloud Shell, connect to virtualMachine1 over SSH using its public IP address:

    ssh azureuser@<virtualMachine1 public IP address>

    Note

    Replace <virtualMachine1 public IP address> with the public IP address you noted for virtualMachine1.

  8. At the prompt Are you sure you want to continue connecting (yes/no)?, type yes. Answering yes accepts the VM's SSH host key on first use; outside a lab you would compare the fingerprint shown with one obtained out of band before accepting it.

  9. Your prompt should change to azureuser@virtualMachine1:~$.

  10. This means you've successfully connected to virtualMachine1.

  11. Ping the private IP address of virtualMachine2:

    ping <virtualMachine2 private IP address>

    Note

    Replace <virtualMachine2 private IP address> with the private IP address you noted for virtualMachine2.

    Screenshot showing the ping command to check whether machines can connect.

  12. There's no response from virtualMachine2, which confirms that the two machines can't reach each other across the private address space. (A ping timeout on its own could also be caused by a network security group that blocks ICMP, which is why the gateway, virtual network and connection checks that follow confirm the cause rather than assume it.)

  13. Press CTRL + C keys to quit the ping command.

Troubleshoot the gateways

You'll check that both gateways have the correct gateway type and VPN type.

  1. Go to the Azure portal.

  2. In the search bar, type virtual network gateways, and then select the service to continue.

    Screenshot showing the virtual gateway service.

  3. Select VNet1GW.

    Screenshot of the virtual gateways.

  4. Confirm that the VPN type is route-based and the gateway type is VPN. A VNet-to-VNet connection requires route-based gateways on both sides; a policy-based gateway would be a cause of failure on its own.

    Screenshot showing the Gateway and V P N Type.

  5. Scroll down the page to the tunnel Ingress and Egress charts. Look for the point at which traffic stopped: it shows when something might have happened to cause the problem.

    Screenshot of the Tunnel ingress and Egress stats.

  6. Repeat for VNet2GW.

Troubleshoot the virtual networks

You'll now check that the address spaces of the two virtual networks don't overlap. Overlapping address spaces can't be routed across a VNet-to-VNet connection, so this is a common cause of connectivity failures.

  1. In the search bar, type virtual networks, and then select the Virtual network service.

  2. Select VNet1.

    Screenshot showing the virtual networks.

  3. Make a note of the Address space.

    Screenshot showing the address space.

  4. Select VNet2, and check that the address spaces do not overlap.

    Screenshot showing the address space of VNet2.

  5. The two address spaces don't overlap, so we can rule them out as the cause.

  6. You'll now check that the subnets are correctly set up.

  7. Select VNet1, then select Subnets.

    Screenshot showing the subnet menu.

  8. Check that each subnet's address range, including the GatewaySubnet, falls within the virtual network's address space.

  9. Repeat for VNet2.

    Screenshot showing the Gateway subnet address.

  10. Both GatewaySubnet ranges lie inside their virtual network's address space and match the default range, so the subnets are correctly created.

Check the gateway connections

  1. In the search bar, type virtual network gateway, and then select Virtual network gateways.

  2. Both gateways are displayed.

  3. Select VNet1GW.

    Screenshot of the V Net 1 gateway.

  4. Select Connections.

    Screenshot of the Connections option.

  5. The connection status shows that the issue is with the connections between the gateways: they report as not connected.

    Screenshot showing the two virtual networks not connected.

  6. Select Refresh to confirm that the connection status hasn't changed.

    Screenshot of the refresh button.

  7. The connections still show as not connected, so you'll check the shared keys next.

  8. Select VNet1-VNet2.

  9. Select Shared key.

    Screenshot showing the Shared Key option.

  10. Make a note of the Shared key.

    Screenshot of the shared key.

  11. On the breadcrumb trail, select VNet1GW, then select VNet2-VNet1.

  12. Select Shared key.

    Screenshot of the second shared key showing it's different to the first shared key.

  13. The shared keys are different. Both sides of a VNet-to-VNet connection use this pre-shared key to authenticate each other when the IKE tunnel is negotiated, so the key on VNet1-VNet2 must be identical to the key on VNet2-VNet1. With mismatched keys, authentication fails and the tunnel never comes up, which matches the symptoms you've seen.

  14. Now that you've found the issue, you'll resolve it in the next exercise.
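The same four checks (gateway type, address-space overlap, subnet placement, and connection status with shared-key agreement) can be scripted against the JSON that Azure CLI returns, which is useful when you have to repeat this diagnosis across many gateway pairs. The script below is an added example and is not part of the Microsoft Learn exercise. It assumes the resource names from the exercise (VNet1, VNet2, VNet1GW, VNet2GW, VNet1-VNet2, VNet2-VNet1) and an invented resource group name, rg-vpn-lab; the sample data at the bottom is constructed to reproduce the exercise's symptoms so the checks can be run offline.

```python
# Added example, not part of the Microsoft Learn exercise: the portal checks
# above as functions over Azure CLI JSON output, testable offline on constructed
# data and then runnable against a subscription. Assumed names: the exercise's
# resources (VNet1, VNet2, VNet1GW, VNet2GW, VNet1-VNet2, VNet2-VNet1) and an
# invented resource group "rg-vpn-lab".
import hashlib
import ipaddress
import json
import subprocess


def az_json(*args: str) -> object:
    """Run an Azure CLI command (needs a prior `az login`) and parse its JSON."""
    out = subprocess.run(["az", *args, "-o", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def gateway_problems(gw: dict) -> list:
    """VNet-to-VNet connections need gatewayType Vpn and vpnType RouteBased."""
    problems = []
    if gw.get("gatewayType") != "Vpn":
        problems.append(f"{gw['name']}: gatewayType is {gw.get('gatewayType')}, expected Vpn")
    if gw.get("vpnType") != "RouteBased":
        problems.append(f"{gw['name']}: vpnType is {gw.get('vpnType')}, expected RouteBased")
    return problems


def address_space_overlap(vnet_a: dict, vnet_b: dict) -> list:
    """Every pair of prefixes that overlap between the two VNets (should be none)."""
    nets_a = [ipaddress.ip_network(p) for p in vnet_a["addressSpace"]["addressPrefixes"]]
    nets_b = [ipaddress.ip_network(p) for p in vnet_b["addressSpace"]["addressPrefixes"]]
    return [f"{a} overlaps {b}" for a in nets_a for b in nets_b if a.overlaps(b)]


def subnets_outside_vnet(vnet: dict) -> list:
    """Each subnet, GatewaySubnet included, must lie inside the VNet's address space."""
    space = [ipaddress.ip_network(p) for p in vnet["addressSpace"]["addressPrefixes"]]
    bad = []
    for sn in vnet.get("subnets", []):
        for p in sn.get("addressPrefixes") or [sn["addressPrefix"]]:
            prefix = ipaddress.ip_network(p)
            if not any(prefix.subnet_of(s) for s in space):
                bad.append(f"{vnet['name']}/{sn['name']} {prefix} is not within "
                           + ", ".join(map(str, space)))
    return bad


def key_fingerprint(psk: str) -> str:
    """Compare keys by digest so the pre-shared key itself never lands in a log or ticket."""
    return hashlib.sha256(psk.encode()).hexdigest()[:16]


def connection_verdict(conn_a: dict, conn_b: dict, key_a: str, key_b: str) -> str:
    """Mirror the last portal steps: connection status first, then shared-key agreement."""
    statuses = {c["name"]: c.get("connectionStatus") for c in (conn_a, conn_b)}
    if all(s == "Connected" for s in statuses.values()):
        return "healthy"
    if key_a != key_b:
        return (f"shared-key mismatch: {conn_a['name']}={key_fingerprint(key_a)} "
                f"{conn_b['name']}={key_fingerprint(key_b)}")
    return f"not connected {statuses} but keys match; check gateway types and address spaces"


def diagnose(rg: str = "rg-vpn-lab") -> list:
    """Live run: the same checks over real `az ... show` output for the exercise's resources."""
    gws = {n: az_json("network", "vnet-gateway", "show", "-g", rg, "-n", n)
           for n in ("VNet1GW", "VNet2GW")}
    vnets = {n: az_json("network", "vnet", "show", "-g", rg, "-n", n)
             for n in ("VNet1", "VNet2")}
    conns = {n: az_json("network", "vpn-connection", "show", "-g", rg, "-n", n)
             for n in ("VNet1-VNet2", "VNet2-VNet1")}
    keys = {n: az_json("network", "vpn-connection", "shared-key", "show",
                       "-g", rg, "--connection-name", n)["value"] for n in conns}
    findings: list = []
    for gw in gws.values():
        findings += gateway_problems(gw)
    findings += address_space_overlap(vnets["VNet1"], vnets["VNet2"])
    for v in vnets.values():
        findings += subnets_outside_vnet(v)
    findings.append(connection_verdict(conns["VNet1-VNet2"], conns["VNet2-VNet1"],
                                       keys["VNet1-VNet2"], keys["VNet2-VNet1"]))
    return findings


# Constructed sample data shaped like `az ... show -o json`, reproducing the
# exercise's symptoms: gateways and address spaces are fine, only the keys differ.
SAMPLE_GW = {"name": "VNet1GW", "gatewayType": "Vpn", "vpnType": "RouteBased"}
SAMPLE_VNET1 = {"name": "VNet1", "addressSpace": {"addressPrefixes": ["10.1.0.0/16"]},
                "subnets": [{"name": "default", "addressPrefix": "10.1.0.0/24"},
                            {"name": "GatewaySubnet", "addressPrefix": "10.1.255.0/27"}]}
SAMPLE_VNET2 = {"name": "VNet2", "addressSpace": {"addressPrefixes": ["10.2.0.0/16"]},
                "subnets": [{"name": "default", "addressPrefix": "10.2.0.0/24"},
                            {"name": "GatewaySubnet", "addressPrefix": "10.2.255.0/27"}]}
SAMPLE_CONN_A = {"name": "VNet1-VNet2", "connectionStatus": "NotConnected"}
SAMPLE_CONN_B = {"name": "VNet2-VNet1", "connectionStatus": "NotConnected"}

if __name__ == "__main__":
    print(gateway_problems(SAMPLE_GW), address_space_overlap(SAMPLE_VNET1, SAMPLE_VNET2))
    print(connection_verdict(SAMPLE_CONN_A, SAMPLE_CONN_B, "key-on-vnet1", "key-on-vnet2"))
```

Running the file as-is exercises the constructed sample and reports the shared-key mismatch; calling diagnose() from Cloud Shell after az login runs the same checks against the real gateways, connections and virtual networks. The keys are compared by SHA-256 fingerprint rather than printed, so the script can be pasted into a ticket without leaking the pre-shared key. Resolving the mismatch is the subject of the next exercise; on the CLI the equivalent of the portal's Shared key page is az network vpn-connection shared-key update, which must be applied to both connections with the same value.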
