Azure Network Watcher | Connection troubleshoot -- NoRouteLearned - azure-virtual-network

Not able to RDP to the azure vm from vm located in another vnet.
Vnet to vnet has site to site vpn connection and when i perform Network Watcher | Connection troubleshoot i can see that traffic is reaching from source vm ---> AzureFW-->-Source VPN GW---> Destination VPN GW---- then it point to destination vm ip as next hop and getting error message as listed below
Next hop IP address
RTT from source (ms)
Issue
{"origin":"Local","severity":"Warning","type":"NoRouteLearned","context":[]}
Checked NSG diag , IP Flow, Next hop and confirmed that it is working fine

If I understand correctly, you are facing the issue above with Connection Troubleshooting feature of Azure Network Watcher and you have confirmed via NSG diag , IP Flow that you have set-up the connectivity correctly.
This is a known issue about the Connection Troubleshooting feature of Azure Network Watcher and the team is currently working on fixing this issue. You can use Connection Monitor instead to test this connectivity. Hope this helps!

Related

Azure Synapse Private Endpoints TrustFailure SSL/TLS secure channel

I am trying to connect from a client in vnet A to a Synapse Workspace and storage account in vnet b using private endpoints.
All traffic between the two vnets is routed via a third party firewall.
The firewall allows all traffic:
If I try to open Synapse Studio I receive an error 'Failed to load'. When I run the the Powershell Script provided by Microsoft to test the connection, I receive a TrustFailure on the 'dev' and 'sqlondemand' private endpoints:
Does someone know what causes this problem and how I can fix it?
I tried:
Allowing any applications on the firewall rules
Allowing Azure services and resources to access workspace on network settings of Synapse Workspace
tweaking network settings of the workspace instance
Thank you GregGalloway for your guidance in the comments; the DNS records were wrongly configured. The 'dev' FQDN resolved to the 'sqlondemand' private ip and vice versa. After correcting this, the errors disappeared.

Azure VM Disconnects after changing DNS

I have an public Azure VM instance running Windows 10 . I changed the DNS to Google DNS and I loose RDP connection. Why?
While changing the DNS servers, please follow below steps:
Changing the DNS servers to Google DNS servers can be done via Azure portal or PowerShell.
From Azure Portal, Navigate to your VNET, click on DNS servers and enter the DNS server IPs.
After doing changes to DNS, Virtual Machine need a reboot. Make sure to reboot the VM.
This change can be done on the NIC of Virtual Machine not on the OS level.
Resize the Virtual Machine, if reboot doesn't restore connectivity. This should return the RDP and the DNS entry you defined.
Try redeploying the Virtual machine.
Otherwise, Try resetting the Remote Desktop configuration.
Try Checking the Network Security Group rules.
Try Resetting the NIC for the VM.
To know more in detail, please refer below links:
Lost connectivity to Azure VM after changing DNS to automatically obtain DNS - Microsoft Q&A.
Cannot connect with RDP to a Windows VM in Azure - Virtual Machines | Microsoft Docs
VM getting disconnected after changing preferred DNS IP (microsoft.com).
Change VM DNS Servers - Microsoft Q&A.

No access to Azure Storage Account which has virtual network only access, despite a succesful Point2site connection to that virtual network

I want to restrict access to my Azure storage account to selected networks only (please see image).
Current network restriction setting
My current set up is as follows:
I have an Azure Storage account, with blob containers and tables.
Only selected networks can access this storage account (please see the first image above). I've selected the gateway subnet (I've tried to add other subnets within the same virtual network, to no avail).
I have selected a virtual network call. All service endpoints for this network are set up correctly ('storage-service endpoint' is 'succesful'). The subnet involved is gateway subnet.
I also have a virtual gateway which is placed inside this virtual network. With (of course) the gateway subnet assigned to it.
Subnet endpoint permission
I have a point2site VPN connection (using Azure VPN client) to connect to this virtual network from my local machine (see image below).
This connection has been set up as well, using Active Directory as authentication method. All seems correctly working.
The virtual gateway to which the VPN connects, can see the active connection (see image below)
Obviously, I'm doing something wrong, so any help is very much welcome!
Regards,R.
VPN connection details
I have a point2site connection to the virtual network that is granted access to this storage account (see images below).
The point2site connection looks good (see image below), but I still can't access the storage account.
Current connection in azure VPN client
Current view of active connection to Virtual Gateway that connects to this Vnet.
Any help is much appreciated!
I tried to reproduce your scenario that can be possible with setting the private end point in storage account and azure VPN client.
you need to create and configure a Private End Point under the subnet you have the storage account exists.
Go to 'Private Endpoint Connection' under settings of storage account in azure portal as below:
Connected with Vnet using Azure VPN client .
Now you can map network drive on this pc using this format
\\Private IP Address or FDQN \Filesharename
For me there is one blockage.it error: Unable to reach the Azure storage account via port 445. I can’t add port 445 in my system if you have port number 445 you can be able to access the file share if not add port 445 so the SMB traffic over this port.
Note: Disable the firewall/ anti-virus temporarily installed on your computer.
Reference: https://learn.microsoft.com/en-us/azure/storage/files/storage-troubleshoot-windows-file-connection-problems

How do I make VPN connection working from Azure VM?

I have created Virtual Network Connection.
I have created Connection for Site to Site(IPSec) which connects to VMWare-snx
Connection status is "Connecting". (Also connection from VMWare SNX side)
I have VM in subnet. VNet is same as with Gateway Subnet.
I try to ping or RDP to VM in VMWare side, but do not have connection.
Did I understand correctly that I should have automatically connection from all subnet in VNet.
No routing is needed between Gateway Subnet and others?
Is there any way to troubleshoot if ping passed Azure VPN?
https://vzerotohero.com/2017/03/step-by-step-deploy-vmware-nsx-with-microsoft-azure-ipsec-vpn-site-to-site/
If the VPN connection is set up well, the Connection status should be "connected". Please follow the step by step in the article, especially the note things:
NSX VPN as of now only supports Policy-Based VPN type.
PFS: Disable Perfect Forward Secrecy since its not supported with Azure Static-Policy based VPN.

Activating a VPN on Google Cloud Compute VM is terminating my connection

I have spun up a Google Cloud Compute virtual machine. It's a vanilla Windows Server 2016 image, and I can log in and see the desktop. I do that by downloading the RDP file and running it.
Due to a license manager for software I'm installing, I need to VPN to my own network. In "Settings -> Network", I add a new VPN connection (using the same creds I use on my machine) and click Connect. It makes an initial connection, verifies my credentials, but during the final stage, my RDP connection to the GCP VM ends.
What is really strange is that, sometimes, I can reconnect successfully after a few minutes and the VPN connection was successful. Sometimes I can't reconnect.
Any ideas?
The VPN connection added as such will be a force tunneled VPN which then adds a default route over the VPN interface on the VM disrupting your connection. The easiest way for maintaining the connection would be to do either of 2 things
Make the VPN split tunneled and add a route for the licensing box. You can do this by using the Set-VPNConnection Powershell commandlet and then adding a route using the route add command in an administrative command prompt
Add a more specific route for the IP Address by which u access the VM using the route add command
UPDATE: Simply setting the VPN to use split tunneling in PowerShell solved the problem.
Use: (Replace "VPNsName" with your VPNs Name)
Set-VpnConnection -Name "VPNsName" -SplitTunneling 1