Are point to site VPN clients supposed to support peered VNETs? - azure-virtual-network

I have a P2S SSTP connection to VNET1. VNET1 is peered to VNET2. The VPN client does not add the address space of VNET2, and hence routing from the P2S client to VNET2 never works. Are SSTP VPN clients supposed to add routes for all peered VNETs to the installation file?

Yes, the VPN clients get routes to the directly peered VNets in the downloaded VPN client file. In this case, you need to configure a hub-spoke network topology in Azure.
To allow gateway traffic to flow from spoke to hub, and to connect to remote networks, you must:
Configure the peering connection in the hub (VNet1, which has the gateway subnet) to allow gateway transit.
Configure the peering connection in each spoke (VNet2, which has no gateway subnet) to use remote gateways.
You can get more information from the step-by-step guide to working with P2S VPN in a similar scenario.

Related

How do I make VPN connection working from Azure VM?

I have created a Virtual Network Connection.
I have created a Site-to-Site (IPsec) connection which connects to VMware NSX.
The connection status is "Connecting" (also from the VMware NSX side).
I have a VM in a subnet; the VNet is the same one that has the Gateway Subnet.
I try to ping or RDP to a VM on the VMware side, but there is no connection.
Did I understand correctly that I should automatically have a connection from all subnets in the VNet?
Is no routing needed between the Gateway Subnet and the others?
Is there any way to troubleshoot whether the ping passed through the Azure VPN?
https://vzerotohero.com/2017/03/step-by-step-deploy-vmware-nsx-with-microsoft-azure-ipsec-vpn-site-to-site/
If the VPN connection is set up well, the Connection status should be "Connected". Please follow the step-by-step in the article, especially the notes:
NSX VPN currently only supports the Policy-Based VPN type.
PFS: disable Perfect Forward Secrecy, since it is not supported with Azure static policy-based VPN.
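The checks the answer above relies on (connection status, policy-based VPN type, and whether traffic actually entered the tunnel), as an added PowerShell example using the Az module; this is not code from the question, the answer, or the linked article. The resource group `rg-net`, connection `azure-to-nsx`, gateway `vnet-gw`, and the on-premises test address `192.168.10.10` are assumed names; run it from the Azure VM that is doing the pinging so the byte counters reflect that traffic.

```powershell
# Added example (not from the original Q&A). Assumed names: resource group 'rg-net',
# S2S connection 'azure-to-nsx', VPN gateway 'vnet-gw', on-prem host 192.168.10.10.
# Requires the Az module and an authenticated session (Connect-AzAccount).
$rg = 'rg-net'

# 1. Status as Azure sees it. Anything other than 'Connected' means IKE/IPsec
#    negotiation has not completed, so no data-plane traffic can flow yet.
$conn = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name 'azure-to-nsx'
'Status: {0}  Type: {1}  Ingress bytes: {2}  Egress bytes: {3}' -f `
    $conn.ConnectionStatus, $conn.ConnectionType,
    $conn.IngressBytesTransferred, $conn.EgressBytesTransferred

# 2. The answer notes NSX only supports policy-based VPN, so check the gateway's
#    VpnType before chasing anything else.
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'vnet-gw'
if ($gw.VpnType -ne 'PolicyBased') {
    Write-Warning ("Gateway VpnType is {0}; the linked article pairs NSX with a PolicyBased " +
                   "gateway (New-AzVirtualNetworkGateway -VpnType PolicyBased -GatewaySku Basic)." -f $gw.VpnType)
}

# 3. Only prefixes listed on the local network gateway are sent into the tunnel;
#    the host you ping must fall inside one of them.
$lngName = $conn.LocalNetworkGateway2.Id.Split('/')[-1]
$lng = Get-AzLocalNetworkGateway -ResourceGroupName $rg -Name $lngName
"On-prem VPN device IP:      $($lng.GatewayIpAddress)"
"On-prem prefixes in tunnel: $($lng.LocalNetworkAddressSpace.AddressPrefixes -join ', ')"

# 4. Did the ping enter the tunnel? Read the egress counter, send traffic, re-read.
#    Counters lag a little, hence the pause.
$before = $conn.EgressBytesTransferred
Test-Connection -ComputerName 192.168.10.10 -Count 4 -ErrorAction SilentlyContinue | Out-Null
Start-Sleep -Seconds 30
$after = (Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name 'azure-to-nsx').EgressBytesTransferred
$delta = $after - $before
if ($delta -le 0) {
    "No egress bytes after the ping: traffic never reached the tunnel (check the local network gateway prefixes, NSGs, and that the status is Connected)."
} else {
    "Egress grew by $delta bytes: the ping was sent through the tunnel; if there is still no reply, look at the NSX side (PFS, return route, firewall)."
}
```

The egress/ingress byte counters are the quickest way to split the problem in two: zero egress means the packet was never handed to the gateway, while egress without ingress points at the VMware side.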

Site-2-Site between 2 Azure VNETs

Configuring a VNet-to-VNet connection is the preferred option to easily connect VNets if you need a secure tunnel using IPsec/IKE. In this case the documentation says that traffic between VNets is routed through the Microsoft backbone infrastructure.
According to the documentation, a Site-to-Site connection is also possible:
If you are working with a complicated network configuration, you may prefer to connect your VNets using the Site-to-Site steps instead of the VNet-to-VNet steps. When you use the Site-to-Site steps, you create and configure the local network gateways manually.
In this case we have control over the configuration of the local network address space, but we need to expose public IPs. The documentation doesn't say anything about where the traffic goes (Azure internal or the public internet).
My question is: in this scenario, S2S between VNets, is the traffic routed through the Azure infrastructure as in the VNet-to-VNet case, or does the communication go through the public internet?
Edit:
The traffic in an S2S connection between VNets is routed through the Microsoft backbone network. See this doc:
Microsoft Azure offers the richest portfolio of services and capabilities, allowing customers to quickly and easily build, expand, and meet networking requirements anywhere. Our family of connectivity services span virtual network peering between regions, hybrid, and in-cloud point-to-site and site-to-site architectures as well as global IP transit scenarios.

Add Peering Does Not Detect Gateway Subnet

Repro
1. Via the Azure Portal, add a VNet.
2. Go back into the VNet just created and add a Gateway Subnet.
3. From within the same VNet, try to add a peering, select the peer VNet and check the "Allow gateway transit" checkbox.
Results - "Neither vnet-xxx nor vnet-yyy has a gateway configured. The gateway transit setting requires there to be a gateway in one virtual network in the peering. Please unselect the gateway transit setting to continue, or navigate to one of the virtual networks and add a gateway."
I have many other VNets and peerings set up in the same manner and they all work. Going into the VNet peering configuration I can see the same error message; however, the checkbox is checked and it works.
The UI for adding a peering appears to have changed since I last added a VNet and peering, as I have never seen this error message before when using the old peering configuration UI.
FWIW, I am trying to create a VNet to be used by an App Service that will peer to a VNet that has my managed SQL connected.
As the error message indicates, you have to have a gateway configured in one of the peered VNets when enabling gateway transit. Adding only a Gateway Subnet is not enough; you have to deploy a VPN gateway in the VNet in this case.
If you want to use VNet Integration (the "Add VNet" preview), no gateway is required, and the web app and VNet must be in the same region. But it seems that you are not using gateway transit, since no gateway is configured in this case. The document just states this:
If you are using peering with the regional VNet Integration, you do
not need to do any additional configuration.
This indicates that only the existing VNet Integration supports gateway transit currently. I'm not sure whether the new VNet Integration will support this feature in the future, since it's still in preview. Additionally, you can get more details from another question about the existing VNet Integration and VNet peering that I answered.

Access Azure SQL Database when connected to VNET via Client Gateway

I have an Azure virtual network and I connect to the network using Point-to-point with the VPN client downloaded from Azure. This works as expected, as I can now RDP to VMs in the VNet if required.
I also have an Azure SQL Server instance, and in the firewall section I have added the VNet above to the virtual network rule list.
With my work laptop, I was now hoping that I would be able to connect to the VNet using the VPN client and then access the SQL database using SSMS. However, when I try to connect I get a message telling me that I cannot access the server and instead need to add my client IP to the firewall rule list, which is what I was trying to avoid doing.
Is there something else I need to be doing here to get this working?
If you just use an Azure SQL Database, which is a PaaS service in Azure, it is not itself located inside a VNet. You can directly add the client's public IP in the firewall of the Azure SQL server, but this is not what you want. You need to place it inside a VNet, and then you can do the following.
If you are using a SQL Managed Instance, which is located inside a VNet, and want to access the database instance from on-premises with a private address, you need a VPN or ExpressRoute connection between on-premises and the Managed Instance VNet.
Now that you have a P2S VPN connection, you still need to set up VNet peering with gateway transit between the P2S VNet and the SQL instance VNet. Note: to use remote gateways or allow gateway transit, the peered virtual networks must be in the same region. To do so, make the following specific changes under the Peering settings:
In the VNet that hosts the VPN gateway, go to Peerings, then to the Managed Instance peered VNet connection, and then click Allow gateway transit.
In the VNet that hosts the Managed Instance, go to Peerings, then to the VPN gateway peered VNet connection, and then click Use remote gateways.
Once the peering is complete, you can check its status in the Azure portal. You need to remove the VPN client, re-download it, and reinstall it on your laptop; this updates the routes on the client side.
If you've established the on-premises to Azure connection successfully and you still can't connect to the Managed Instance, check whether your firewall allows outbound connections on SQL port 1433 as well as the 11000-12000 port range used for redirection.
For more reference, you can read Connect your application to Azure SQL Database Managed Instance.
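The same hub-spoke configuration is described three times on this page: in the first answer (P2S client routes to a peered VNet), in the "Add Peering Does Not Detect Gateway Subnet" answer (a gateway must actually be deployed, not just a GatewaySubnet), and in the Managed Instance answer just above (allow gateway transit on the hub, use remote gateways on the spoke, then re-download the client). The following is an added PowerShell (Az module) example that carries out those steps end to end and verifies the result; it is not code from any of the answers. The resource group `rg-net`, the VNet names `vnet-hub` (holding the gateway) and `vnet-spoke` (holding the VMs or the Managed Instance), and the peering names are assumptions.

```powershell
# Added example (not from the original answers). Assumed names: resource group
# 'rg-net', hub VNet 'vnet-hub' (GatewaySubnet + P2S VPN gateway), spoke VNet
# 'vnet-spoke' (VMs / SQL Managed Instance). Requires the Az module and
# an authenticated session (Connect-AzAccount).
$rg    = 'rg-net'
$hub   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
$spoke = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-spoke'

# 1. A GatewaySubnet alone is not enough: the portal error quoted above appears
#    when no VPN gateway is deployed. Find a gateway whose IP configuration sits
#    in one of the hub's subnets before enabling transit.
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg |
      Where-Object { $_.IpConfigurations.Subnet.Id -like "$($hub.Id)/subnets/*" }
if (-not $gw) {
    throw "No VPN gateway deployed in $($hub.Name); create one with New-AzVirtualNetworkGateway before enabling gateway transit."
}

# 2. The answer above notes gateway transit / remote gateways need both VNets in
#    the same region.
if ($hub.Location -ne $spoke.Location) {
    throw "Hub ($($hub.Location)) and spoke ($($spoke.Location)) are in different regions."
}

# 3. Hub side: let the spoke use the hub's gateway.
Add-AzVirtualNetworkPeering -Name 'hub-to-spoke' `
    -VirtualNetwork $hub -RemoteVirtualNetworkId $spoke.Id `
    -AllowGatewayTransit -AllowForwardedTraffic | Out-Null

# 4. Spoke side: send traffic for remote networks (the P2S clients) via the hub's gateway.
Add-AzVirtualNetworkPeering -Name 'spoke-to-hub' `
    -VirtualNetwork $spoke -RemoteVirtualNetworkId $hub.Id `
    -UseRemoteGateways -AllowForwardedTraffic | Out-Null

# 5. Verify both directions are Connected and the flags landed on the right side.
foreach ($p in @(@{ Vnet = $hub.Name; Name = 'hub-to-spoke' },
                 @{ Vnet = $spoke.Name; Name = 'spoke-to-hub' })) {
    $peer = Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $p.Vnet -Name $p.Name
    '{0,-13} state={1,-10} AllowGatewayTransit={2,-5} UseRemoteGateways={3}' -f `
        $p.Name, $peer.PeeringState, $peer.AllowGatewayTransit, $peer.UseRemoteGateways
}

# 6. An already-installed client package does not learn new routes. Regenerate it
#    so the spoke's address space is included, then reinstall it on the laptop.
$clientCfg = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gw.Name -AuthenticationMethod EapTls
Invoke-WebRequest -Uri $clientCfg.VpnProfileSASUrl -OutFile "$env:TEMP\vpnclient.zip"

# 7. On the laptop, after reconnecting: each spoke prefix should be a route on the
#    VPN adapter. A missing route means the installed client package is stale.
foreach ($prefix in $spoke.AddressSpace.AddressPrefixes) {
    $route = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $prefix -ErrorAction SilentlyContinue
    if ($route) { "route for $prefix present (ifIndex $($route.InterfaceIndex))" }
    else        { "no route for $prefix; reinstall the regenerated VPN client package" }
}
```

Steps 1 to 6 run from an administrator workstation against the subscription; step 7 runs on the laptop after the new package is installed and the SSTP session is up. If the route is present but SSMS still fails, the remaining suspects are the 1433 and 11000-12000 outbound ports mentioned in the answer, not the peering.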

Hosting a WCF service behind a proxy, firewall

We have created a WCF service using net.tcp, in the anticipation that the service can work behind a firewall that accepts only the HTTP port. A client behind a firewall should also be able to access it.
Do we need to host the service on a static, public IP so that any client from any network can connect to it?
Ideally, we would like to host the service on a node behind a firewall (say on 192.168.0.199) so that a client on some other network could connect to it.
Please suggest.
Well, either you need to make the service publicly visible somehow, using a public IP, or by routing a publicly visible IP on your corporate firewall to your internal server. But yes, it needs to be publicly visible one way or another.
The other option would be to connect it to the Windows Azure Service Bus. In that case, you could keep it behind the firewall and just establish a publicly visible IP "in the cloud" that will then route the traffic to your web server.
Marc
I may be off on this, but a WCF client should have no issues communicating with a WCF server behind a firewall. Even application-level firewalls are OK in this scenario, as long as you configure them not to inspect past layer 4. Do not authenticate or do anything with your traffic at the firewall; simply NAT it to an inside IP address and you should be OK.
A couple of notes: transport security might be a little better in this observer's view, but both transport-level and message-level security in WCF should work without problems through firewalls. If you need message streaming, though, then you are stuck with transport-level security.
If your firewall (or one of your firewalls) happens to be Microsoft ISA or TMG type device, you may find this helpful: http://www.run-corp.com/how-to-configure-wcf-application-on-microsoft-isa-tmg-firewall/.