The Issue
Recently one of my customers experienced an issue where we wanted to achieve the below. The reason was we wanted machines out on the internet to communicate with Active Directory Servers by using the Azure VPN Client.
The Investigation
So there are two ways to achieve a “Connection” between Virtual Networks. You can use VNET Peering or you can use VPN Gateways (VNET-to-VNET or Gateway-to-gateway) Connection.
Both of these scenarios will allow your machines in either VNET to communicate with machines in the other VNET. But currently is Unsupported for trying to achieve transit from a branch (ExpressRoute, Site-to-Site VPN, Point-to-Site VPN) over VNET peering if the peered VNET also has a Gateway in it.
VNET Peering
VPN Gateway
Not Supported
As mentioned when both VNETS have a gateway, the transit to the VPN Client (Point to Site) is not supported.
So without redeploying the ExpressRoute to be in coexisting connection (https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager) how do we get these Internet Based devices to communicate with a Server?
The Solution
Machines in the VPNVNET can communicate with machines in the MGVNET using either VNET peering (1) OR VPN Gateways (2). So if it is a Domain Controller you want, its easy enough to spin up a cheap A2v2 Server in VPNVNET and promote it as a DC. This will give your internet machine access to the DC and the traffic can flow as designed to other VNETs.
As always I hope this information was helpful and please feel free to correct me in any of the steps.
Additional Resources
https://azure.microsoft.com/en-us/blog/create-a-transit-vnet-using-vnet-peering/
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
Credit
Thanks Jorge Cortes Cano for leading me in the right direction with supportability.
You must log in to post a comment.