Recently one of my customers ran into an issue with the setup described below: we wanted machines out on the internet to communicate with Active Directory servers by using the Azure VPN Client.
So there are two ways to achieve a "connection" between virtual networks: you can use VNET peering, or you can use a VPN Gateway connection (VNET-to-VNET or gateway-to-gateway).
Both of these scenarios allow machines in either VNET to communicate with machines in the other VNET. But it is currently unsupported to transit from a branch (ExpressRoute, Site-to-Site VPN, Point-to-Site VPN) over VNET peering when the peered VNET also has a gateway in it.
As mentioned, when both VNETs have a gateway, transit to the VPN client (Point-to-Site) is not supported.
So, without redeploying the ExpressRoute as a coexisting connection (https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager), how do we get these internet-based devices to communicate with a server?
Machines in VPNVNET can communicate with machines in MGVNET using either VNET peering (1) or VPN gateways (2). So if it is a Domain Controller you need, it is easy enough to spin up a cheap A2v2 server in VPNVNET and promote it to a DC. This gives your internet machine access to the DC, and the traffic can then flow as designed to the other VNETs.
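Before deciding to build the extra DC, it helps to confirm which case you are actually in. The Az PowerShell snippet below is an added example (not from the original post) that checks whether both VNETs own a gateway, and whether the peering flags would otherwise allow Point-to-Site clients to transit from VPNVNET to MGVNET; it assumes a logged-in Az session, that the VNETs and their gateways sit in the same resource group, and the placeholder resource group name `rg-hub`.

```powershell
# Added example: audit whether P2S clients on VPNVNET's gateway can transit to MGVNET.
# Assumes Connect-AzAccount has already been run and that VNETs and gateways share one RG.
$rg      = 'rg-hub'    # assumed placeholder resource group
$vpnVnet = 'VPNVNET'   # VNET names as used in the post
$mgVnet  = 'MGVNET'

function Get-VnetGatewayCount {
    param([string]$ResourceGroup, [string]$VnetName)
    # A VPN/ExpressRoute gateway is anchored in the GatewaySubnet of one VNET;
    # count gateways whose IP configuration subnet belongs to this VNET.
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
    $gws  = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup
    @($gws | Where-Object {
        $_.IpConfigurations | Where-Object { $_.Subnet.Id -like "$($vnet.Id)/subnets/*" }
    }).Count
}

function Test-P2STransitOverPeering {
    param([string]$ResourceGroup, [string]$SourceVnet, [string]$TargetVnet)
    $srcGw = Get-VnetGatewayCount -ResourceGroup $ResourceGroup -VnetName $SourceVnet
    $tgtGw = Get-VnetGatewayCount -ResourceGroup $ResourceGroup -VnetName $TargetVnet
    # Peering objects exist on both sides; each side carries its own transit flags.
    $peer = Get-AzVirtualNetworkPeering -ResourceGroupName $ResourceGroup -VirtualNetworkName $SourceVnet |
            Where-Object { $_.RemoteVirtualNetwork.Id -like "*/virtualNetworks/$TargetVnet" }
    $remotePeer = Get-AzVirtualNetworkPeering -ResourceGroupName $ResourceGroup -VirtualNetworkName $TargetVnet |
            Where-Object { $_.RemoteVirtualNetwork.Id -like "*/virtualNetworks/$SourceVnet" }

    if (-not $peer -or $peer.PeeringState -ne 'Connected') { return "No connected peering $SourceVnet -> $TargetVnet" }
    if ($srcGw -eq 0) { return "$SourceVnet has no gateway, so P2S clients cannot land there" }
    if ($tgtGw -gt 0) {
        # The unsupported case from the post: both VNETs own a gateway, so the P2S
        # branch cannot transit the peering. Workaround: place the DC in $SourceVnet.
        return "UNSUPPORTED: both $SourceVnet and $TargetVnet have gateways; no P2S transit over peering"
    }
    if (-not $peer.AllowGatewayTransit)   { return "Enable AllowGatewayTransit on the $SourceVnet side of the peering" }
    if (-not $remotePeer.UseRemoteGateways) { return "Enable UseRemoteGateways on the $TargetVnet side of the peering" }
    return "OK: P2S clients on the $SourceVnet gateway can reach $TargetVnet via gateway transit"
}

Test-P2STransitOverPeering -ResourceGroup $rg -SourceVnet $vpnVnet -TargetVnet $mgVnet
```

If the result is the UNSUPPORTED line, that is exactly the situation the post describes, and hosting the DC in VPNVNET is the practical way around it.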
As always I hope this information was helpful and please feel free to correct me in any of the steps.
Thanks Jorge Cortes Cano for leading me in the right direction with supportability.