Access VM on Azure through a Classic VNET S2P VPN?

  • Question

  • Hi,

    I am trying to figure this out and have spent a fair amount of time researching. Maybe I am looking in the wrong places. I am currently evaluating Azure services and so far they have been great! But I don't have a paid subscription so I am hoping to get some answers here before I escalate.

    I have a few VMs that I created in the new Azure Portal with its own VNET (10.0.0.x). It's working great! Problem is, RDP is accessible virtually anywhere and that doesn't sit well with me. I believe I can make some rules etc., exclusions and so on. However, I'd much rather utilize this VPN feature.

    So I decided to create a VPN. Many of the sources I found point me to VNET Classic. So, I did it. I can successfully establish a connection to my VNET Classic S2P. However, my VMs sit on the newer VNET and I cannot ping them for the life of me. Even though I appear to be on the same subnet.

    Is this possible? How can I add these VMs to the resource network that has the VPN tunnel in full effect? My VMs don't appear in the Classic portal... ?

    Saturday, September 10, 2016 12:02 AM

Answers

  • Hello,

    Thank you for posting on the Azure forums!

    A couple of questions before we can proceed.

    1- The VMs you created; are they Classic VMs (V1) or are they Azure Resource Manager VMs (V2)?

    2- If they have been created in the resource manager model then the VNet under which these VMs are included is also a V2 VNet. Therefore you will have to set up a P2S VPN connection for the resource manager VNet. Classic VNet will not be of any use.

    You will have to look at configuring your VPN connection for ARM deployment and currently this can be done using only PowerShell. Refer to Configure a Point-to-Site connection to a VNet using PowerShell for instructions on how this is to be done.

    Alternatively, if your underlying concern is that RDP can be accessed from anywhere then I suggest you create an NSG rule to allow only those IP addresses of machines that need access to your VM via RDP. For the rest you can 'Deny' RDP access. Network security group (NSG) has steps to help you do this.

    Hope this helps.

    Regards,

    Loydon

    ________________________________________________________________________________________________________________
    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer so that other customers can benefit from it.

    Sunday, September 11, 2016 12:41 PM
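
The NSG approach suggested in the answer above, as an added example that is not part of the original thread: an allow rule for named admin addresses, a deny rule for every other source, and the NSG attached to the VMs' subnet. It assumes the current Az PowerShell module and a signed-in session; all resource names and addresses are hypothetical placeholders.

```powershell
# Added example. Every name and address below is a constructed placeholder.
$rg       = 'example-rg'        # hypothetical resource group
$location = 'eastus'            # hypothetical region; must match the VNet's region
$vnetName = 'example-vnet'      # hypothetical ARM VNet that holds the VMs
$subnet   = 'default'           # hypothetical subnet name
$adminIps = @('203.0.113.10/32', '203.0.113.24/32')   # documentation-range addresses

# Priority 100: allow RDP only from the approved admin addresses.
$allowRdp = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-Admins' `
    -Description 'RDP from approved admin addresses only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $adminIps -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '3389'

# Priority 200: deny RDP from every other source. Lower numbers are evaluated
# first, so this rule also overrides the default AllowVnetInBound rule (65000)
# for port 3389: any in-VNet source that needs RDP must be in $adminIps too.
$denyRdp = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-Other' `
    -Description 'Block RDP from all remaining sources' `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 200 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '3389'

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'example-rdp-nsg' -SecurityRules $allowRdp, $denyRdp

# Attach the NSG to the subnet so it applies to every VM placed there.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$cfg  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $cfg.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Review the custom rules in evaluation order.
$nsg.SecurityRules | Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

An NSG on the subnet is evaluated in addition to any NSG on a VM's network interface, and inbound traffic must be allowed by both.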

All replies

  • Hi,

    Thank you for posting here!

    We are checking on the query and would get back to you soon on this.

    I apologize for the inconvenience and appreciate your time and patience in this matter.

     

    Regards,

    Vikranth S.

    Saturday, September 10, 2016 7:06 PM
  • Thanks Loydon! Sorry for the delay in response. I didn't get notified of someone posting on my thread.

    I'll give this a read and see how it works! 

    Wednesday, September 14, 2016 4:51 PM
  • Loydon, this worked like a charm and I was able to create a VPN in ARM with no issues via PowerShell. Thank you for this.

    Now I am wondering how I can move some of my existing / running VMs into this VNET with VPN enabled. Any recommendations on that? I've tried to create a VM on the new VNET a few times, and it errors out after nearly 3+ hours of processing the new VM. The error I get is as follows.


    Error Details:
    At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. (Code: DeploymentFailed)

    The resource operation completed with terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure).


    Thursday, September 15, 2016 4:32 PM
  • Hello Zenki,

    You cannot add an existing VM to a VNet as it is. You will have to delete the VM, keep the attached disks and then create a new VM in the same region as the VNet, attaching these disks to it. There is no option to move a resource between VNets.

    Regards,

    Loydon


    Thursday, September 15, 2016 5:46 PM
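
The delete-and-recreate procedure from the last reply, as an added example that is not part of the original thread. It assumes the current Az PowerShell module, a Windows VM on managed disks, and a target VNet in the same region and resource group; all names are hypothetical placeholders. The new network interface gets no public IP, so the VM is reachable only from inside the VNet (for example over the VPN).

```powershell
# Added example. Every name below is a constructed placeholder.
$rg       = 'example-rg'          # hypothetical resource group
$vmName   = 'example-vm'          # hypothetical VM to relocate
$vnetName = 'example-vpn-vnet'    # hypothetical VNet that has the VPN gateway
$subnet   = 'default'             # hypothetical target subnet

# 1. Record everything needed for the rebuild before deleting anything.
$old       = Get-AzVM -ResourceGroupName $rg -Name $vmName
$osDiskId  = $old.StorageProfile.OsDisk.ManagedDisk.Id
$dataDisks = $old.StorageProfile.DataDisks |
    Select-Object Lun, @{ Name = 'Id'; Expression = { $_.ManagedDisk.Id } }
$size      = $old.HardwareProfile.VmSize
$location  = $old.Location        # must equal the target VNet's region

# Stop if the OS disk is set to be deleted together with the VM.
if ($old.StorageProfile.OsDisk.DeleteOption -eq 'Delete') {
    throw "OS disk of $vmName is marked delete-with-VM; change that first."
}

# 2. Delete the VM resource only; the disks stay in the resource group.
Remove-AzVM -ResourceGroupName $rg -Name $vmName -Force

# 3. Create a network interface in the target subnet, without a public IP.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$sub  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
$nic  = New-AzNetworkInterface -ResourceGroupName $rg -Location $location `
    -Name "$vmName-nic-vpn" -SubnetId $sub.Id

# 4. Rebuild the VM around the existing disks and the new interface.
$new = New-AzVMConfig -VMName $vmName -VMSize $size
$new = Set-AzVMOSDisk -VM $new -ManagedDiskId $osDiskId -CreateOption Attach -Windows
foreach ($d in $dataDisks) {
    $new = Add-AzVMDataDisk -VM $new -ManagedDiskId $d.Id -Lun $d.Lun -CreateOption Attach
}
$new = Add-AzVMNetworkInterface -VM $new -Id $nic.Id -Primary
New-AzVM -ResourceGroupName $rg -Location $location -VM $new
```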