Before we check the connection, we should peer the Hub and Spoke networks. Please follow the steps below to enable VNet peering between the Hub and the Spoke.
In hub-and-spoke network architecture, gateway transit allows spoke virtual networks to share the VPN gateway in the hub, instead of deploying VPN gateways in every spoke virtual network.
Go to the Hub VNet and select the peering option.
- Peering link name: Name the link. Example: spoke-to-hub
- Virtual network deployment model: Resource Manager
- I know my resource ID: Leave blank. You only need to select this if you don't have read access to the virtual network or subscription you want to peer with.
- Subscription: Select the subscription.
- Virtual Network: Select the spoke VNet from the dropdown.
The peering connection should be configured as shown in the screenshot below.
To check the connection between the on-prem and the hub network, we are going to deploy the Windows Jump host on the spoke VNet and deploy the Windows VM in the on-prem VNet.
Step 1:
Create a Windows Jump Host in the spoke VNet. Also, please keep in mind that, by default, Azure blocks ICMP traffic, so we need to add inbound and outbound rules to the Windows Jump Host to allow ICMP. Please refer to the NSG rule below.
One more thing: the Windows machine firewall also blocks ICMP traffic, so you need to enable the following rule in Windows Firewall: File and Printer Sharing (Echo Request - ICMPv4-In).
Also, add the remote IP address range to the scope, as shown in the screenshot below. I spent 3 days finding these settings. 🙂
Open Windows PowerShell on the Jump Host and run the tnc (Test-NetConnection) command to check the RDP connection to the remote network, as shown in the screenshot below.
Step 2:
Create a Windows machine in the spoke VNet. As you may already know, by default, Azure blocks ICMP traffic, so we need to add inbound and outbound rules to the Windows VM to allow ICMP. Please refer to the NSG rule below.
Here, we also need to modify the Windows Firewall settings as we did before, enabling the File and Printer Sharing (Echo Request - ICMPv4-In) rule.
Open Windows PowerShell on the Windows VM and run the tnc (Test-NetConnection) command to check the RDP connection to the remote network, as shown in the screenshot below.
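As an added example (not part of the original post), here are the NSG rules, the Windows Firewall change and the tnc checks from Steps 1 and 2 written as PowerShell instead of portal clicks; it assumes a current Az.Network module for Part A, and the resource group, NSG name and address ranges are placeholders to replace. The peering itself stays as the portal steps described above.

```powershell
# Added example, not the post's own code. Names and address ranges are assumptions.
$rg        = 'rg-hub-spoke'      # assumed resource group
$nsgName   = 'nsg-jumphost'      # assumed NSG attached to the jump host subnet or NIC
$remoteNet = '10.100.0.0/16'     # assumed remote (on-prem) address range
$remoteVm  = '10.100.1.10'       # assumed remote Windows VM address

# --- Part A (run where the Az module is installed): allow ICMP in both directions on the NSG.
# The source/destination is scoped to the remote range rather than '*', so the jump host
# only answers pings from the network we are actually testing against.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-ICMP-In' -Direction Inbound -Access Allow `
    -Priority 300 -Protocol Icmp -SourceAddressPrefix $remoteNet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*' | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-ICMP-Out' -Direction Outbound -Access Allow `
    -Priority 300 -Protocol Icmp -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix $remoteNet -DestinationPortRange '*' | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# --- Part B (run inside the Windows VM, elevated): enable the built-in echo-request rule
# and restrict its remote scope to the peer range, the same change the post makes in the UI.
$ruleName = 'File and Printer Sharing (Echo Request - ICMPv4-In)'
Set-NetFirewallRule -DisplayName $ruleName -Enabled True -Profile Any -RemoteAddress $remoteNet
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress   # confirm the scope took effect

# --- Part C (run inside the Windows VM): the connectivity checks. tnc is the alias for
# Test-NetConnection. A failed ping together with a successful TCP 3389 test usually means
# ICMP is still blocked by the NSG or the firewall while routing via the hub gateway is fine.
$icmp = Test-NetConnection -ComputerName $remoteVm
$rdp  = Test-NetConnection -ComputerName $remoteVm -Port 3389
[pscustomobject]@{
    Target        = $remoteVm
    PingSucceeded = $icmp.PingSucceeded
    RdpTcpOpen    = $rdp.TcpTestSucceeded
    SourceAddress = $rdp.SourceAddress.IPAddress
}
```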
I referred to the following Microsoft documents to complete this setup. It took me a long time to figure things out—even though I had Microsoft documentation for reference, I was scratching my head trying to figure out the NSG rule and Windows Firewall. Eventually, I managed to resolve it.
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
If I’ve made any mistakes or incorrectly mentioned any steps, please feel free to let me know in the comments section. Happy learning! I’ll try to post another interesting project soon. See you all :)