Posted inNetworking

vpn – Why is NAT rule interfering with private IP RDP connectivity in my Azure network?


Firstly I’m not an Azure networking expert…

I am attempting to configure an Azure Virtual Machine within a Azure Virtual Network which has NAT rules applied to outgoing traffic over a s2s-vpn connection, but can still be RDP enabled for the private IP.

The s2s-vpn connection works, and it relies on NAT rules so traffic comes from the expected IP address. RDP into the public IP also works. But RDP into the private IP (when on the VPN) fails, and it appears to be incompatible with the NAT rule.

The configuration (public masked) is:

Virtual network:

- 10.0.0.0/16
- MyVMSubnet - 10.0.6.0/24
- Network Security Groups - none

Azure Virtual Machine:

- Windows Server 2022 Datacenter Azure Edition
- Private IP: 10.0.6.5 on MyVMSubnet subnet
- Public IP: 3.4.5.6 (example)
- Rules:
     Inbound: AllowCidrBlockRDPInbound 3389/TCP/Any/Any Allow
     Outbound: AllowVnetoutBound Any/Any/VirtualNetwork/VirtualNetwork Allow
- Application Security Groups - none
- Azure Virtual Network Manager - none

Virtual Network Gateway NAT rule

- Type: Static
- Mode: EgressSnat,
- Internal Mappings: 10.0.6.5/32
- External Mappings: 10.22.33.44/32   (this mapping is required for the s2s-vpn to work)
- Internal Port Mapping: 12345
- External Port Mapping: 2345
- Linked connection - the s2s-vpn connection

When NAT rule is not enabled, I can RDP in via the public IP, or the private IP (via Azure VPN).

When NAT rule is enabled – I can’t RDP in via the public IP, but NOT the private IP.

How can I configure the network and NAT rules such that I can still RDP in via the private IP?

Attempted solutions:

  • Add 10.0.6.0/24 to the VPN advertised route – no difference
  • VPN to externally mapped IP 10.22.33.44 – doesn’t work
  • Added Route Table with 10.0.6.5/32 mapped to VNetLocal (associated to the subnet of the VM)



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *