I'm facing a weird issue with my hub/spoke setup in Azure, where I have a VPN gateway in the hub that allows site-to-site connectivity. My resources in the spoke, including storage, SQL, and app services, are connected through private links, so they're not publicly accessible. I can access VMs directly from on-premises with no problems. However, I can't connect to any of the private link endpoints from on-prem, even though I can access the private links from the Azure VMs. I moved a VM to the same VNET and subnet as my SQL DB for testing, and I could RDP into it and connect to the SQL Server, but still no luck accessing it from on-prem. I've checked my NSG rules and everything looks good. The flow logs show traffic to my VM, but there's no log for the traffic from on-prem to SQL. I tried using a TAP, but that's not supported with private link addresses. What can I do to troubleshoot this connectivity issue?
3 Answers
Have you tried using Azure's private DNS? It can make things easier. If you're having issues with DNS resolution, it might be affecting your access, especially when bypassing it entirely by using the IP.
Make sure you've enabled the "Enforce UDR" option on your subnet as well. If this isn’t set, routes back to on-prem won’t be propagated, which could mean your return traffic is getting lost somewhere. This is a common pitfall.
It sounds like you might have a routing issue going on. NSG Flow Logs don’t work with Private Endpoint NICs, so you can’t rely on that for troubleshooting. Check your network policies for the Private Endpoints on your subnet and ensure the route table configuration is correct. There could be a hidden route in your VPN subnet that’s directing traffic incorrectly. Try disabling network policies to see if it helps; that could bypass any firewall rules you've got set up.
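To check the three things raised in the answers above (private endpoint network policies, route propagation back to on-prem, and whether the client's DNS answer actually lands in the endpoint subnet) in one pass, here is an added audit script that is not from any of the posters. It assumes you have saved the JSON output of `az network vnet subnet show` and `az network route-table show` for the spoke subnet; the subnet, route and address values below are constructed samples.

```python
import ipaddress
import json

# Constructed sample output shaped like `az network vnet subnet show` and
# `az network route-table show`; the IDs, names and prefixes are made up.
SUBNET_JSON = json.dumps({
    "name": "snet-sql",
    "addressPrefix": "10.20.1.0/24",
    "privateEndpointNetworkPolicies": "Disabled",
    "routeTable": {"id": "/subscriptions/x/resourceGroups/y/providers/"
                         "Microsoft.Network/routeTables/rt-spoke"},
})
ROUTE_TABLE_JSON = json.dumps({
    "name": "rt-spoke",
    "disableBgpRoutePropagation": True,
    "routes": [
        {"name": "to-onprem", "addressPrefix": "192.168.0.0/16",
         "nextHopType": "None", "nextHopIpAddress": None},
    ],
})
ONPREM_PREFIX = "192.168.0.0/16"  # constructed on-prem address range


def audit(subnet_json, rt_json, onprem_prefix, resolved_ip):
    """Return findings that would stop on-prem clients reaching a private endpoint."""
    subnet, rt = json.loads(subnet_json), json.loads(rt_json)
    onprem = ipaddress.ip_network(onprem_prefix)
    findings = []
    # 1. With network policies disabled, the subnet's NSG and route table are not
    #    applied to the private endpoint NIC, so NSG flow logs show nothing for it.
    if subnet.get("privateEndpointNetworkPolicies") == "Disabled":
        findings.append("PE network policies disabled: NSG/UDR not applied to endpoint")
    # 2. Disabling gateway route propagation drops the VPN gateway's routes, so
    #    replies from the endpoint subnet have no return path to on-prem.
    if subnet.get("routeTable") and rt.get("disableBgpRoutePropagation"):
        findings.append("route table drops gateway routes: no return route to on-prem")
    # 3. A UDR covering the on-prem prefix that does not point at the gateway or
    #    an NVA black-holes or misdirects the return traffic.
    for r in rt.get("routes", []):
        if (ipaddress.ip_network(r["addressPrefix"]).overlaps(onprem)
                and r["nextHopType"] not in ("VirtualNetworkGateway", "VirtualAppliance")):
            findings.append(f"route {r['name']}: {r['addressPrefix']} -> {r['nextHopType']}")
    # 4. The address the on-prem client resolves must fall inside the endpoint
    #    subnet; a public address means the private DNS zone was not consulted.
    if ipaddress.ip_address(resolved_ip) not in ipaddress.ip_network(subnet["addressPrefix"]):
        findings.append(f"{resolved_ip} not in {subnet['addressPrefix']}: public DNS answer")
    return findings


if __name__ == "__main__":
    for finding in audit(SUBNET_JSON, ROUTE_TABLE_JSON, ONPREM_PREFIX, "40.1.2.3"):
        print("-", finding)
```

Run it with the real JSON and the IP that `nslookup` of the SQL private link FQDN returns from an on-prem host; an empty list means none of these three causes applies and the problem lies elsewhere.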