0
votes

I've been trying to set up an App Service which communicates with a server in our on-premises environment. I've set up everything regarding the VNet, local network gateway, virtual network gateway, Point-to-Site and so on. I've also set up a Linux VM to enable testing; the VM can communicate with on-prem, and on-prem reaches our VM.

I also connected the App Service to the VNet, and it is able to tcpping the VM. But I can't get the App Service to communicate with the on-prem service.

In the App Service Plan everything looks normal: I can see all the subnets, Site-to-Site, Point-to-Site, and that the certificates are in sync.

But when I look at the Networking blade for the App Service itself, it does not show as connected, and Azure says that the certificates are not in sync. Could this be one of the reasons why the App Service and on-prem can't communicate? Do I have to add routes for the Point-to-Site range to the on-prem network?

[Image: Networking - App Service Plan]

[Image: Networking - App Service]

[Image: Networking - VNet Integration]

1
May I know if there is an update on your side? - Nancy Xiong
@NancyXiong-MSFT Everything is working now. I spoke with IT, and they had apparently missed some settings in their FW which blocked all requests from the App but only some from the VM in the VNet. - Crib

1 Answer

0
votes

If the networking for the App Service is working correctly, it should show as connected and the certificates should be in sync. One or more of the following actions may help:

  • Avoid picking IP address space that overlaps with other networks.

  • When the Site-to-Site VPN is first set up, the scripts used to configure it should set up routes including your Point-to-Site VPN. If you add the Point-to-Site VPN after you create your Site-to-Site VPN, you need to update the routes manually.

  • If the certificates or network information change, you need to click Sync Network to forcibly sync the certificates and ensure the security of the connection. NOTE: Clicking Sync Network causes a brief outage in connectivity between your app and your VNet. While your app is not restarted, the loss of connectivity could cause your site to not function properly.

You can get more details from the VNet Integration documentation.

Update

If your VNet-hosted VM can reach your on-premises system but your app can't, the reason is likely one of the following:

  • Your routes are not configured with your Point-to-Site IP ranges in your on-premises gateway.
  • Your network security groups are blocking access for your Point-to-Site IP range.
  • Your on-premises firewalls are blocking traffic from your Point-to-Site IP range.
  • You have a User Defined Route (UDR) in your VNet that prevents your Point-to-Site-based traffic from reaching your on-premises network.
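The answer's two lists (avoid overlapping address space; check routes, NSGs and UDRs for the Point-to-Site range) can be turned into a mechanical check. The following is an added example, not code from the original Q&A or from Microsoft: it evaluates a P2S client range against constructed NSG rules and an effective route table, in the field shapes that `az network nsg rule list -o json` and `az network nic show-effective-route-table -o json` produce, so you can feed it the real exports from a NIC in the VNet. Every address range, rule name and route below is hypothetical; the sample data is deliberately built so that each check fires, including the "VM works but app doesn't" pattern from the question (a rule scoped to the VM's subnet, not to the P2S pool).

```python
"""Check why a Point-to-Site (P2S) client range may fail to reach on-prem.

Added example, not from the original Q&A. Sample data is constructed in the
shape of `az network nsg rule list` / `az network nic show-effective-route-table`
output. All names and ranges are hypothetical.
"""
import ipaddress

# Constructed address spaces. "branch" overlaps "onprem" on purpose to show
# the overlap check from the answer's first bullet.
ADDRESS_SPACES = {
    "vnet": "10.1.0.0/16",
    "p2s_pool": "172.16.0.0/24",
    "onprem": "10.50.0.0/16",
    "branch": "10.50.128.0/17",
}

# Constructed NSG rules (az field names). Lowest priority number wins.
NSG_RULES = [
    {"name": "DenyP2SToOnPrem", "priority": 100, "direction": "Outbound",
     "access": "Deny", "sourceAddressPrefix": "172.16.0.0/24",
     "destinationAddressPrefix": "10.50.0.0/16", "destinationPortRange": "*"},
    {"name": "AllowOnPrem443", "priority": 200, "direction": "Outbound",
     "access": "Allow", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "10.50.0.0/16", "destinationPortRange": "443"},
]

# Constructed effective routes: the gateway-learned on-prem route plus a
# user-defined (UDR) more-specific route that black-holes part of on-prem.
EFFECTIVE_ROUTES = [
    {"addressPrefix": ["10.50.0.0/16"], "nextHopType": "VirtualNetworkGateway",
     "source": "VirtualNetworkGateway"},
    {"addressPrefix": ["10.50.10.0/24"], "nextHopType": "None", "source": "User"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet", "source": "Default"},
]


def overlapping_spaces(spaces):
    """Return name pairs whose CIDRs overlap (VNet, P2S pool, on-prem...)."""
    nets = {n: ipaddress.ip_network(c) for n, c in spaces.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def _prefix_hits(prefix, net):
    """True if an NSG prefix ('*' or a CIDR) covers any address in `net`.
    Service tags (e.g. VirtualNetwork) are not evaluated here and yield False."""
    if prefix == "*":
        return True
    try:
        return ipaddress.ip_network(prefix).overlaps(net)
    except ValueError:
        return False


def _port_hits(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def nsg_verdict(rules, src_cidr, dst_cidr, port, direction="Outbound"):
    """First matching custom rule by priority decides. If none matches, report
    ('Allow', 'DefaultRule'): Azure's built-in rules are not modelled here."""
    src, dst = ipaddress.ip_network(src_cidr), ipaddress.ip_network(dst_cidr)
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["direction"] == direction
                and _prefix_hits(r["sourceAddressPrefix"], src)
                and _prefix_hits(r["destinationAddressPrefix"], dst)
                and _port_hits(r["destinationPortRange"], port)):
            return r["access"], r["name"]
    return "Allow", "DefaultRule"


def route_for(routes, dst_ip):
    """Longest-prefix match over the effective route table."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        for p in r["addressPrefix"]:
            net = ipaddress.ip_network(p)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, r)
    return best[1] if best else None


def diagnose(dst_ip="10.50.10.5", port=443):
    """Run the answer's checks for the P2S pool and return a list of findings."""
    findings = [f"overlap: {a} and {b}" for a, b in overlapping_spaces(ADDRESS_SPACES)]
    access, name = nsg_verdict(NSG_RULES, ADDRESS_SPACES["p2s_pool"],
                               ADDRESS_SPACES["onprem"], port)
    if access == "Deny":
        findings.append(f"nsg: {name} denies the P2S range to on-prem:{port}")
    r = route_for(EFFECTIVE_ROUTES, dst_ip)
    if r is None or r["nextHopType"] != "VirtualNetworkGateway":
        hop = r["nextHopType"] if r else "nowhere"
        src = r["source"] if r else "n/a"
        findings.append(f"route: {dst_ip} goes to {hop} (source={src}), not the VPN gateway")
    return findings


if __name__ == "__main__":
    for line in diagnose():
        print(line)
```

The same NSG rule set returns Allow for the VM's subnet (source `*` matches it, and nothing denies it) while denying the P2S pool, which is exactly the asymmetry in the question; an on-prem firewall can be modelled the same way by exporting its rules into the `NSG_RULES` shape. Service tags are skipped rather than guessed, so a rule written with `VirtualNetwork` still needs a manual look.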