Hello @Jakub Pustelnik
I understand that you're trying to route traffic from a VPN client through a series of components (VPN client -> Spoke VPN Gateway -> Hub VNet Firewall -> Hub App Gateway -> Spoke VNet -> VPN client) but you are experiencing connection timeouts, which suggests that routing might not be configured properly.
However, I was able to replicate the scenario and successfully connect to the App GW on port 80 from Azure VPN client.
Deployed Hub VNet resources such as App Gateway, installed IIS on an Azure VM, and configured it as a backend pool for App GW with Azure Firewall to inspect the traffic as shown below.
Deployed a Spoke VNet named MyVMLab-vnet, which includes a VPN gateway and a test VM.
Configured P2S VPN on the Spoke VPN Gateway.
Routes on the Spoke VPN gateway subnet are configured to use the Azure Firewall private IP as the next hop.
Connectivity flow shows traffic is passing through Azure Firewall and connecting to the App Gateway.
From the P2S VPN client, I was able to connect to the App Gateway private IP on port 80.
Here are a few things to check from your end.
Ensure that the UDRs are correctly set up in your spoke VNet. The routes should point to the appropriate next hops, particularly the Azure Firewall for traffic going from Spoke to Hub.
Verify that there are no Network Security Group (NSG) restrictions that could be blocking traffic at the App Gateway.
Make sure that your P2S VPN configuration permits routing to both the Hub and Spoke VNets. Check whether your P2S clients have the routes of the Hub VNet: run the Route Print command (c:\> route print) on the VPN client machine.
Please verify the VNet peering settings between Spoke and Hub VNet, ensuring that "Allow forwarded traffic" and "Use Remote Gateway" options are enabled on the Hub VNet.
If you already have the VPN gateway on the Hub VNet, you cannot use the remote gateway option. Instead, you need to directly configure the P2S on the Hub VPN Gateway and route the traffic accordingly.
Confirm that your Firewall is configured to allow traffic between the specified VNets and that it has the right rules set up to allow this traffic flow.
If you've already covered all these checks and are still experiencing issues, please share the details below so I can assist you further.
- What specific UDR configurations are currently applied in both the Hub and Spoke VNets?
- How are you accessing the application gateway: on a private IP or a public IP?
- Are there any NSGs applied to your subnets, and if so, what rules do they contain?
- Are you using Azure Firewall or an NVA firewall? Do you see any traffic in the firewall logs from the VPN client to the App Gateway IP?
If the above information was helpful, please click "Accept" on the answer, as original posters help the community find answers faster by identifying the correct answer.
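As an added example (not part of the original answer), the UDR and peering checks listed above can be run against exported configuration rather than by clicking through the portal: this Python script takes route-table and peering JSON in the camelCase shape that `az network route-table show` and `az network vnet peering show` return (the firewall IP, hub prefix and sample objects are constructed, hypothetical values) and reports routes toward the hub that do not use the Azure Firewall private IP as next hop, plus peering flags that are off.

```python
import json
from ipaddress import ip_network

# Constructed sample data (hypothetical values), shaped like the camelCase JSON
# that `az network route-table show` / `az network vnet peering show` return.
FIREWALL_IP = "10.0.1.4"      # assumed Azure Firewall private IP in the hub
HUB_PREFIX = "10.0.0.0/16"    # assumed Hub VNet address space

GATEWAY_SUBNET_ROUTE_TABLE = json.loads("""{
  "name": "rt-spoke-gateway-subnet",
  "routes": [
    {"name": "to-hub", "addressPrefix": "10.0.0.0/16",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"}
  ]
}""")

HUB_TO_SPOKE_PEERING = json.loads("""{
  "name": "hub-to-spoke", "peeringState": "Connected",
  "allowForwardedTraffic": false, "useRemoteGateways": true
}""")


def route_problems(route_table, hub_prefix=HUB_PREFIX, fw_ip=FIREWALL_IP):
    """Return findings for routes toward the hub that bypass the firewall."""
    hub = ip_network(hub_prefix)
    covering = [r for r in route_table["routes"]
                if ip_network(r["addressPrefix"]).overlaps(hub)]
    if not covering:
        return [f"no UDR covers hub prefix {hub_prefix}; system routes will be used"]
    findings = []
    for r in covering:
        nh_ip = r.get("nextHopIpAddress")
        if r["nextHopType"] != "VirtualAppliance" or nh_ip != fw_ip:
            findings.append(f"route {r['name']} ({r['addressPrefix']}) next hop is "
                            f"{r['nextHopType']}/{nh_ip}, expected VirtualAppliance/{fw_ip}")
    return findings


def peering_problems(peering, hub_has_own_gateway=False):
    """Return findings for the hub-side peering settings the answer asks about."""
    findings = []
    if peering.get("peeringState") != "Connected":
        findings.append(f"peering {peering['name']} state is {peering.get('peeringState')}")
    if not peering.get("allowForwardedTraffic"):
        findings.append(f"peering {peering['name']}: Allow forwarded traffic is disabled")
    # Use Remote Gateway can only be set when the hub has no VPN gateway of its own.
    if not hub_has_own_gateway and not peering.get("useRemoteGateways"):
        findings.append(f"peering {peering['name']}: Use remote gateway is disabled")
    return findings


if __name__ == "__main__":
    for f in route_problems(GATEWAY_SUBNET_ROUTE_TABLE) + peering_problems(HUB_TO_SPOKE_PEERING):
        print("FINDING:", f)
```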