Configure Point-to-Site VPN Connection to VNet2

Resolve Connectivity Issue with Client1 and VNet2

Question

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.

On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.

You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2.

You need to ensure that you can connect Client1 to VNet2.

What should you do?

Answers

A. Select Allow gateway transit on VNet1.
B. Download and re-install the VPN client configuration package on Client1.
C. Enable BGP on VPNGW1.
D. Select Allow gateway transit on VNet2.

Correct answer: B

Explanations

Point-to-Site certificate authentication connections require the following prerequisites:

-> A RouteBased VPN gateway (called "Dynamic routing" in older Azure documentation). A PolicyBased ("static routing") gateway does not support point-to-site at all.

-> The public key (.cer file) for a root certificate, which is uploaded to Azure. This key is considered a trusted certificate and is used for authentication.

-> A client certificate generated from the root certificate, and installed on each client computer that will connect. This certificate is used for client authentication.

-> A VPN client configuration package must be generated and installed on every client computer that connects. The client configuration package configures the native VPN client that's already on the operating system with the necessary information to connect to the VNet.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
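The certificate prerequisites above, as an added PowerShell example that is not part of the original page or of Microsoft's documentation. It assumes resource group RG1, gateway VPNGW1 and the certificate subject names P2SRootCert and P2SChildCert; it is run on a Windows administrator workstation with the Az module installed and signed in with Connect-AzAccount.

```powershell
# Added example (not from the original page). Assumed names: RG1, VPNGW1,
# P2SRootCert, P2SChildCert. Requires the Az.Network module and an active
# Connect-AzAccount session for the upload step.

# 1. Self-signed root certificate. Only the public key leaves this machine;
#    the private key is what later signs client certificates, so keep it here.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate issued by that root. The EKU 1.3.6.1.5.5.7.3.2 (client
#    authentication) is required; the gateway checks the chain to the uploaded root.
$client = New-SelfSignedCertificate -Type Custom -DnsName 'P2SChildCert' -KeySpec Signature `
    -Subject 'CN=P2SChildCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 3. Public part of the root as Base64 DER. This is the ".cer" content Azure
#    expects; it contains no private key.
$rootDer = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$rootPublicBase64 = [Convert]::ToBase64String($rootDer)

# 4. Upload the trusted root to the gateway.
Add-AzVpnClientRootCertificate -ResourceGroupName 'RG1' `
    -VirtualNetworkGatewayName 'VPNGW1' `
    -VpnClientRootCertificateName 'P2SRootCert' `
    -PublicCertData $rootPublicBase64

# 5. Export the client certificate with its private key for installation on
#    Client1 (password-protected PFX; distribute it out of band, not by e-mail).
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $client -FilePath "$env:TEMP\P2SChildCert.pfx" -Password $pfxPassword
```

Once the PFX is imported into Client1's user store, the client package generated for VPNGW1 selects it automatically because it chains to the uploaded root.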

A point-to-site client decides which prefixes to send into the tunnel from static routes embedded in the VPN client configuration package, and those routes are computed at the moment the package is generated. Client1's package was generated before VNet2 was peered with VNet1, so it carries a route for VNet1's address space only; traffic for VNet2 never enters the tunnel. A later change to the topology, such as the new peering, is not pushed to clients that already have a package installed. The fix is to download the VPN client configuration package again, now that the peering exists, and re-install it on Client1 (option B); the regenerated package includes the VNet2 prefix.

Option A (Select Allow gateway transit on VNet1) is already in effect. The on-premises network reaches VNet2 through VPNGW1 over the site-to-site connection, and that only works when VNet1's side of the peering allows gateway transit and VNet2's side uses the remote gateway. Selecting it again changes nothing for Client1.

Option D (Select Allow gateway transit on VNet2) is wrong because VNet2 has no gateway. Gateway transit is set on the VNet that hosts the gateway (VNet1); VNet2 is configured to use remote gateways instead.

Option C (Enable BGP on VPNGW1) does not help. BGP exchanges routes between the gateway and on-premises devices over the site-to-site tunnel; it does not populate the static routes in a point-to-site client package, and the question states that VPNGW1 uses static routing anyway.

Note: "static routing" and "dynamic routing" are the older names for PolicyBased and RouteBased gateways. Point-to-site requires a RouteBased gateway, so a gateway that is genuinely PolicyBased could not host Client1's connection at all; the scenario takes the existing point-to-site connection as working, and the answer does not turn on this point. Practical check after re-installing: connect from Client1 and confirm that a route for VNet2's address space now points at the VPN adapter before testing a host in VNet2.
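The procedure behind option B, as an added PowerShell example that is not from the original page or from Microsoft's documentation. It assumes resource group RG1, gateway VPNGW1 in VNet1, a VNet2 address space of 10.2.0.0/16, certificate (EapTls) authentication, and that the installed connection on Client1 is named after the VNet ("VNet1"). The first part runs where the Az module is installed and signed in; the last part runs on Client1 after the new package is installed and connected.

```powershell
# Added example (not from the original page). Assumed: RG1, VPNGW1, VNet1/VNet2,
# VNet2 = 10.2.0.0/16, EapTls auth, connection name 'VNet1' on Client1.

$rg          = 'RG1'
$gateway     = 'VPNGW1'
$vnet2Prefix = '10.2.0.0/16'   # assumed address space of VNet2

# --- Part 1: Azure side (Connect-AzAccount already done) ---

# 1. Confirm the peering is what lets on-premises reach VNet2: VNet1's side must
#    allow gateway transit and VNet2's side must use the remote gateway.
#    Assumes one peering per VNet; filter on RemoteVirtualNetwork.Id if there are more.
$p1 = Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName 'VNet1'
$p2 = Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName 'VNet2'
$p1 | Select-Object Name, PeeringState, AllowGatewayTransit, AllowForwardedTraffic
$p2 | Select-Object Name, PeeringState, UseRemoteGateways

if (-not ($p1.AllowGatewayTransit -and $p2.UseRemoteGateways)) {
    throw 'Peering is not set up for gateway transit; fix that before regenerating the client package.'
}

# 2. Regenerate the point-to-site client package. Its routes are computed now,
#    so the VNet2 prefix is included only because the peering already exists.
$profile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gateway -AuthenticationMethod 'EapTls'
Invoke-WebRequest -Uri $profile.VpnProfileSASUrl -OutFile "$env:TEMP\vpnclient.zip"
Expand-Archive -Path "$env:TEMP\vpnclient.zip" -DestinationPath "$env:TEMP\vpnclient" -Force
Get-ChildItem -Recurse "$env:TEMP\vpnclient" | Select-Object FullName

# Copy the extracted folder to Client1 and run the installer for its
# architecture (WindowsAmd64\VpnClientSetupAmd64.exe, path as shipped in the
# package), then connect with the new profile.

# --- Part 2: on Client1, after re-installing and connecting ---

# 3. The route for VNet2 must now exist and point at the VPN adapter; with the
#    old package this query returns nothing.
$route = Get-NetRoute -DestinationPrefix $vnet2Prefix -ErrorAction SilentlyContinue
if ($route) {
    $route | Select-Object DestinationPrefix, InterfaceAlias, NextHop
} else {
    Write-Warning "No route for $vnet2Prefix; the installed package predates the peering."
}

# 4. End-to-end check against an assumed host in VNet2.
Test-NetConnection -ComputerName '10.2.0.4' -Port 3389 -InformationLevel Detailed
```

If step 3 still shows no route after the re-install, the package was generated before the peering flags were set; re-run step 2 rather than editing routes on the client by hand, so that every future client gets the same result.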