You have a Site-to-Site VPN between an on-premises network and an Azure VPN gateway. BGP is disabled for the Site-to-Site VPN.
You have an Azure virtual network named Vnet1 that contains a subnet named Subnet1. Subnet1 contains a virtual machine named Server1.
You can connect to Server1 from the on-premises network.
You extend the address space of Vnet1. You add a subnet named Subnet2 to Vnet1. Subnet2 uses the extended address space. You deploy an Azure virtual machine named Server2 to Subnet2.
You cannot connect to Server2 from the on-premises network. Server1 can connect to Server2.
You need to ensure that you can connect to Subnet2 from the on-premises network.
What should you do?
Answer: D
The problem described in this question is that after extending the address space of an Azure virtual network and adding a new subnet to it, a virtual machine deployed to the new subnet cannot be reached from an on-premises network that has a Site-to-Site VPN connection to the virtual network. Two facts in the scenario narrow the cause: the existing tunnel works (Server1 is reachable), and BGP is disabled, so neither side learns routes dynamically and every prefix that should cross the tunnel has to be configured statically. The four options are evaluated against that below.
Option A: Add an additional Site-to-Site VPN between the on-premises network and Vnet1. This option would create a second tunnel between the same two networks. It does not address the cause: the existing tunnel already carries traffic to Vnet1 (Server1 is reachable), and a second tunnel built with the same static prefixes would have exactly the same gap for the extended address space. It also adds configuration complexity and cost for no benefit.
Option B: Add a private endpoint to Subnet2. A private endpoint is a network interface with a private IP address from the virtual network that provides private connectivity to an Azure PaaS service (for example a storage account or a SQL database) or to a Private Link service. It is not a way to expose a virtual machine to an on-premises network and does not change how traffic is routed over the VPN, so it cannot fix connectivity to Server2.
Option C: To Subnet2, add a route table that contains a user-defined route. A user-defined route pointing the on-premises prefixes at the virtual network gateway would be redundant. The VPN gateway already propagates the on-premises prefixes defined on the local network gateway to every subnet in Vnet1 as system routes, including Subnet2, because gateway route propagation is enabled by default on a subnet with no route table. The return path from Server2 to the on-premises network therefore already exists; the Azure side is not where the traffic is being dropped.
Option D: Update the routing information on the on-premises routers. With BGP disabled, the on-premises VPN device and routers only know the Vnet1 prefixes that were configured when the tunnel was built, which covered the original address space. Traffic destined for the extended address space used by Subnet2 is never sent into the tunnel (on a route-based device) or does not match the IPsec traffic selectors (on a policy-based device). Adding the new prefix to the on-premises static routes, and to the traffic selectors where the device uses them, makes the on-premises network send Subnet2 traffic through the VPN connection. This is the documented requirement whenever address space is added to a virtual network that has a Site-to-Site VPN without BGP: the on-premises VPN device configuration must be updated to include the new range.
Of the four options presented, Option D, "Update the routing information on the on-premises routers," is the correct solution. It is the only option that targets the actual cause. Azure already knows about Subnet2 (Server1 reaches Server2 and the gateway propagates routes to the new subnet automatically); what is missing is a route for the extended address space on the on-premises side, which static routing cannot learn by itself because BGP is disabled. Once the on-premises routers and VPN device include the new prefix, Server2 becomes reachable over the existing tunnel.
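A practitioner will want a quick way to confirm the diagnosis before touching the routers: compare the virtual network's current address space with the prefixes the on-premises router actually sends into the tunnel, and list whatever is missing. The script below is an added illustration, not part of the question or of any Microsoft tooling. The VNet prefixes (10.1.0.0/16 as the original space, 10.2.0.0/16 as the extension), the Linux router's `ip route` output and the tunnel interface name `vti0` are all constructed sample data; in practice the JSON would come from `az network vnet show` and the routing table from `ip route` on the on-premises device.

```python
"""Drift check between an Azure VNet address space and on-premises static
routes towards a Site-to-Site tunnel (BGP disabled, so nothing is learned).
Added example with constructed data; not code from the question source."""
import ipaddress
import json

# Constructed: imitates the output of
#   az network vnet show -g <rg> -n Vnet1 --query addressSpace.addressPrefixes -o json
# after the address space was extended (both prefixes are assumptions).
VNET1_ADDRESS_SPACE_JSON = '["10.1.0.0/16", "10.2.0.0/16"]'

# Constructed: `ip route` on a Linux on-premises router that terminates the
# tunnel on a route-based VTI interface (name assumed).  Only the original
# Vnet1 prefix points at the tunnel; the extension does not.
ONPREM_ROUTES = """\
default via 192.0.2.1 dev eth0
10.1.0.0/16 dev vti0 scope link
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.1
"""

TUNNEL_IF = "vti0"


def parse_vnet_prefixes(raw_json):
    """Turn the CLI's JSON list of prefixes into ip_network objects."""
    return [ipaddress.ip_network(p) for p in json.loads(raw_json)]


def parse_tunnel_routes(route_text, tunnel_if):
    """Return the destination networks that `ip route` sends via tunnel_if."""
    routes = []
    for line in route_text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        if parts[parts.index("dev") + 1] != tunnel_if:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append(ipaddress.ip_network(dest))
    return routes


def missing_onprem_routes(vnet_prefixes, tunnel_routes):
    """VNet prefixes not fully covered by any route pointing at the tunnel."""
    return [
        prefix
        for prefix in vnet_prefixes
        if not any(
            prefix.subnet_of(route)
            for route in tunnel_routes
            if route.version == prefix.version
        )
    ]


def suggested_commands(missing, tunnel_if):
    """Static routes to add on the router for each uncovered prefix."""
    return [f"ip route add {prefix} dev {tunnel_if}" for prefix in missing]


def report(vnet_json=VNET1_ADDRESS_SPACE_JSON, routes=ONPREM_ROUTES,
           tunnel_if=TUNNEL_IF):
    """Return the prefixes the on-premises side is missing, as strings."""
    vnet = parse_vnet_prefixes(vnet_json)
    tunnel = parse_tunnel_routes(routes, tunnel_if)
    return [str(p) for p in missing_onprem_routes(vnet, tunnel)]


if __name__ == "__main__":
    gaps = report()
    if not gaps:
        print("on-premises routes cover the whole VNet address space")
    for cmd in suggested_commands(gaps, TUNNEL_IF):
        print("missing on premises, add:", cmd)
```

On a route-based device with wildcard traffic selectors the static route is the whole fix; on a policy-based device the same prefix must also be added to the IPsec traffic selector (crypto ACL), otherwise the packet is routed towards the tunnel and then dropped for not matching the policy.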