
Azure: VM in another spoke virtual network cannot be accessed via RDP

I have the following VNets

[screenshot]

vnet-hub-poc-hubspoke is the Hub VNet

it has the following subnets

[screenshot]

with a firewall

[screenshot]

and peered with the Prod & Dev VNets

[screenshot]

[screenshot]

The Prod VNet is configured as shown below

[screenshot]

[screenshot]

The Dev VNet is configured as shown below

[screenshot]

[screenshot]

I have the following VMs created - one in each VNet

[screenshot]

with the below rules

[screenshot]

[screenshot]

I have the following route tables

[screenshot]

with the below configuration

[screenshot]

[screenshot]

I am able to ping the Firewall from both VMs, however I am not able to RDP

[screenshot]

[screenshot]

What am I missing?

Update: I guess the request is going to the Firewall (10.11.253.4) but getting timed out.

C:\Users\kavija>tracert 10.13.2.4

Tracing route to 10.13.2.4 over a maximum of 30 hops

[screenshot]

Update #2: I have used the script below

# Define Variable
rgName=SpokeToSpoke
location=eastus
hubVNetName=vnet-hub
prodVnetName=vnet-prod
devVnetName=vnet-dev
myFirewallPublicIPName="firewallPublicIP"
azFirewallName="azFirewallName"
azureworkloadRG="AzureProdWorkLoad"
azureDevWorkloadRG="AzureDevWorkLoad"
VmUser="demouserXXX"
AdminPassword="<strong-password-placeholder>"   # not defined in the original script but required by az vm create below
VmName1="ProdSever"
VmName2="DevSever"
fwRouteTableProdName=prod-route-table
fwRouteTableDevName=dev-route-table
bastionName="MyBastion"
bastionPIPName="bastionpip"
rdpRuleName=AllowRDP
priority=200
rgroup=prod-ukw-core-rg
access=Allow
description="Allow RDP from office IP address"
destPort=3389
direction=Inbound
protocol=TCP

# Create Resource Group
az group create --name $rgName --location $location

# Create Azure Hub VNET
az network vnet create -g $rgName --name $hubVNetName --address-prefixes 10.11.0.0/16 --location $location
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name Management --address-prefix 10.11.1.0/24
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name AppGatewaySubnet --address-prefix 10.11.252.0/26
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name AzureBastionSubnet --address-prefix 10.11.252.64/27
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name AzureFirewallSubnet --address-prefix 10.11.253.0/26
az network vnet subnet create -g $rgName --vnet-name $hubVNetName --name GatewaySubnet --address-prefix 10.11.254.0/27

# Create Azure Dev VNET
az network vnet create -g $rgName --name $devVnetName --address-prefixes 10.12.0.0/16  --location $location
az network vnet subnet create -g $rgName --vnet-name $devVnetName --name Management --address-prefix 10.12.1.0/24
az network vnet subnet create -g $rgName --vnet-name $devVnetName --name Workload1 --address-prefix 10.12.2.0/24

# Create Azure Prod VNET
az network vnet create -g $rgName --name $prodVnetName --address-prefixes 10.13.0.0/16  --location $location
az network vnet subnet create -g $rgName --vnet-name $prodVnetName --name Management --address-prefix 10.13.1.0/24
az network vnet subnet create -g $rgName --vnet-name $prodVnetName --name Workload1 --address-prefix 10.13.2.0/24

# Dev Subnet NSG 
az network nsg create -g $rgName -n Dev-Management-subnet -l $location -o table
az network nsg create -g $rgName -n Dev-Workload1-subnet -l $location -o table
az network vnet subnet update -g $rgName --vnet-name $devVnetName --name Management --network-security-group Dev-Management-subnet
az network vnet subnet update -g $rgName --vnet-name $devVnetName --name Workload1 --network-security-group Dev-Workload1-subnet

# Prod Subnet NSG 
az network nsg create -g $rgName -n Prod-Management-subnet -l $location -o table
az network nsg create -g $rgName -n Prod-Workload1-subnet -l $location -o table
az network vnet subnet update -g $rgName --vnet-name $prodVnetName --name Management --network-security-group Prod-Management-subnet
az network vnet subnet update -g $rgName --vnet-name $prodVnetName --name Workload1 --network-security-group Prod-Workload1-subnet

# Enable RDP at NSG Level for Dev Workload
az network nsg rule create --name $rdpRuleName --nsg-name Dev-Workload1-subnet --priority $priority --resource-group $rgName --access $access --description "$description" --destination-port-ranges $destPort --direction $direction --protocol $protocol --source-address-prefixes "*"

# Enable RDP at NSG Level for Prod Workload
az network nsg rule create --name $rdpRuleName --nsg-name Prod-Workload1-subnet --priority $priority --resource-group $rgName --access $access --description "$description" --destination-port-ranges $destPort --direction $direction --protocol $protocol --source-address-prefixes "*"

# Create Firewall
az network public-ip create --name $myFirewallPublicIPName --resource-group $rgName --sku Standard --allocation-method Static
az network firewall create -g $rgName -n $azFirewallName --vnet-name $hubVNetName --sku AZFW_VNet --tier Standard
az network firewall ip-config create   --firewall-name $azFirewallName   --name FW-config1 --public-ip-address $myFirewallPublicIPName  --resource-group $rgName   --vnet-name $hubVNetName
az network firewall update --name $azFirewallName --resource-group $rgName
fwprivaddr="$(az network firewall ip-config list -g $rgName -f $azFirewallName --query "[?name=='FW-config1'].privateIpAddress" --output tsv)"

# Hub-Spoke-Hub Peering
az network vnet peering create -g $rgName --name HUBtoProd --vnet-name $hubVNetName --remote-vnet $prodVnetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit

az network vnet peering create -g $rgName --name HUBtoDEV --vnet-name $hubVNetName --remote-vnet $devVnetName --allow-vnet-access --allow-forwarded-traffic  --allow-gateway-transit

az network vnet peering create -g $rgName --name ProdtoHUB --vnet-name $prodVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit 

az network vnet peering create -g $rgName --name DEVtoHUB --vnet-name $devVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit 

# Create Route table from Dev to Hub
az network route-table create --name $fwRouteTableDevName -g $rgName -l $location --disable-bgp-route-propagation true
az network route-table route create -g $rgName --name DevToProdSubnet-Route --route-table-name $fwRouteTableDevName --address-prefix 10.13.0.0/16  --next-hop-type VirtualAppliance --next-hop-ip-address $fwprivaddr
az network vnet subnet update -g $rgName --vnet-name $devVnetName -n Workload1 --address-prefixes 10.12.2.0/24 --route-table $fwRouteTableDevName

# Create Route table from Prod to Hub
az network route-table create --name $fwRouteTableProdName -g $rgName -l $location --disable-bgp-route-propagation true
az network route-table route create -g $rgName --name ProdToHubSubnet-Route --route-table-name $fwRouteTableProdName --address-prefix 10.12.0.0/16  --next-hop-type VirtualAppliance --next-hop-ip-address $fwprivaddr
az network vnet subnet update -g $rgName --vnet-name $prodVnetName -n Workload1 --address-prefixes 10.13.2.0/24 --route-table $fwRouteTableProdName

# Create Azure Bastion for Azure
az network public-ip create --resource-group $rgName --name $bastionPIPName --sku Standard --location $location
az network bastion create --name $bastionName --public-ip-address $bastionPIPName --resource-group $rgName --vnet-name $hubVNetName --location $location

# Create VM in Dev Vnet - Workload1 Subnet to test Spoke-to-Spoke communication
az group create --name $azureDevWorkloadRG --location $location
devWorkLoadSubNetID=$(az network vnet subnet show --resource-group $rgName --name "Workload1" --vnet-name $devVnetName --query id -o tsv)
az vm create --resource-group $azureDevWorkloadRG --name $VmName2 --image win2016datacenter --admin-username $VmUser --admin-password $AdminPassword --size Standard_B1s --use-unmanaged-disk --storage-sku Standard_LRS --subnet $devWorkLoadSubNetID --nsg "" --public-ip-address ""   # $VmName2 is the Dev VM; the original referenced an undefined $VmName

# Create VM in Prod VNet - Workload1 Subnet
az group create --name $azureworkloadRG --location $location
prodWorkLoadSubNetID=$(az network vnet subnet show --resource-group $rgName --name "Workload1" --vnet-name $prodVnetName --query id -o tsv)
az vm create --resource-group $azureworkloadRG --name $VmName1 --image win2016datacenter --admin-username $VmUser --admin-password $AdminPassword --size Standard_B1s --use-unmanaged-disk --storage-sku Standard_LRS --subnet $prodWorkLoadSubNetID --nsg "" --public-ip-address ""

Update #3: I tried creating the gateway as well

# Azure VNET Gateway
az network public-ip create -g $rgName --name pip-hub-gateway --allocation-method dynamic --dns-name $hubVNetName 
az network vnet-gateway create -g $rgName --name vgw --vnet $hubVNetName --public-ip-address pip-hub-gateway --gateway-type vpn --client-protocol SSTP --sku Basic

az network vnet peering create -g $rgName --name ProdtoHUB --vnet-name $prodVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit  --use-remote-gateways

az network vnet peering create -g $rgName --name DEVtoHUB --vnet-name $devVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit  --use-remote-gateways

az network route-table route create -g $rgName --name DevToProdSubnet-Route --route-table-name $fwRouteTableDevName --address-prefix 10.13.0.0/16   --next-hop-type VirtualNetworkGateway

az network route-table route create -g $rgName --name ProdToHubSubnet-Route --route-table-name $fwRouteTableProdName --address-prefix 10.12.0.0/16   --next-hop-type VirtualNetworkGateway

Remote Desktop can't connect to the remote computer for one of these reasons:

  1. Remote access to the service is not enabled
  2. The remote computer is turned off (verified through the Azure Portal that it is turned on, because Start is greyed out while Restart and Stop are not)
  3. The remote computer is not available on the network.
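The tracert above stops at the firewall's private address and then times out, which is the behaviour of an Azure Firewall that has no network rule collection: the UDR hands the packet to 10.11.253.4 and the firewall's implicit deny drops it. The Python model below is an added example, not code from the question or from Azure. It walks a packet from the Dev workload VM to the Prod workload VM through longest-prefix route selection, the firewall's network rules and the destination subnet's NSG (including the three inbound default rules). The prefixes, the UDR, the AllowRDP NSG rule and the firewall IP are transcribed from the Update #2 script and the tracert; the Dev VM address 10.12.2.4, the rule FW_RDP_RULE and all function names are assumptions. FW_RDP_RULE deliberately allows TCP 3389 only between the two workload subnets rather than the "*" source used in the NSG rule.

```python
"""Added model (example code, not from the question or Azure) of the path an RDP
packet takes from the Dev workload VM to the Prod workload VM above.
Assumed: firewall IP 10.11.253.4, the prefixes, the UDR and the AllowRDP NSG rule
come from the question; 10.12.2.4 and the firewall rule are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass
class Route:
    prefix: str
    next_hop_type: str                  # VnetLocal | VNetPeering | VirtualAppliance
    next_hop_ip: Optional[str] = None


@dataclass
class Rule:                             # shape shared by Azure Firewall network rules and NSG rules
    priority: int
    action: str                         # Allow | Deny
    src: str                            # CIDR or "*"
    dst: str
    port: Union[int, str]               # destination port or "*"


def _match(cidr: str, ip: str) -> bool:
    return cidr == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def effective_route(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest prefix match. Azure prefers a UDR over a system route of equal
    length, so callers list UDRs first and the first best match is kept."""
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if ipaddress.ip_address(dst_ip) in net and (
                best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    return best


def evaluate_rules(rules: List[Rule], src_ip: str, dst_ip: str, port: int, default: str = "Deny") -> str:
    """Lowest priority number wins; with no match both Azure Firewall and an NSG
    (via its 65500 DenyAllInBound) end in Deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if _match(r.src, src_ip) and _match(r.dst, dst_ip) and r.port in ("*", port):
            return r.action
    return default


# --- topology transcribed from the question's script --------------------------
FW_IP = "10.11.253.4"
DEV_VM, PROD_VM = "10.12.2.4", "10.13.2.4"          # Dev address constructed, Prod from the tracert
VNET_TAG = ["10.11.0.0/16", "10.12.0.0/16", "10.13.0.0/16"]   # "VirtualNetwork" tag: own + peered space

DEV_WORKLOAD_ROUTES = [
    Route("10.13.0.0/16", "VirtualAppliance", FW_IP),   # UDR DevToProdSubnet-Route
    Route("10.12.0.0/16", "VnetLocal"),                 # system route: own VNet
    Route("10.11.0.0/16", "VNetPeering"),               # system route: hub peering
]


def nsg_default_rules() -> List[Rule]:
    """The three inbound default rules every NSG carries."""
    return ([Rule(65000, "Allow", t, "*", "*") for t in VNET_TAG]   # AllowVnetInBound
            + [Rule(65001, "Allow", "168.63.129.16/32", "*", "*")]  # AllowAzureLoadBalancerInBound
            + [Rule(65500, "Deny", "*", "*", "*")])                 # DenyAllInBound


PROD_WORKLOAD_NSG = [Rule(200, "Allow", "*", "*", 3389)] + nsg_default_rules()   # AllowRDP from the script
NO_FW_RULES: List[Rule] = []                                                     # Update #2 creates no rule collection
FW_RDP_RULE = [Rule(100, "Allow", "10.12.2.0/24", "10.13.2.0/24", 3389)]         # constructed least-privilege fix


def trace(src_ip: str, dst_ip: str, port: int, routes, firewall_rules, dst_nsg) -> Tuple[List[str], bool]:
    hops = []
    route = effective_route(routes, dst_ip)
    hops.append(f"route {route.prefix} -> {route.next_hop_type}")
    if route.next_hop_type == "VirtualAppliance":
        hops.append(f"next hop {route.next_hop_ip} (the first tracert hop)")
        # Azure Firewall applies network rules with an implicit deny; it does not
        # SNAT private-to-private traffic, so the destination NSG still sees src_ip.
        if evaluate_rules(firewall_rules, src_ip, dst_ip, port) != "Allow":
            hops.append("dropped by firewall: no matching network rule, client sees a timeout")
            return hops, False
        hops.append("allowed by firewall network rule")
    verdict = evaluate_rules(dst_nsg, src_ip, dst_ip, port)
    hops.append(f"destination subnet NSG: {verdict}")
    return hops, verdict == "Allow"


def demo():
    return {
        "as_posted": trace(DEV_VM, PROD_VM, 3389, DEV_WORKLOAD_ROUTES, NO_FW_RULES, PROD_WORKLOAD_NSG),
        "with_fw_rule": trace(DEV_VM, PROD_VM, 3389, DEV_WORKLOAD_ROUTES, FW_RDP_RULE, PROD_WORKLOAD_NSG),
    }


if __name__ == "__main__":
    for name, (hops, ok) in demo().items():
        print(f"{name}: {'reachable' if ok else 'blocked'}")
        for h in hops:
            print("   ", h)
```

Running it prints "as_posted: blocked" with the drop at the firewall hop and "with_fw_rule: reachable"; the same evaluator shows that the NSG's 65000 default already admits any port from the peered VNets, so the AllowRDP rule with source "*" adds nothing for spoke traffic and only matters for sources outside the VirtualNetwork tag.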

To resolve this issue, please check that your VM's Resource Health is in the available (healthy) state; an unhealthy state may impact connectivity to the VM on the Azure platform. If it is not healthy, you can use Diagnose and solve problems.

[screenshot]

  1. Try "Reset configuration only" under Reset password; this will help repair the RDP configuration when Remote Connections is deactivated or RDP is being blocked by Windows Firewall rules. Then try to access RDP.

[screenshot]

  2. Make sure you have configured boot diagnostics (enable diagnostics if needed). You can see the screenshot from boot diagnostics and download the serial log; investigate the console log for additional information to determine why RDP is not functioning in your situation.

[screenshot]

  3. Try resetting your user credentials: provide the username and password and click Update. This resets the local administrator password; then try to access RDP.

[screenshot]

  4. Or else, in the virtual machine -> Networking under Settings -> click on your network interface (e.g. web server) -> in the network interface -> IP configuration, click on the private IP address

[screenshot]

Try changing Assignment to Static, provide a different static IP address, save, and try to access the VM through RDP. Once RDP is connected, change it back to Dynamic.

[screenshot]

  5. Suppose you are still not able to access RDP: try Redeploy as below. It will redeploy the virtual machine onto another host within Azure; if there is any underlying host or networking issue, redeploying can resolve it. Ephemeral disk data will be lost, and dynamic IP addresses associated with the VM are updated.

What kind of firewall rules do you have?

I have three more suggestions:

1) Check if you have an NSG attached to the VM NICs

  • Using both subnet-attached and NIC-attached NSG rules is not recommended. Not sure from the screenshot whether the subnet-attached NSG is the only NSG
  • Default rule 65000 should allow access from the peered VNet anyway
  • Unless you have a specific reason to, we recommend that you associate a network security group to a subnet, or a network interface, but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting. ref: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

2) Check the RDP setting

  • I personally had to run reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v MaxOutstandingConnections /t REG_DWORD /d 10000 on the serial console for a few installations to get RDP working

3) Capture network traffic

  • Capture network traffic on the destination subnet to see
    • if traffic goes through the firewall
    • and to see if the destination VM sends back ACK packets for the initial SYN segments
  • Then compare the captured traffic with the firewall rules, statistics and log to find out if the firewall is blocking access.
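Suggestion 3 is the one that separates "dropped upstream" from "dropped on the VM": a capture on the destination subnet either never sees the client's SYN (UDR or firewall) or sees it with no SYN-ACK (Windows Firewall, the Remote Desktop service, or a NIC-level NSG). The triage script below is an added example, not the answerer's code. It reads tcpdump-style lines, groups them by client flow and classifies each RDP attempt; the capture text is constructed for illustration (10.13.2.4 is the Prod VM from the question, 10.12.2.4 stands for the Dev VM, 10.11.252.70 for a Bastion host in 10.11.252.64/27 and 10.13.1.10 for a host in the Prod Management subnet), and the function names are assumptions.

```python
"""Added example: triage of a capture taken on the destination (Prod workload)
subnet. Packet lines are constructed, not from the question."""
import re
from collections import defaultdict
from typing import Dict, Iterator, Tuple

# Constructed tcpdump-style lines as they might look on the Prod workload subnet.
CAPTURE = """\
10:00:01.000 IP 10.12.2.4.51000 > 10.13.2.4.3389: Flags [S], seq 1, win 64240
10:00:02.000 IP 10.12.2.4.51000 > 10.13.2.4.3389: Flags [S], seq 1, win 64240
10:00:05.000 IP 10.12.2.4.51000 > 10.13.2.4.3389: Flags [S], seq 1, win 64240
10:00:07.000 IP 10.11.252.70.40210 > 10.13.2.4.3389: Flags [S], seq 9, win 64240
10:00:07.001 IP 10.13.2.4.3389 > 10.11.252.70.40210: Flags [S.], seq 500, ack 10
10:00:08.000 IP 10.13.1.10.52000 > 10.13.2.4.3389: Flags [S], seq 3, win 64240
10:00:08.001 IP 10.13.2.4.3389 > 10.13.1.10.52000: Flags [R.], seq 0, ack 4
"""
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

Flow = Tuple[str, int, str, int]        # client ip, client port, server ip, server port


def parse(text: str) -> Iterator[dict]:
    """Yield src/dst/port/flags for every line that looks like a TCP packet."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            yield {"src": m[1], "sport": int(m[2]), "dst": m[3], "dport": int(m[4]), "flags": m[5]}


def triage(text: str, dport: int = 3389) -> Dict[Flow, str]:
    """Classify every client SYN toward dport by what the service sent back."""
    flows = defaultdict(lambda: {"syn": 0, "synack": False, "rst": False})
    for p in parse(text):
        if p["dport"] == dport and p["flags"] == "S":            # client SYN (retransmits count too)
            flows[(p["src"], p["sport"], p["dst"], p["dport"])]["syn"] += 1
        elif p["sport"] == dport:                                 # reply from the service, key by the client side
            f = flows[(p["dst"], p["dport"], p["src"], p["sport"])]
            f["synack"] = f["synack"] or p["flags"] == "S."
            f["rst"] = f["rst"] or "R" in p["flags"]
    verdicts: Dict[Flow, str] = {}
    for key, f in flows.items():
        if f["synack"]:
            verdicts[key] = "handshake completed: routing, firewall and NSG all pass"
        elif f["rst"]:
            verdicts[key] = "reached VM, refused: nothing listening on the port"
        elif f["syn"]:
            verdicts[key] = ("SYN reached the subnet, no reply after %d tries: check Windows Firewall, "
                             "the Remote Desktop service or a NIC-level NSG" % f["syn"])
        else:
            verdicts[key] = "reply seen without its SYN: capture started mid-connection"
    return verdicts


def seen_from(text: str, client_ip: str) -> bool:
    """False means nothing from that client reached the subnet at all, so the
    drop is upstream: UDR next hop or firewall rules, as the answer suggests."""
    return any(p["src"] == client_ip for p in parse(text))


if __name__ == "__main__":
    for flow, verdict in triage(CAPTURE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {verdict}")
    print("10.12.2.5 seen on subnet:", seen_from(CAPTURE, "10.12.2.5"))
```

The same three verdicts map directly onto the answer's list: a completed handshake clears suggestions 1 and 3, a silent SYN points at the host (suggestion 2 or a NIC NSG), and a client that never appears in the capture points back at the route table and the firewall log.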

Using the script below, I was able to establish communication between the spoke networks.

Reference: https://github.com/jillesca/azure/tree/main/hub%20%26%20spoke

az group create --name techTalk --location eastus

az network vnet create \
  --name hub-vnet \
  --resource-group techTalk \
  --subnet-name hub-subnet \
  --address-prefixes 10.0.0.0/16 \
  --subnet-prefixes 10.0.1.0/24

az network vnet create \
  --name spoke1-vnet \
  --resource-group techTalk \
  --subnet-name spoke1-subnet \
  --address-prefixes 10.1.0.0/16 \
  --subnet-prefixes 10.1.1.0/24 

az network vnet create \
  --name spoke2-vnet \
  --resource-group techTalk \
  --subnet-name spoke2-subnet \
  --address-prefixes 10.2.0.0/16 \
  --subnet-prefixes 10.2.1.0/24 

az network vnet subnet create \
  --vnet-name hub-vnet \
  --name GatewaySubnet \
  --resource-group techTalk \
  --address-prefix 10.0.255.0/27

az network public-ip create \
  --name gateway-ip-address \
  --resource-group techTalk \
  --allocation-method Dynamic \
  --sku Basic

az network vnet-gateway create \
  --name vnet-Gateway \
  --location eastus \
  --public-ip-address gateway-ip-address \
  --resource-group techTalk \
  --vnet hub-vnet \
  --gateway-type Vpn \
  --sku Standard \
  --vpn-type RouteBased \
  --no-wait

az network route-table create \
  --resource-group techTalk \
  --name spoke1RouteTable

az network route-table route create \
 --name spoke1ToSpoke2 \
 --resource-group techTalk \
 --route-table-name spoke1RouteTable \
 --address-prefix 10.2.1.0/24  \
 --next-hop-type VirtualNetworkGateway

az network vnet subnet update \
  --vnet-name spoke1-vnet \
  --name spoke1-subnet \
  --resource-group techTalk \
  --route-table spoke1RouteTable

az network route-table create \
  --resource-group techTalk \
  --name spoke2RouteTable

az network route-table route create \
 --name spoke2ToSpoke1 \
 --resource-group techTalk \
 --route-table-name spoke2RouteTable \
 --address-prefix 10.1.1.0/24  \
 --next-hop-type VirtualNetworkGateway 

az network vnet subnet update \
  --vnet-name spoke2-vnet \
  --name spoke2-subnet \
  --resource-group techTalk \
  --route-table spoke2RouteTable

az network vnet peering create \
    --resource-group techTalk \
    --name spoke1-Peering \
    --vnet-name hub-vnet \
    --remote-vnet spoke1-vnet \
    --allow-vnet-access \
    --allow-gateway-transit \
    --allow-forwarded-traffic

az network vnet peering create \
    --resource-group techTalk \
    --name spoke1-hub-Peering \
    --vnet-name spoke1-vnet \
    --remote-vnet hub-vnet \
    --allow-vnet-access \
    --use-remote-gateways

az network vnet peering create \
    --resource-group techTalk \
    --name spoke2-Peering \
    --vnet-name hub-vnet \
    --remote-vnet spoke2-vnet \
    --allow-vnet-access \
    --allow-gateway-transit \
    --allow-forwarded-traffic

az network vnet peering create \
    --resource-group techTalk \
    --name spoke2-hub-Peering \
    --vnet-name spoke2-vnet \
    --remote-vnet hub-vnet \
    --allow-vnet-access \
    --use-remote-gateways
    
az network nsg create -g techTalk -n spoke1-subnet-ng -l eastus
az network nsg create -g techTalk -n spoke2-subnet-ng -l eastus

az network vnet subnet update \
  --vnet-name spoke1-vnet \
  --name spoke1-subnet \
  --resource-group techTalk \
  --route-table spoke1RouteTable \
  --network-security-group spoke1-subnet-ng

az network vnet subnet update \
  --vnet-name spoke2-vnet \
  --name spoke2-subnet \
  --resource-group techTalk \
  --route-table spoke2RouteTable \
  --network-security-group spoke2-subnet-ng

az network nsg rule create --name rdpRule --nsg-name spoke1-subnet-ng --priority 200 --resource-group techTalk --access Allow --description "Allow RDP" --destination-port-ranges 3389 --direction Inbound --protocol TCP --source-address-prefixes "*"

az network nsg rule create --name rdpRule --nsg-name spoke2-subnet-ng --priority 200 --resource-group techTalk --access Allow --description "Allow RDP" --destination-port-ranges 3389 --direction Inbound --protocol TCP --source-address-prefixes "*" 

az network vnet subnet create -g techTalk --vnet-name hub-vnet --name AzureBastionSubnet --address-prefix 10.0.252.64/27

az network public-ip create --resource-group techTalk  --name bastionpip  --sku Standard --location eastus
az network bastion create --name MyBastion --public-ip-address bastionpip --resource-group techTalk  --vnet-name hub-vnet --location eastus --no-wait

# Admin credentials for the two test VMs (not set anywhere in the original script; supply your own values)
VmUser="<admin-username>"
AdminPassword="<strong-password-placeholder>"

# Create VM in spoke1-vnet - spoke1-subnet to test Spoke-to-Spoke communication
devWorkLoadSubNetID=$(az network vnet subnet show --resource-group techTalk  --name spoke1-subnet  --vnet-name spoke1-vnet  --query id -o tsv)
az vm create --resource-group techTalk  --name VM1 --image win2016datacenter --admin-username $VmUser --admin-password $AdminPassword --size Standard_B1s --use-unmanaged-disk --storage-sku Standard_LRS --subnet $devWorkLoadSubNetID --nsg "" --public-ip-address ""   --no-wait

# Create VM in spoke2-vnet - spoke2-subnet
prodWorkLoadSubNetID=$(az network vnet subnet show --resource-group techTalk  --name spoke2-subnet  --vnet-name spoke2-vnet  --query id -o tsv)
az vm create --resource-group techTalk  --name VM2 --image win2016datacenter --admin-username $VmUser --admin-password $AdminPassword --size Standard_B1s --use-unmanaged-disk --storage-sku Standard_LRS --subnet $prodWorkLoadSubNetID --nsg "" --public-ip-address ""   --no-wait
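The script above differs from Update #3 in small flags that are easy to miss when the peerings and route tables are reviewed in the portal: the hub-side peering must carry gateway transit, the spoke-side peering must use the remote gateway, the hub needs a VPN gateway in a subnet literally named GatewaySubnet, each spoke's UDR must send the other spoke's prefix to VirtualNetworkGateway, and the subnet NSG must admit TCP 3389. The checker below is an added example, not part of the answer or of the linked repository; it validates a plain-dictionary description of a hub-and-spoke layout against those prerequisites. ANSWER_CONFIG is transcribed from the script above; the dictionary layout, the function names and the variant are assumptions.

```python
"""Added example: validate a hub-and-spoke description against the prerequisites
for spoke-to-spoke traffic via the hub VPN gateway. Not from the answer or the
linked repository; ANSWER_CONFIG is transcribed from the script above."""
import copy
import ipaddress
from typing import Dict, List, Optional


def _next_hop_for(route_table: Dict[str, str], prefix: str) -> Optional[str]:
    """Next hop of the most specific UDR covering prefix (Azure picks the longest match)."""
    target = ipaddress.ip_network(prefix)
    matches = [(ipaddress.ip_network(p).prefixlen, nh)
               for p, nh in route_table.items() if target.subnet_of(ipaddress.ip_network(p))]
    return max(matches)[1] if matches else None


def check_gateway_transit(cfg: dict, rdp_port: int = 3389) -> List[str]:
    """Return a list of findings; an empty list means every prerequisite holds."""
    findings: List[str] = []
    hub = cfg["hub"]
    if "GatewaySubnet" not in hub["subnets"] or not hub.get("vpn_gateway"):
        findings.append("hub: a VPN gateway deployed in a subnet named GatewaySubnet is required")
    for name, spoke in cfg["spokes"].items():
        hub_to_spoke = hub["peerings"].get(name)
        if hub_to_spoke is None:
            findings.append(f"{name}: hub has no peering to this spoke")
        elif not hub_to_spoke.get("allow_gateway_transit"):
            findings.append(f"{name}: hub->spoke peering lacks --allow-gateway-transit")
        if not spoke["peering_to_hub"].get("use_remote_gateways"):
            findings.append(f"{name}: spoke->hub peering lacks --use-remote-gateways")
        for other, o in cfg["spokes"].items():       # every other spoke must be routed to the gateway
            if other == name:
                continue
            next_hop = _next_hop_for(spoke["route_table"], o["prefix"])
            if next_hop != "VirtualNetworkGateway":
                findings.append(f"{name}: UDR for {o['prefix']} has next hop {next_hop!r}, "
                                "expected VirtualNetworkGateway")
        if rdp_port not in spoke["nsg_inbound_allow"]:
            findings.append(f"{name}: subnet NSG has no inbound allow for TCP {rdp_port}")
    return findings


# Transcribed from the answer's script.
ANSWER_CONFIG = {
    "hub": {
        "subnets": ["hub-subnet", "GatewaySubnet", "AzureBastionSubnet"],
        "vpn_gateway": "vnet-Gateway",
        "peerings": {
            "spoke1-vnet": {"allow_gateway_transit": True, "allow_forwarded_traffic": True},
            "spoke2-vnet": {"allow_gateway_transit": True, "allow_forwarded_traffic": True},
        },
    },
    "spokes": {
        "spoke1-vnet": {"prefix": "10.1.1.0/24",
                        "peering_to_hub": {"use_remote_gateways": True},
                        "route_table": {"10.2.1.0/24": "VirtualNetworkGateway"},   # spoke1ToSpoke2
                        "nsg_inbound_allow": [3389]},                                # rdpRule
        "spoke2-vnet": {"prefix": "10.2.1.0/24",
                        "peering_to_hub": {"use_remote_gateways": True},
                        "route_table": {"10.1.1.0/24": "VirtualNetworkGateway"},   # spoke2ToSpoke1
                        "nsg_inbound_allow": [3389]},
    },
}


def without_remote_gateways() -> List[str]:
    """Constructed variant: spoke1 peered to the hub without --use-remote-gateways,
    the flag the question's original ProdtoHUB/DEVtoHUB peerings did not set."""
    cfg = copy.deepcopy(ANSWER_CONFIG)
    cfg["spokes"]["spoke1-vnet"]["peering_to_hub"]["use_remote_gateways"] = False
    return check_gateway_transit(cfg)


if __name__ == "__main__":
    print("answer's script:", check_gateway_transit(ANSWER_CONFIG) or "all prerequisites met")
    print("variant:", without_remote_gateways())
```

Feeding the checker the real state is a matter of filling the dictionary from az network vnet peering list, az network route-table route list and az network nsg rule list output; the point of keeping it a pure function is that the same checks can run in CI against exported configuration before anything is deployed.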
