Hello All, In this scenario shown below, Bastion instance is deployed in VNET-1. VNET-1 and VNET-2 have their own respective Site-to-Site (S2S) VPN connections to their on-premises environments. The objective is to use the Bastion instance in VNET-1 to RDP into VM-2 and VM-3, which reside in separate VNETs (VNET-2 and VNET-3). Establishing VNET peering between VNET-1 and VNET-2/VNET-3 is not an option because VNET-2 and VNET-3 already have VNET Gateways in use for their respective S2S VPN connections. One possible solution is to set up S2S VPN connections between VNET-1 and both VNET-2 and VNET-3. Is there any other approach to achieve this objective?

Hi @ Prashanta Shrestha , in your scenario additional S2S VON connections between VNET1/VNET2 and VNET1/VNET3 looks like the best/easiest solution. (If the reply was helpful please don't forget to upvote and/or accept as answer , thank you) Regards Andreas Baumgarten

How to set up Bastion to access VMs on different VNets?

Prashanta Shrestha 51

Hello All,

In this scenario shown below,

User's image

Bastion instance is deployed in VNET-1.
VNET-1 and VNET-2 have their own respective Site-to-Site (S2S) VPN connections to their on-premises environments.
The objective is to use the Bastion instance in VNET-1 to RDP into VM-2 and VM-3, which reside in separate VNETs (VNET-2 and VNET-3).

Establishing VNET peering between VNET-1 and VNET-2/VNET-3 is not an option because VNET-2 and VNET-3 already have VNET Gateways in use for their respective S2S VPN connections.

One possible solution is to set up S2S VPN connections between VNET-1 and both VNET-2 and VNET-3.

Is there any other approach to achieve this objective?

KapilAnanth-MSFT 46,096 Reputation points Microsoft Employee

2024-10-03T07:02:53.4066667+00:00
@Prashanta Shrestha ,

I see Andreas Baumgarten has addressed your query.

The only way Bastion can provide connectivity to a server is when the networks are connected together either via S2S/ExpressRoute or Peering with IP based connection feature enabled

Limitations :

IP-based connection won’t work with force tunneling over VPN, or when a default route is advertised over an ExpressRoute circuit. Azure Bastion requires access to the Internet and force tunneling, or the default route advertisement will result in traffic blackholing.

Refer :

https://azure.microsoft.com/en-us/updates/general-availability-azure-bastion-ip-based-connection-connect-onpremises-resources-via-specified-ip-address/

https://zcusa.951200.xyz/en-us/azure/bastion/connect-ip-address

Also,

May I ask why you cannot peer VNET1 with VNET2/VNET3

You should be able to peer these VNETs - you will simply not be able to enable VPN gateway transit

However, Bastion access and connectivity across VMs in these VNETs should still work with the Peering.

If there are other restrictions preventing you from using VNET Peering, then you can go for the answer recommended by Andreas Baumgarten

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

1 answer

Andreas Baumgarten 110.4K Reputation points MVP

2024-10-02T19:00:01.4933333+00:00

Hi @Prashanta Shrestha ,

in your scenario additional S2S VON connections between VNET1/VNET2 and VNET1/VNET3 looks like the best/easiest solution.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to set up Bastion to access VMs on different VNets?

1 answer

Your answer