VNET Gateway VPN Client should have easy way to refresh routes
I noticed that you need to download the VPN client again if the peering changes on the VNETs associated with the gateway. Once the client has the routes you can tear down and recreate VNET peerings as often as you like. It would be nice to have an easy way to refresh the routes for your installed VPN client because I see customers wasting a lot of time trying to figure out why they can’t connect to VMs. At least to have some warning to customers would be good when they configure VNET peering that they might have to reinstall their VPN clients.
Thanks for the feedback. The status of this ask is a bit complicated – it’s partially working, but partially in progress:
1. For existing SSTP P2S VPN, there is no solution but to download the VPN client package again.
2. For IKEv2 P2S VPN, it works by P2S client reconnecting to the Azure VPN gateway. Once they connect again, they will get the new routes. This will apply to changes in VNet address spaces (including VNet peering), newly added S2S/VNet-to-VNet connections, or new routes learned via BGP.
3. The caveat for (2) is that it currently works on Mac and Linux, but Windows requires a KB/Update that will be released shortly.
We will provide an update to this item once the Windows update is available.
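The staleness described above (the installed client still carrying routes from before a peering change) is easy to check from the client machine. The following Azure PowerShell script is an added example, not code from this thread or from Microsoft; it assumes the Az module is installed and signed in, that the resource group and gateway names below are placeholders to replace, and that the Windows VPN connection name equals the network interface alias while connected.

```powershell
# Added example: compare the prefixes a P2S gateway's VNet and its Connected
# peerings cover against the routes the installed Windows VPN client pushed
# into the local routing table. Placeholders: replace the three defaults.
param(
    [string]$ResourceGroup  = 'rg-hub-PLACEHOLDER',
    [string]$GatewayName    = 'vgw-hub-PLACEHOLDER',
    [string]$ConnectionName = 'vgw-hub-PLACEHOLDER'   # name shown in Windows VPN settings
)

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name $GatewayName
# The gateway subnet id ends in .../virtualNetworks/<vnet>/subnets/GatewaySubnet,
# so the VNet name is the third segment from the end.
$vnetName = ($gw.IpConfigurations[0].Subnet.Id -split '/')[-3]
$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $vnetName

# Expected prefixes: the gateway VNet's own address space plus every peered VNet.
$expected = @($vnet.AddressSpace.AddressPrefixes)
$peerings = Get-AzVirtualNetworkPeering -ResourceGroupName $ResourceGroup -VirtualNetworkName $vnetName
foreach ($p in $peerings) {
    if ($p.PeeringState -eq 'Connected') {
        $expected += $p.RemoteVirtualNetworkAddressSpace.AddressPrefixes
    }
}
$expected = $expected | Sort-Object -Unique

# Installed prefixes: IPv4 routes bound to the VPN interface while connected.
$installed = @(Get-NetRoute -InterfaceAlias $ConnectionName -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty DestinationPrefix)
if ($installed.Count -eq 0) {
    Write-Output "No routes found on interface '$ConnectionName'; is the VPN connected?"
    return
}

# Exact-string comparison: a covering supernet would still be reported as missing.
$missing = $expected | Where-Object { $_ -notin $installed }
if ($missing) {
    Write-Output "Client profile looks stale; prefixes not routed over ${ConnectionName}:"
    $missing | ForEach-Object { Write-Output "  $_" }
    Write-Output "SSTP: download the VPN client package again. IKEv2: disconnect and reconnect."
} else {
    Write-Output "All $($expected.Count) expected prefixes are routed over $ConnectionName."
}
```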
Which Windows KB/Update resolved this issue?
Thanks for the feedback - there are two aspects to this ask:
1. Azure P2S route refresh on the client side
2. App Service to leverage the route refresh capability
The work is in progress for (1), but it will not be in band due to protocol limit. For IKEv2 P2S VPN, simply reconnecting P2S clients will enable the client side to learn the new routes. I explained a bit more in another similar ask and will merge this ask to that main item.
Once that's available, we will see how App Service can leverage this.
Moved to the networking forum to solve routing between gateway types.
At the moment the VPN client config does not seem to pick up the advertised routes from the onprem side of the BGP VPN. These routes are dynamically advertised.
The workaround by adding routes manually through the App Service Plan network configuration does not seem to be stable. It works for some time, then seems to be disregarded until one does a sync network action.
This means that active-passive or active-active VPN GW with BGP cannot be used in conjunction with the App Service VPN (P2S) connection scheme.
Any serious Azure design needs a robust VPN gateway, so it is disappointing that App Service VPN does not support this configuration type.