Diagnose and resolve virtual network gateway connectivity issues

2.1 Site-to-Site (S2S) VPN Connectivity

📘Microsoft Azure Networking Solutions (AZ-700)

1. What This Topic Is About (Exam Perspective)

In the AZ-700 exam, Microsoft expects you to:

Identify why a Site-to-Site VPN connection is not working
Know which Azure components to check
Understand common misconfigurations
Use Azure diagnostic tools to find and fix problems

This topic focuses on troubleshooting, not on creating the VPN from scratch.

2. Key Components Involved in S2S VPN Connectivity

Before diagnosing issues, you must understand the main components involved:

Azure-side components

Virtual Network (VNet)
Gateway subnet
Virtual Network Gateway
Local Network Gateway
VPN connection

On-premises side components (logical view)

VPN device (firewall or VPN appliance)
Public IP address
Internal address spaces

Connectivity problems usually happen because one or more of these components is misconfigured or unhealthy.

3. Common Categories of Connectivity Issues (Exam-Important)

Most S2S VPN issues fall into one of these categories:

Connection status issues
IP addressing issues
Shared key (PSK) issues
Routing issues
Gateway or subnet issues
VPN device configuration issues
Azure platform or resource health issues

The exam often gives a symptom and asks you to identify the cause or fix.

4. Checking VPN Connection Status in Azure

Where to check

Azure Portal
Virtual Network Gateway
Connections blade

Common connection states

Connected → Tunnel is established
Not Connected → Tunnel failed
Connecting → Negotiation in progress
Unknown → Diagnostic needed

Exam note

If the connection is Not Connected, Azure will not pass traffic between networks.

5. Diagnosing Shared Key (Pre-Shared Key) Issues

What is a shared key

A secret string used by both sides to authenticate the VPN tunnel

Common problems

Shared key mismatch between Azure and on-premises VPN device
Key changed on one side but not the other

Result of shared key issues

VPN tunnel fails to establish
Connection status shows Not Connected

Exam tip

If the tunnel does not come up at all, always suspect the shared key first.

6. IP Address and Address Space Issues

Azure VNet address space

Must not overlap with on-premises address space

Local Network Gateway address space

Must correctly define on-premises internal networks

Common problems

Overlapping IP ranges
Missing or incorrect address prefixes
Wrong public IP address of on-premises VPN device

Result

Tunnel may connect, but traffic does not flow
Some subnets cannot communicate

Exam tip

Overlapping IP ranges do not break the tunnel, but they break traffic flow.

7. Gateway Subnet Issues

What is the gateway subnet

A special subnet named GatewaySubnet
Required for the virtual network gateway

Common issues

Subnet name is incorrect
Subnet size is too small
Gateway subnet deleted or modified

Best practice (exam-relevant)

GatewaySubnet should be /27 or larger

Result of issues

Gateway creation or connection failures
Unstable VPN behavior

8. Routing and Traffic Flow Issues

Even when the VPN shows Connected, traffic may still fail.

Common routing problems

Missing routes on the on-premises VPN device
Incorrect address prefixes in Local Network Gateway
Forced tunneling misconfiguration
Custom route tables (UDRs) blocking traffic

Azure side routing checks

Ensure no UDR routes traffic to wrong next hop
Verify effective routes on the subnet

Exam tip

A Connected VPN does not guarantee successful data transfer.

9. VPN Type and SKU Compatibility Issues

VPN types

Policy-based VPN
Route-based VPN

Common problems

VPN type mismatch between Azure and on-premises device
Unsupported encryption or hashing algorithms
Unsupported IKE version

SKU-related issues

Selected gateway SKU does not support required features
Throughput limits reached

Exam tip

If a VPN device supports only policy-based VPN, Azure must be configured the same way.

10. Using Azure Diagnostic Tools (Very Important for Exam)

1. Azure Network Watcher

Used to:

Run VPN diagnostics
Check tunnel health
Identify misconfigurations

VPN diagnostics output

Shared key mismatch
IPsec policy mismatch
Connectivity failures

2. Connection Troubleshoot

Helps:

Test connectivity between Azure VM and on-premises endpoint
Identify where traffic is dropped

3. Azure Resource Health

Used to:

Check platform-level issues
Identify Azure outages affecting VPN gateways

Exam tip

If configuration is correct but VPN still fails, check Azure Resource Health.

11. Resetting the Virtual Network Gateway

What reset does

Restarts the gateway instances
Clears transient issues

When to use

Intermittent connectivity
Tunnel stuck in “Connecting” state

Important exam note

Resetting:

Does not delete configurations
Causes temporary downtime

12. Logging and Monitoring

Available logs

Gateway diagnostics logs
IPsec logs
Azure Monitor metrics

What logs help identify

Negotiation failures
Packet drops
Tunnel stability issues

Exam relevance

You may be asked which tool to use to identify a specific issue.

13. Typical Exam Scenarios and What to Think

Symptom	Likely Cause
VPN not connected	Shared key mismatch
VPN connected but no traffic	Routing or address space issue
Intermittent disconnections	Gateway performance or reset needed
Some subnets unreachable	Incorrect Local Network Gateway prefixes
VPN setup fails	Gateway subnet or SKU issue

14. Key Takeaways for AZ-700 Exam

Always check connection status first
Shared key mismatches are the most common failure
Overlapping IP ranges break traffic, not the tunnel
GatewaySubnet must exist and be properly sized
Network Watcher is the primary troubleshooting tool
“Connected” does not always mean “working”
Azure Resource Health helps identify platform issues

15. Exam Memory Checklist

Before selecting an answer, ask yourself:

Is the VPN tunnel up or down?
Are address spaces correct and non-overlapping?
Is the shared key the same on both sides?
Is routing configured correctly?
Is the gateway subnet valid?
Should Network Watcher diagnostics be used?