We have a VNET (let's call it VN_MAIN) that is configured to have an S2S VPN connection to our on-premises network. The VMs deployed within subnets of VN_MAIN are reachable from on-premises.

What I'm trying to do is to create another VNET (VN_OTHER) and make sure that you can reach on-premises from VN_OTHER and vice versa, through VN_MAIN acting as a hub.

VN_MAIN has an address space of 10.123.128.0/20 (not created by me). I needed a /16 address space for my new VNET and wanted to avoid overlap, so I created VN_OTHER with address space 10.230.0.0/16.

Taking inspiration from the hub-spoke topology described here, I've created a peering on each VNET:

On VN_MAIN: main-to-other-peering to VN_OTHER, forwarded traffic allowed + gateway transit allowed

On VN_OTHER: other-to-main-peering to VN_MAIN, forwarded traffic allowed + use remote gateways checked

Afterwards, to test this, I launched two Linux machines: machine-1 on VN_MAIN (subnet 10.123.129.0/24) and machine-2 on VN_OTHER (subnet 10.230.0.0/16, i.e. the whole address space).

According to my understanding of the article I linked, this should be enough for what I'm trying to accomplish. However, it doesn't work properly. Here are the pings I attempted:

machine-1 to machine-2: OK

machine-2 to machine-1: OK

my-laptop to machine-1: OK

machine-1 to my-laptop: OK

my-laptop to machine-2: NOT OK

machine-2 to my-laptop: NOT OK

So, the peering between the VNETs works, but the gateway transit does not, even though I believe I've done everything I was supposed to do to allow it. I am positive this is not an issue with any NSG rules.

Can anyone tell if there's something I am missing here please?
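The two peerings described in the question, expressed as Azure CLI commands, together with the checks a practitioner would run before concluding that gateway transit is broken. This is an added example, not code from the original post: the resource group, the NIC name of machine-2 and the name of the VPN gateway in VN_MAIN are assumptions (set them via environment variables); the VNET and peering names are the ones from the post. The `peering_flags` helper makes the asymmetry explicit: the hub side offers its gateway (`--allow-gateway-transit`), the spoke side consumes it (`--use-remote-gateways`), and both allow forwarded traffic. Nothing is executed against Azure unless the script is invoked with the argument `run`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Reproduces the hub-spoke peering
# described in the question with the Azure CLI and then inspects the state the
# spoke VM and the hub gateway actually have. Names marked "assumption" are not
# from the post and must be adjusted.
set -eu

RG="${RG:-my-rg}"                          # assumption: both VNETs live in one resource group
HUB="VN_MAIN"                              # hub VNET with the S2S VPN gateway (from the post)
SPOKE="VN_OTHER"                           # spoke VNET 10.230.0.0/16 (from the post)
SPOKE_NIC="${SPOKE_NIC:-machine-2-nic}"    # assumption: NIC of machine-2
HUB_GW="${HUB_GW:-vn-main-vpn-gw}"         # assumption: VPN gateway name inside VN_MAIN

# Flags each side of a gateway-transit peering needs. The hub offers its gateway,
# the spoke uses it; both sides must allow forwarded traffic for on-prem <-> spoke.
peering_flags() {
  case "$1" in
    hub)   echo "--allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit" ;;
    spoke) echo "--allow-vnet-access --allow-forwarded-traffic --use-remote-gateways" ;;
    *)     echo "unknown side: $1" >&2; return 1 ;;
  esac
}

create_peerings() {
  # shellcheck disable=SC2046  # word-splitting of the flag string is intended
  az network vnet peering create -g "$RG" --vnet-name "$HUB" \
    -n main-to-other-peering --remote-vnet "$SPOKE" $(peering_flags hub)
  az network vnet peering create -g "$RG" --vnet-name "$SPOKE" \
    -n other-to-main-peering --remote-vnet "$HUB" $(peering_flags spoke)
}

# Check 1: the spoke-side peering must be Connected with useRemoteGateways=true.
check_peering_state() {
  az network vnet peering show -g "$RG" --vnet-name "$SPOKE" -n other-to-main-peering \
    --query "{state:peeringState, useRemoteGateways:useRemoteGateways, allowForwarded:allowForwardedTraffic}" \
    -o table
}

# Check 2: machine-2's effective routes. With working transit there must be a route
# for the on-prem prefix whose nextHopType is VirtualNetworkGateway; if it is missing,
# the problem is upstream of NSGs.
check_spoke_routes() {
  az network nic show-effective-route-table -g "$RG" -n "$SPOKE_NIC" \
    --query "value[?nextHopType=='VirtualNetworkGateway'].{prefix:addressPrefix[0], nextHop:nextHopType, state:state}" \
    -o table
}

# Check 3: what the hub gateway knows. Traffic back from on-prem only reaches
# 10.230.0.0/16 if the on-prem side routes that prefix to this gateway, so compare
# this output with the routing/policy configuration on the on-prem VPN device.
check_gateway_routes() {
  az network vnet-gateway list-learned-routes -g "$RG" -n "$HUB_GW" -o table
}

if [ "${1:-}" = "run" ]; then
  command -v az >/dev/null 2>&1 || { echo "az CLI not found" >&2; exit 1; }
  create_peerings
  check_peering_state
  check_spoke_routes
  check_gateway_routes
fi
```

Run as `RG=<rg> SPOKE_NIC=<nic> HUB_GW=<gw> ./peering-check.sh run`. The effective-route-table check is the decisive one for the symptom in the post: machine-2 pinging on-prem can only leave the spoke if its NIC carries a VirtualNetworkGateway route for the on-prem prefix, and the reply can only come back if the on-prem side has a route for 10.230.0.0/16 pointing at the hub's S2S tunnel.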