So you have successfully established an Azure Point-to-Site VPN, and you’re trying to Ping or RDP to Azure VMs. Darn! It doesn’t work. Courtenay Bernier has some insider information on this sticky problem.
“IMPORTANT NOTE regarding existing virtual machines: As of the current release you must create new VMs and attach to the VPN affinity group during the Azure VM setup process. Attaching pre-created VMs to a new affinity group is not supported at this time. If you already have VMs created, save the VM disk(s) and recreate the VM using the saved VM disk and add it to the VPN affinity group during the Azure VM setup process.”
Many thanks to Bernier; his TechNet article is the only place I have seen this weird limitation mentioned at all. By the way, his article is also an excellent walk-through guide for Azure Point-to-Site VPN configurations.
In other words, the Microsoft Azure design team has had brain fade. Unlike the classic, logical way of setting up remote access to an on-prem server AFTER the server is installed, they now want you to deploy your VPN first and spin up the VMs later. What can I say! I just wish they would mention this limitation somewhere on the Azure New VM Wizard page.
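The "save the disk and recreate the VM inside the VPN affinity group" workaround quoted above can be scripted with the classic (service-management) Azure PowerShell cmdlets. The script below is an added example written for this post; it is not Bernier's code or anything from the Azure team, and every name in it (the cloud service, VM, affinity group, virtual network and subnet) is a placeholder you would replace with your own. It assumes the VPN affinity group and virtual network already exist, as they must for the Point-to-Site gateway to have been created, and it keeps the original OS disk, which is the whole point of the workaround.

```powershell
# Added example (not from the original post). Classic Azure (service management) cmdlets.
# Assumed/placeholder values: replace with your own names before running.
$oldServiceName = 'myOldCloudService'      # cloud service the VM lives in today
$vmName         = 'myVm'                   # VM that cannot currently be reached over the P2S VPN
$newServiceName = 'myVpnCloudService'      # new cloud service that will be created in the VPN affinity group
$affinityGroup  = 'MyVpnAffinityGroup'     # affinity group the virtual network / gateway was built in
$vnetName       = 'MyVpnVNet'              # virtual network that the Point-to-Site gateway belongs to
$subnetName     = 'Subnet-1'               # subnet inside that virtual network
$instanceSize   = 'Small'

# 1. Record which OS disk the VM is using before anything is deleted.
$existingVm = Get-AzureVM -ServiceName $oldServiceName -Name $vmName
$osDiskName = $existingVm.VM.OSVirtualHardDisk.DiskName
Write-Host "OS disk to preserve: $osDiskName"

# 2. Remove the VM *without* -DeleteVHD, so the disk (and its VHD blob) survives.
Remove-AzureVM -ServiceName $oldServiceName -Name $vmName

# 3. Wait until the platform reports the disk as detached; recreating too early fails.
do {
    Start-Sleep -Seconds 15
    $disk = Get-AzureDisk -DiskName $osDiskName
} while ($disk.AttachedTo -ne $null)
Write-Host "Disk $osDiskName is detached and can be reused."

# 4. Build a VM configuration from the saved OS disk and place it on the VPN subnet.
$vmConfig = New-AzureVMConfig -Name $vmName -InstanceSize $instanceSize -DiskName $osDiskName |
            Set-AzureSubnet -SubnetNames $subnetName

# 5. Create the VM in a new cloud service that is bound to the VPN affinity group
#    and virtual network at creation time, which is the only supported way per the note above.
New-AzureVM -ServiceName $newServiceName -AffinityGroup $affinityGroup -VNetName $vnetName -VMs $vmConfig

# 6. Confirm the VM now has an address on the VPN virtual network.
Get-AzureVM -ServiceName $newServiceName -Name $vmName | Select-Object Name, IpAddress, Status
```

Step 1 is the check to do first: copy the disk name down before removing the VM, because once the VM is gone the disk is only identifiable from `Get-AzureDisk`. Removing a VM in the classic model also releases its public VIP and endpoints, so any RDP or firewall rules keyed to the old address need revisiting; after the move, RDP and ping should be done over the private VPN address shown in step 6 rather than a public endpoint.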