Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum

Site-to-site: Cannot reach the virtual network from the on-premises network

Short description: From a VM deployed on the Azure virtual network, I can reach my on-premises computer without a problem. It does not work the other way round - I have not succeeded in making any connection.

Detailed description:

I have purchased and deployed a supported router device (Juniper SRX100) to act as an on-premises gateway to Windows Azure. I have then created a site-to-site connection in the Azure portal. It generated a script for router configuration. I replaced the placeholders as needed. It did not work, because it was referring to zones named "trusted" and "untrusted", but the out-of-the-box router configuration was using zones named "LAN" and "WAN". I have then edited the script in the best way I could (I know practically nothing about Juniper OS) and it was then accepted by the router. I connected the gateway in the Azure portal - and it has connected successfully. I can also see the data in/data out statistics on the virtual network slowly increasing.

I have then created a first VM on the virtual network. I have used the "Windows Server Essentials Experience" from the gallery. It has successfully provisioned, and I can connect to it over the Internet using the RDP file provided by the portal.

From this VM (e.g. using RDP and running various apps), I can access the public Internet, and I can also access the computers on my on-premises network.

However, I cannot access this VM *from* my on-premises network. I know that "ping" (ICMP) is not allowed through, but I have tried several services, such as RDP, or the Web (port 80), and they don't work. I have tried TRACERT to the VM, and I can see it goes through a lot of hops "somewhere" to Microsoft, so that looks like a proper route - also considering that connections from Azure to on-premises do work, which requires return packets too, so there are multiple indications that the packets make their way in this direction, at least partially.

I originally suspected a firewall or a configuration issue on the Azure VM, but I think I have ruled that out: Turning off the Windows Firewall in the VM does not help. And, I then created a second VM in Azure on the same virtual network, and from this second VM I can e.g. use Internet Explorer and browse to the first VM and see the default page of its IIS, without problems.

I now suspect that this may be some issue deep inside the router configuration (maybe some security problem preventing Azure from letting in the incoming packets?), but I cannot tell what it is. And, I have tried to do everything according to the Microsoft recommendation - including the device choice.

Any ideas? Thank you in advance...



