Having created a “developer desktop” VM within my Azure virtual network (a server pool reached over a Windows SSTP-based VPN), the whole point is to connect the VM to the local LAN and its “private” cloud servers. This includes letting the Visual Studio client on that desktop reach the source file server, known as TFS, which is hosted on a machine other than my client PC and, furthermore, in a different subnet. And my client PC itself connects to that subnet over a VPN, using the Cisco AnyConnect/ASA (SSL over UDP) tool chain.
Being a client-to-site VPN (rather than site-to-site), the remote gateway does not inject server-side routes for my various subnets. There is one and only one route: the network of a single host, my connecting PC. To make the solution work, I added IP port forwarding to the PC, so that it exposes a port on its binding address which the Visual Studio client can reach (over the Windows VPN). The PC in turn captures the layer-4 PDUs arriving on that port and forwards them to the true server on the subnet, which is not reachable directly from the VM, using its own local knowledge of the AnyConnect tunnel to do the segment forwarding. Two things follow from this design: the TFS server sees every relayed connection as coming from the PC, not from the VM, and anyone who can reach the PC's listening port gets the same access to TFS that the PC has, so the listener should be bound and firewalled to the VPN-facing address only.
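A concrete version of that port forwarding, added here as an example rather than the commands from the original post: on Windows the built-in layer-4 relay is netsh portproxy, driven from an elevated PowerShell session. The addresses, the TFS port (8080 is the TFS default, but confirm it for your server) and the collection path are assumptions.

```powershell
# Added example, not the original post's own commands. Assumed values:
#   $ListenAddress - the client PC's address as the Azure VM sees it over the SSTP VPN
#   $TfsHost       - the TFS server, reachable from the PC only through AnyConnect
#   $TfsPort       - TFS's HTTP port (8080 is the TFS default)
$ListenAddress = '10.0.0.5'
$ListenPort    = 8080
$TfsHost       = '192.168.50.20'
$TfsPort       = 8080

# portproxy is implemented by the IP Helper service; make sure it runs and survives reboots.
Set-Service -Name iphlpsvc -StartupType Automatic
Start-Service -Name iphlpsvc

# Register the relay: TCP segments arriving at $ListenAddress:$ListenPort are
# accepted by the PC and re-originated toward $TfsHost:$TfsPort, so the ASA
# only ever sees traffic from the one host it already has a route for.
netsh interface portproxy add v4tov4 `
    listenaddress=$ListenAddress listenport=$ListenPort `
    connectaddress=$TfsHost connectport=$TfsPort

# Scope the firewall opening to the VPN-facing address; do not expose the relay
# on every interface of the PC, since it grants the PC's access to TFS.
New-NetFirewallRule -DisplayName 'TFS relay (SSTP clients only)' `
    -Direction Inbound -Protocol TCP -LocalAddress $ListenAddress `
    -LocalPort $ListenPort -Action Allow

# Check: the mapping exists and a socket is actually listening on it.
netsh interface portproxy show v4tov4
Get-NetTCPConnection -LocalAddress $ListenAddress -LocalPort $ListenPort -State Listen

# From the Azure developer desktop, confirm reachability before touching Visual Studio:
#   Test-NetConnection -ComputerName 10.0.0.5 -Port 8080
# then point the Team Explorer connection at http://10.0.0.5:8080/tfs
# (the /tfs collection path is an assumption).

# Undo when finished:
#   netsh interface portproxy delete v4tov4 listenaddress=$ListenAddress listenport=$ListenPort
```

Because the relay rewrites the source address, TFS authenticates the PC's outbound connection as the VM's user only if the credentials travel inside the HTTP session, and the hostname the VM uses (the PC's address) will not match the TFS server's Kerberos SPN, so expect Windows integrated authentication to fall back to NTLM or to prompt for credentials. The relay is also plaintext at layer 4: it does not terminate or add TLS, so whatever protection the original TFS connection had is exactly what you still get.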
This gets us to