Two SQL Managed Instances in 2 virtual networks, 2 VPNs needed – how to make 1 VPN sufficient for connecting to both SQL MIs' local endpoints?


We have two SQL Managed Instances (MI-1 and MI-2) in two virtual networks (vNet-1 and vNet-2) in separate regions.

Global virtual network peering is configured between the two virtual networks.

SQL Managed Instances are joined into Failover Group.
MI-1 is primary and MI-2 is secondary.
Failover Group’s endpoints are FG and FG.secondary respectively.

Both virtual networks each have their own VPN gateway (vNet-gateway-1 and vNet-gateway-2).
Both VPN gateways have point-to-site VPNs (VPN-1 and VPN-2) configured, with “Azure Active Directory” authentication.

Issue:

When we connect to VPN-1, we can connect to MI-1 and FG local (internal) endpoints in SSMS.
But we cannot connect to MI-2 and FG.secondary local (internal) endpoints while connected to VPN-1. Error is:

A network-related or instance-specific error occurred while establishing a connection to SQL Server.
The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 0 –
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.)
(Framework Microsoft SqlClient Data Provider)

Vice versa, when we are connected to VPN-2 – we can connect to MI-2 and FG.secondary local (internal) endpoints in SSMS.
But we cannot connect to MI-1 and FG local (internal) endpoints while connected to VPN-2.

Question:

How can we make MI-2 and FG.secondary accessible over VPN-1, and/or make MI-1 and FG accessible over VPN-2?
The ultimate goal is to make just one VPN be sufficient for connections to both MI-1 and MI-2 (FG and FG.secondary) in different regions.

Tried changing Network Security Groups’ settings for vNet-1 and vNet-2 to allow traffic from gateway subnets to virtual networks, but it did not work. Global virtual network peering is configured though, not sure if messing with NSGs is needed.
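As an added diagnostic (not part of the original question), the script below resolves each MI local endpoint, reports which vNet's address space the private IP falls in, and tells a connect timeout (typical of a missing route on the VPN client or a silent NSG/UDR drop, which is what the error quoted above indicates) apart from a refused connection or a DNS failure. The FQDNs, vNet address spaces and port are constructed placeholders.

```python
import ipaddress
import socket

# Constructed sample topology: replace with the real address spaces and
# the private-endpoint FQDNs of MI-1 / MI-2 (assumed values, not the post's).
VNETS = {
    "vNet-1": ["10.1.0.0/16"],
    "vNet-2": ["10.2.0.0/16"],
}
ENDPOINTS = {
    "MI-1": "mi-1.placeholder.database.windows.net",
    "MI-2": "mi-2.placeholder.database.windows.net",
}
SQL_PORT = 1433  # MI local (VNet-local) endpoint; assumed default


def vnet_for_ip(ip, vnets=VNETS):
    """Return the name of the vNet whose address space contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in vnets.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None


def classify(exc):
    """Map a connect failure to what it usually means for a P2S VPN client.
    Timeout: packets leave the client but nothing answers (no route to the
    peered vNet, or NSG/UDR drops). Refused: host reached, port not open."""
    if exc is None:
        return "open"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout (route missing or traffic silently dropped)"
    if isinstance(exc, ConnectionRefusedError):
        return "refused (host reachable, port closed)"
    if isinstance(exc, socket.gaierror):
        return "dns failure (name not resolvable over this VPN)"
    return f"other: {exc!r}"


def probe(host, port=SQL_PORT, timeout=5.0):
    """Resolve host and attempt a TCP connect; return (ip, vnet, verdict)."""
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror as e:
        return None, None, classify(e)
    err = None
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            pass
    except OSError as e:
        err = e
    return ip, vnet_for_ip(ip), classify(err)


if __name__ == "__main__":
    for label, fqdn in ENDPOINTS.items():
        ip, vnet, verdict = probe(fqdn)
        print(f"{label}: {fqdn} -> {ip} ({vnet}): {verdict}")
```

Run it once while connected to VPN-1 and once on VPN-2; an endpoint that reports "timeout" only under the VPN whose vNet does not contain its IP points at routing between the gateway and the peered vNet rather than at the instance itself.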
