Site-2-Site between 2 Azure VNETs

Antonio Rostaing 81 Reputation points
2020-06-10T15:40:00.183+00:00

Configuring a VNet-to-VNet connection is the preferred option to easily connect VNets if you need a secure tunnel using IPsec/IKE. In this case the documentation said that traffic between VNets is routed through the Microsoft backbone infrastructure.

According to the documentation, a Site-to-Site connection is also possible:

If you are working with a complicated network configuration, you may prefer to connect your VNets using the Site-to-Site steps, instead of the VNet-to-VNet steps. When you use the Site-to-Site steps, you create and configure the local network gateways manually.

In this case we have control over the configuration of the virtual local network address space, but we need to expose public IPs. The documentation doesn't say anything about where the traffic goes (Azure internal or public internet).

My question is: in this scenario, S2S between VNets, is the traffic routed through Azure infrastructure as in the case of VNet-to-VNet, or is the communication done through the public internet?

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

3 answers

  1. Anonymous
    2020-06-12T13:43:52.787+00:00

    Hi Antonio,

    Do you require IPsec communication between the VNets? And are the VNets in different Azure tenants or the same?

    The reason I ask is because VNet peering, for example, is much faster and easier, but it requires the VNets to be in the same Azure AD in a multiple subscription scenario or in the same subscription.

    If IPsec is required you would need the Site-to-Site approach. The Public IPs are public but since it's all Azure and probably in the same region it will run over the Azure Backbone. But still public internet.

    Regards
    Pascal

    1 person found this answer helpful.

  2. TravisCragg-MSFT 5,676 Reputation points Microsoft Employee
    2020-06-16T20:45:48.553+00:00
    1 person found this answer helpful.

  3. Malleswara Reddy, G 1,631 Reputation points
    2020-06-10T15:52:06.607+00:00

    Hi,

    S2S traffic is routed over the public internet. If you are looking for some exclusive line, you will need to take ExpressRoute.

    https://learn.microsoft.com/en-us/azure/expressroute/expressroute-routing

    You can also have a look at Private Link, but it is still in preview.

    https://learn.microsoft.com/en-us/azure/private-link/private-link-overview