Problem on creating VPN gateway on existing Vnet

ZuperKC 26 Reputation points
2022-05-11T03:44:58.71+00:00

Hi there,

Below is the background of the existing and proposed setup of the Azure network.

Existing

<HK> ---S2S VPN---<VNET1> ---PEERINGS--- <VNET2>

  • <VNET1> is located in East Asia and <VNET2> is located in SouthEast Asia
  • There are workloads sitting on both <VNET1> and <VNET2>, accessed by users from HK
  • There is a peering between <VNET1> and <VNET2> with gateway transit

Proposed

<HK> ---S2S VPN---<VNET1> ---PEERINGS--- <VNET2> ---S2S VPN--- <SG>

The goal of the proposed design is to allow users from SG to access the workloads on <VNET1> and <VNET2>. So, I'm trying to set up the S2S VPN between <SG> and <VNET2>. I got the below error when I tried to create a VPN gateway on <VNET2>. It seems to be because <VNET2> has a peering set up and uses the remote network <VNET1> as a gateway.

Deployment failed

Deployment to resource group 'SG-RG' failed.

{
    "status": "Failed",
    "error": {
        "code": "ParentVnetAlreadyUsesRemoteGateways",
        "message": "Virtual network gateway can not be created since the virtual network /subscriptions/xxxxxx/resourceGroups/SG-RG/providers/Microsoft.Network/virtualNetworks/SG-VNET already uses remote gateways over peering /subscriptions/xxxxxx/resourceGroups/SG-RG/providers/Microsoft.Network/virtualNetworks/VNET2/virtualNetworkPeerings/VNET2_to_VNET1.",
        "details": []
    }
}

Does the above proposed design work? And do you have any recommendation?


Accepted answer
  1. GitaraniSharma-MSFT 46,931 Reputation points Microsoft Employee
    2022-05-13T10:42:30.273+00:00

    Hello @ZuperKC ,

    Please find the answers to your queries below:

    To set up the Azure network as you mentioned, do I need to add a route table and network virtual appliance (NVA) to route traffic between Vnet1 and Vnet2?

    No, it is not required to add a route table and NVA to route traffic between Vnet1 and Vnet2 if you set up the network I mentioned, as below.
    <HK> ---S2S VPN---<VNET1> ---S2S VPN--- <VNET2> ---S2S VPN--- <SG>
    Since it will be a direct S2S connection, you have to create a VPN gateway in Vnet2 and then create and configure the local network gateways manually. The local network gateway for each VNet treats the other VNet as a local site. You can also specify additional address spaces for the local network gateway to route traffic.

    Can I use the same virtual network gateway for SG-Vnet2 and Vnet1-Vnet2? Or do I need to deploy an additional virtual network gateway on Vnet2 for the S2S VPN for Vnet1-Vnet2?

    Yes, you can use the same VPN gateway for the SG-Vnet2 and Vnet1-Vnet2 connections, as you can only have 1 VPN gateway in 1 Vnet. However, you can have multiple connections on a VPN gateway depending upon its SKU.

    Is it possible to keep using peering, but without gateway transit, between Vnet1 and Vnet2 instead of S2S VPN, and set up static routes and an NVA on both Vnet1 and Vnet2?

    Yes, it is possible to keep using Vnet peering without gateway transit between Vnet1 and Vnet2 and set up an NVA & UDR for traffic routing. But this setup would be a bit complex and difficult to manage, as you would need to add routing for traffic in both directions.

    Compared with the S2S VPN and Vnet peering, I understand the main difference is that S2S VPN has encryption. From a performance and cost perspective, which one will be better?

    You can find the comparison between Vnet peering and VPN in the below docs for more clarity:
    https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vnet-peering
    https://azure.microsoft.com/en-in/blog/vnet-peering-and-vpn-gateways/

    The most cost effective option would be to add a S2S connection from the Vnet1 (East Asia Vnet) to your SG site. I understand that this will add some latency (about 34ms), but you don't need to pay for 2 VPN gateways and you can also continue using the Vnet peering with the "gateway transit" option enabled. You can choose the option that best suits your requirement.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

  1. risolis 8,701 Reputation points
    2022-05-11T03:54:25.687+00:00

    Hello @ZuperKC

    Welcome to Microsoft Q&A Platform.

    Are you trying to set up something similar to the scenario below:

    https://medium.com/awesome-azure/azure-virtual-network-vnet-peering-overview-introduction-a795517bd83b#:~:text=VNet%20Peering%20Types%201.%20Regional%20VNet%20Peering%3A%20Connecting,communicate%20with%20resources%20in%20a%20different%20virtual%20network.

    BR,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. GitaraniSharma-MSFT 46,931 Reputation points Microsoft Employee
    2022-05-11T13:36:45.083+00:00

    Hello @ZuperKC ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have a Vnet1 located in East Asia and a Vnet2 located in SouthEast Asia, that they are peered together with the "Gateway transit" option enabled, and that you would now like to create a VPN gateway in Vnet2 to connect to another on-premises location, but it fails with the following error: "Virtual network gateway can not be created since the virtual network SG-VNET already uses remote gateways over peering VNET2/virtualNetworkPeerings/VNET2_to_VNET1.".

    Per design and as described in our official doc, each virtual network, including a peered virtual network, can have its own gateway. However, when you configure the gateway in the peered virtual network as a transit point to an on-premises network, the virtual network that is using a remote gateway can't have its own gateway. A virtual network has only one gateway. The gateway is either a local or remote gateway in the peered virtual network.

    So, your proposed setup (<HK> ---S2S VPN---<VNET1> ---PEERINGS--- <VNET2> ---S2S VPN--- <SG>) is not possible to implement.

    You would need to remove the "gateway transit" option to be able to create a VPN gateway in Vnet2.

    Since you would like to make sure that both on-premises sites are able to access both Vnets, you can go with a site-to-site VPN between Vnet1 and Vnet2 as below:
    <HK> ---S2S VPN---<VNET1> ---S2S VPN--- <VNET2> ---S2S VPN--- <SG>

    Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#site-to-site-ipsec

    If you can enable BGP, it would be much easier to set up, as this can enable transit routing with Azure VPN gateways between your on-premises sites or across multiple Azure Virtual Networks.
    Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview#transitrouting

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
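As an added example (not code from this thread or from Microsoft), a pre-flight check that reads the JSON produced by `az network vnet peering list` and flags the peering with `useRemoteGateways` enabled, the condition behind the ParentVnetAlreadyUsesRemoteGateways error explained in the second answer, and prints the peering update that must precede the VNet1-VNet2 S2S design in the accepted answer. The sample JSON, the `preflight` helper and the placeholder subscription id are constructed.

```python
import json

# Constructed sample: what `az network vnet peering list -g SG-RG --vnet-name VNET2`
# could return for the thread's topology (subscription id is a placeholder).
SAMPLE_PEERINGS_JSON = """
[
  {
    "name": "VNET2_to_VNET1",
    "allowGatewayTransit": false,
    "useRemoteGateways": true,
    "peeringState": "Connected",
    "remoteVirtualNetwork": {
      "id": "/subscriptions/xxxxxx/resourceGroups/SG-RG/providers/Microsoft.Network/virtualNetworks/VNET1"
    }
  }
]
"""

def load_peerings(text):
    """Parse the CLI JSON into (peering_name, remote_vnet_name, use_remote_gateways) tuples."""
    out = []
    for p in json.loads(text):
        remote = p["remoteVirtualNetwork"]["id"].rsplit("/", 1)[-1]
        out.append((p["name"], remote, bool(p.get("useRemoteGateways", False))))
    return out

def gateway_blockers(peerings):
    """Peerings with useRemoteGateways=true. While any exists the VNet consumes a
    remote gateway, so deploying its own VPN gateway fails with
    ParentVnetAlreadyUsesRemoteGateways."""
    return [p for p in peerings if p[2]]

def preflight(resource_group, vnet_name, peerings):
    """Report whether a gateway can be created now and, if not, the peering update
    that clears the blocker. After that update VNet2 no longer reaches HK via
    VNet1's gateway, which is why the accepted answer adds a VNet1<->VNet2 S2S link."""
    blockers = gateway_blockers(peerings)
    fixes = [
        f"az network vnet peering update -g {resource_group} --vnet-name {vnet_name} "
        f"-n {name} --set useRemoteGateways=false"
        for name, _remote, _flag in blockers
    ]
    return {"can_create_gateway": not blockers,
            "blocking_peerings": [name for name, _, _ in blockers],
            "fixes": fixes}

if __name__ == "__main__":
    print(json.dumps(preflight("SG-RG", "VNET2", load_peerings(SAMPLE_PEERINGS_JSON)), indent=2))
```

Run it against the real CLI output before touching the peering; it only proposes the command, it does not execute it.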