SD-WAN connection to Azure

Behrouz Azarm 1 Reputation point
2022-08-02T00:21:38.777+00:00

Hi Guys,

We want to setup an SD-WAN to Azure connection setup.
The CPE of this SD-WAN has been deployed as an NVA router in an Azure environment, which is working fine and can reach other IP spaces in the on-prem addresses.
Since we wanted to route the traffic from this CPE in the Azure environment to another Azure tenancy, we created a site-to-site VPN connection between these two Azure environments. But traffic from the second Azure could not reach the IP spaces beyond the CPE router (we can ping the CPE router from all subnets in the second Azure tenancy, but not the other IP spaces behind the SD-WAN connection). I have tested the connection with the Azure Network troubleshooter, and it shows that traffic can be routed through the VPN channel but cannot be routed to the SD-WAN on-prem IP addresses. Is there something else we might need to set up to resolve this case? Any comments, guys?

Regards
Bruce

Azure Network Watcher
An Azure service that is used to monitor, diagnose, and gain insights into network performance and health.

1 answer

  1. risolis 8,701 Reputation points
    2022-08-02T02:52:41.207+00:00

    Hello @Behrouz Azarm

    Thank you for posting this!

    I would like to provide my possible observations here, as well as some questions, in order to get familiar with this case scenario.

    • Are the 2 different environments or compute resources in the same region/same subscription, or in different subscriptions?
    • Is this SD-WAN NVA FW hosted in a Virtual WAN environment?
    • Is this SD-WAN NVA FW hosted in a hub-and-spoke topology?

    -Let's suppose that you are using a hub-and-spoke topology... Are the spokes the 2 different environments stated before, and is the hub hosting the SD-WAN FW?

    -Let's suppose that you are using a hub-and-spoke topology... Did you configure your different environments' peerings as shown below?

    Configure the peering connection in the hub to allow gateway transit.
    Configure the peering connection in each spoke to use remote gateways.
    Configure all peering connections to allow forwarded traffic.

    -Let's suppose that you are using Virtual WAN... Did you set up the IPsec VPNs against the Virtual WAN hub?

    -Let's suppose that you are using Virtual WAN... Did you configure the hub routing preference feature?

    -Are you using UDR tables (User Defined Routes) or the normal IP table (system routes, default behavior)?

    -Do the compute resources have IP overlapping issues?

    -Are you using BGP in your scenario?

    -Any network security groups?

    -Any inter- or intra-zone security rule configured to permit traffic between security zones?

    Hope that info will be helpful to overcome this.

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
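The peering and routing checklist in the answer above, written out as an added PowerShell (Az module) example; this is not code from the original thread or from the asker's environment. Every resource name, address prefix and IP below is an assumption chosen for illustration: the hub VNet `vnet-hub` hosts the SD-WAN NVA (NIC `nic-nva`, private IP `10.0.1.4`) and the VPN gateway; `vnet-spoke` is a peered spoke; the on-prem space behind the SD-WAN is `172.16.0.0/12`; the site-to-site VPN to the second tenancy is assumed to be non-BGP, so the on-prem prefix also has to be listed on the second tenancy's local network gateway. The UDR on `GatewaySubnet` is the piece most often missed: without it, traffic arriving from the VPN for `172.16.0.0/12` follows system routes and never reaches the NVA.

```powershell
# Added example (Az PowerShell). All names, prefixes and IPs are assumptions.
$rg       = 'rg-sdwan'
$location = 'australiaeast'
$hubVnet  = 'vnet-hub'
$spokeVnet = 'vnet-spoke'
$nvaNic   = 'nic-nva'
$nvaIp    = '10.0.1.4'            # private IP of the SD-WAN CPE / NVA in the hub
$onPremPrefix = '172.16.0.0/12'   # IP space reachable only through the SD-WAN

# 1) Hub-side peering: allow gateway transit and forwarded traffic.
$hubPeer = Get-AzVirtualNetworkPeering -ResourceGroupName $rg `
    -VirtualNetworkName $hubVnet -Name 'hub-to-spoke'
$hubPeer.AllowGatewayTransit   = $true
$hubPeer.AllowForwardedTraffic = $true
Set-AzVirtualNetworkPeering -VirtualNetworkPeering $hubPeer | Out-Null

# 2) Spoke-side peering: use the hub's gateway and accept forwarded traffic.
$spokePeer = Get-AzVirtualNetworkPeering -ResourceGroupName $rg `
    -VirtualNetworkName $spokeVnet -Name 'spoke-to-hub'
$spokePeer.UseRemoteGateways     = $true
$spokePeer.AllowForwardedTraffic = $true
Set-AzVirtualNetworkPeering -VirtualNetworkPeering $spokePeer | Out-Null

# 3) The NVA must be allowed to forward packets not addressed to itself.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nvaNic
$nic.EnableIPForwarding = $true
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# 4) UDR: send the on-prem prefix to the NVA. BGP propagation is left on so
#    routes the VPN gateway learns still reach the subnet.
$rt = New-AzRouteTable -Name 'rt-to-sdwan' -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -Name 'onprem-via-nva' -AddressPrefix $onPremPrefix `
    -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp -RouteTable $rt | Out-Null
Set-AzRouteTable -RouteTable $rt | Out-Null

# 5) Associate the route table with GatewaySubnet (traffic entering from the
#    S2S VPN) and with the spoke workload subnet. Never associate it with the
#    NVA's own subnet, or the NVA would loop its own forwarded packets.
$hub = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $hubVnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $hub -Name 'GatewaySubnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $hub -Name 'GatewaySubnet' `
    -AddressPrefix $gwSubnet.AddressPrefix -RouteTable $rt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $hub | Out-Null

$spoke = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $spokeVnet
$wl = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $spoke -Name 'snet-workload'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $spoke -Name 'snet-workload' `
    -AddressPrefix $wl.AddressPrefix -RouteTable $rt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $spoke | Out-Null

# 6) Non-BGP S2S only: the second tenancy's local network gateway must list the
#    on-prem prefix, or its gateway has no route for it. Run this in the second
#    tenancy's subscription context; names are assumptions.
$lng = Get-AzLocalNetworkGateway -ResourceGroupName 'rg-tenant2' -Name 'lng-to-hub'
$prefixes = @($lng.LocalNetworkAddressSpace.AddressPrefixes) + $onPremPrefix | Select-Object -Unique
Set-AzLocalNetworkGateway -LocalNetworkGateway $lng -AddressPrefix $prefixes | Out-Null

# 7) Verify: the effective route for the on-prem prefix on a spoke VM NIC should
#    show NextHopType VirtualAppliance with the NVA IP, not "None".
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName 'nic-spoke-vm01' |
    Where-Object { $_.AddressPrefix -contains $onPremPrefix } |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress -AutoSize
```

Run step 7 against a NIC in the spoke and against the NVA NIC as well: if the VPN-side subnet still shows `NextHopType None` for the on-prem prefix, the route table is not associated with `GatewaySubnet`. Also confirm that the NVA itself has a return route for the second tenancy's address space, and that no NSG on the NVA subnet drops traffic whose source is outside the VNet.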