Azure ExpressRoute & S2S VPN - Coexistence & Components

Question

Hi everyone,

I had another thread open with a similar context but it got a bit lengthy as someone else posted on it :). Is it supported and a best practice to allow an ExpressRoute Virtual Network Gateway (VNG) and a VPN based VNG on the same, default subnet "GatewaySubnet"? This VNet subnet would have the same Azure route table as well. Or is this not the way to do it?

The idea would be that I'd have both an ExpressRoute and S2S VPN connected to Azure via hub network via (2) separate Virtual Network Gateways, and then follow this path for traffic - ER/S2SVPN Gateway in hub vnet > UDRs pointing to IP of Azure Firewall (in hub vnet) for all spoke vnet traffic. And then the reverse routing path would be true for any resources that need to connect to on-premise from Azure. Does this make sense? The ExpressRoute and S2S VPN might utilize BGP but I've read mix things about the requirement to getting BGP working with Azure with an Azure Firewall in the architecture. Thank you!

Answer 1

Hi @mr58 ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are interested in using ExpressRoute-VPN Co-existence along with Azure Firewall.

Your requirement is documented here :
https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
This will work with both ExpressRoute and VPN Gateway

You have to use a combination of both BGP and UDR to achieve this.

Please let us know should there be any follow-up queries on this.

Cheers,
Kapil.

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.