VPN and ER VNET Gateway Coexistence

Question

VPN and ER VNET Gateway Coexistence

Rice Wu 26

Hi
I have an existing S2S VPN w/o BGP between Azure Hub VNET and on-premise Paloalto. And I want to create an ER VNET gateway/connection with on-premise Paloalto and cutover the traffic from S2S VPN to ER in future. I'm wondering if I can keep the existing "no BGP" setting for S2S VPN connection? Or it has to be changed to BGP to coexist with ER connection?
Thanks.

Cheers,
Rice

Ravi Kanth Koppala 3,391 Reputation points Microsoft Employee Moderator

2022-12-19T03:25:35.887+00:00

@Rice Wu ,

It is possible to use a VPN connection with Azure ExpressRoute (ER) and keep the existing "no BGP" setting for the VPN connection. However, to make use of both connections at the same time, you will need to set up some form of traffic steering to ensure that traffic is routed over the desired connection.

One way to do this is to use the Azure Virtual WAN feature, which allows you to create a virtual network hub and connect it to multiple on-premises sites and Azure VNets using a variety of connection types, including S2S VPN and ER. You can then use routing rules to control which connection is used for different types of traffic.

Alternatively, you could use a software-defined WAN (SD-WAN) solution to manage traffic routing between the VPN and ER connections. Many SD-WAN vendors offer integration with Azure, allowing you to easily drive traffic routing between multiple connections.

In either case, it is important to carefully plan and test your traffic steering configuration to ensure that it is working as expected and to minimize the risk of disruptions to your network.

----------

Please "Accept as Answer" and Upvote if any of the above helped so that it can help others in the community looking for remediation for similar issues.
Rice Wu 26 Reputation points

2022-12-19T08:44:40.367+00:00

@Ravi Kanth Koppala Thanks for the reply. The only coexistence document I've seen is to use BGP on both Internet-based S2S VPN and ER connection. And by default, ER connection is preferred over S2S VPN if they both receive the same routes from on-premise. If I keep the no-BGP setting for the existing Internet-based S2S VPN, from on-premise firewall side, I can control the path selection by giving a higher AD to the static routes pointing at Internet S2S VPN connection compared with the BGP AD route received from ER connection, so that ER connection is preferred from on-premise side. HOWEVER, from Azure virtual network gateway side, is there a clear document saying the ER connection with BGP is "by default" preferred to the "non-BGP" S2S VPN connection?

Accepted answer

0 additional answers

Your answer

Ravi Kanth Koppala 3,391 Reputation points Microsoft Employee Moderator

2022-12-19T03:25:35.887+00:00

@Rice Wu ,

It is possible to use a VPN connection with Azure ExpressRoute (ER) and keep the existing "no BGP" setting for the VPN connection. However, to make use of both connections at the same time, you will need to set up some form of traffic steering to ensure that traffic is routed over the desired connection.

One way to do this is to use the Azure Virtual WAN feature, which allows you to create a virtual network hub and connect it to multiple on-premises sites and Azure VNets using a variety of connection types, including S2S VPN and ER. You can then use routing rules to control which connection is used for different types of traffic.

Alternatively, you could use a software-defined WAN (SD-WAN) solution to manage traffic routing between the VPN and ER connections. Many SD-WAN vendors offer integration with Azure, allowing you to easily drive traffic routing between multiple connections.

In either case, it is important to carefully plan and test your traffic steering configuration to ensure that it is working as expected and to minimize the risk of disruptions to your network.

----------

Please "Accept as Answer" and Upvote if any of the above helped so that it can help others in the community looking for remediation for similar issues.
Rice Wu 26 Reputation points

2022-12-19T08:44:40.367+00:00

@Ravi Kanth Koppala Thanks for the reply. The only coexistence document I've seen is to use BGP on both Internet-based S2S VPN and ER connection. And by default, ER connection is preferred over S2S VPN if they both receive the same routes from on-premise. If I keep the no-BGP setting for the existing Internet-based S2S VPN, from on-premise firewall side, I can control the path selection by giving a higher AD to the static routes pointing at Internet S2S VPN connection compared with the BGP AD route received from ER connection, so that ER connection is preferred from on-premise side. HOWEVER, from Azure virtual network gateway side, is there a clear document saying the ER connection with BGP is "by default" preferred to the "non-BGP" S2S VPN connection?

Answer 1

Hello @Rice Wu ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you have an existing S2S VPN without BGP between your Azure VNET and on-premises and you would like to create an ExpressRoute VNET gateway/connection with on-premises and cutover the traffic from S2S VPN to ER in future. And you would like to know if you can keep the existing "no BGP" setting for S2S VPN connection or change it to use BGP to coexist with ExpressRoute connection.

You can setup VPN and ExpressRoute coexistence scenario with both "BGP" and "no BGP" setting for S2S VPN connection.
In both the cases, ExpressRoute will be preferred over Site-to-Site VPN when both routes are the same. However, if specific routes are added in the Local Network Gateway of the VPN, then Azure will use the longest prefix match to choose the route towards the packet's destination as per Azure's default route selection algorithm.
Refer : https://learn.microsoft.com/en-us/azure/expressroute/how-to-configure-coexisting-gateway-portal#configure-a-site-to-site-vpn-as-a-failover-path-for-expressroute
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#how-azure-selects-a-route

It is not mandatory to use VPN with BGP in a co-existence setup. You can use BGP if needed.
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#can-i-use-bgp-for-s2s-vpn-in-an-azure-expressroute-and-s2s-vpn-coexistence-configuration

The benefits of using VPN with BGP in a co-existence setup are below:

Easy management of the routes between VPN and ExR.
You can configure AS path prepending to influence routing decisions between VPN and ExpressRoute.
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#does-azure-vpn-gateway-honor-as-path-prepending-to-influence-routing-decisions-between-multiple-connections-to-my-on-premises-sites
You can enable transit routing between ExpressRoute and Azure VPN by setting up Azure Route Server.
Refer : https://learn.microsoft.com/en-us/azure/expressroute/how-to-configure-coexisting-gateway-portal#to-enable-transit-routing-between-expressroute-and-azure-vpn

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Rice Wu 26 Reputation points

2022-12-20T20:45:03.93+00:00

@GitaraniSharma-MSFT Awesome! Thanks for the confirmation!

Share via

VPN and ER VNET Gateway Coexistence

0 additional answers

Your answer