Can I connect a virtual hub to a VNet with VPN Gateway?

Matthijs de Beer 61 Reputation points
2022-09-16T08:38:04.293+00:00

For my current assignment we are planning to migrate from a traditional hub/spoke model to VWAN. The current hub VNet contains a site-to-site VPN gateway which allows connectivity to on-prem.
Our plan is to create a VNet Connection between the current hub and the VWAN virtual hub, similar to the scenario explained on this docs page. This way, the spokes can be moved from the hub to the virtual hub and still be able to connect to on-premises via the VPN gateway in the hub VNet:

[Image: 241831-vwan-migratie-test-cases.png]

However, when I try to create the connection between the hub and the virtual hub, I get the following error:

Failed to add peering <peering resource id>. Error: HubVirtualNetworkConnection <connection resource id> cannot have AllowRemoteVnetToUseHubVnetGateways flag set to true, because remote virtual network <hub VNet resource id> already has a gateway <VPN gateway resource id> configured. Remove gateway from the remote virtual network and retry  

When creating the VNet connection, I don't have any option to set the AllowRemoteVnetToUseHubVnetGateways flag. From looking at the Microsoft Learn (link), I do see that this was an option in the past but that the property has been deprecated. So my question is: is it possible to connect a virtual hub to a VNet that already has a VPN gateway configured?


Accepted answer
  1. GitaraniSharma-MSFT 49,391 Reputation points Microsoft Employee
    2022-09-16T12:26:28.493+00:00

    Hello @Matthijs de Beer ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if it is possible to connect a vWAN virtual hub to a VNet with an existing VPN Gateway.

    It is not possible to create a VNet Connection between your current hub and the VWAN virtual hub, because in order to connect a VNet to a virtual hub, the remote virtual network can't have a gateway. In your case, there is a VPN gateway deployed in the hub VNet, so it cannot be connected to the virtual hub directly. This is by design.
    Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/howto-connect-vnet-hub

    However, it is possible to set up connectivity from an Azure VPN Gateway (virtual network gateway) to an Azure Virtual WAN (VPN gateway) using a site-to-site connection. Creating a connection from a VPN Gateway (virtual network gateway) to a Virtual WAN (VPN gateway) is similar to setting up connectivity to a virtual WAN from branch VPN sites.

    Below are the steps to connect a VPN Gateway (virtual network gateway) to a Virtual WAN using site-to-site VPN connection:

    • Create a Virtual WAN, if you don't have one.
    • Create a virtual hub containing the Virtual WAN VPN gateway, if it doesn't exist.
    • Configure your existing VNet VPN gateway to enable the active-active mode setting, as this is needed for the connection to work.
    • Then create two Virtual WAN VPN sites that correspond to the two IP addresses of the virtual network gateway you have in your VNet.
    • Next, connect both sites to your virtual hub using the steps in the following doc: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal#connectsites
    • Download the VPN configuration file for each of the sites that you created in the VWAN.
    • Then create two Azure VPN local network gateways using the configuration files downloaded from the previous step.
    • Create 2 connections between the VPN Gateway local network gateways and virtual network gateway. On the Configuration page, for BGP, select Enabled.
    • Then you can test connectivity between the two virtual machines (one on the side of the VPN Gateway/virtual network gateway, and one in a virtual network for the Virtual WAN) and you should be able to ping one VM from the other, unless there are any firewalls or other policies blocking the communication.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/connect-virtual-network-gateway-vwan
    https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal#hub
    https://learn.microsoft.com/en-us/azure/virtual-wan/howto-connect-vnet-hub

    Kindly let us know if the above helped or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

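The steps in the accepted answer can be checked before touching anything in the portal. The following pre-flight script is an added example, not code from Microsoft or from the question; it inspects the ARM JSON of the hub VNet and its virtual network gateway (the property names activeActive, enableBgp and ipConfigurations are from the Microsoft.Network schema, the sample resources themselves are constructed) and reports why a direct virtual hub connection is refused and which gateway settings the site-to-site workaround still needs.

```python
"""Pre-flight check: can this hub VNet be attached to a Virtual WAN hub
directly, or does it need the VPN-gateway-to-VWAN site-to-site path?"""

# Constructed sample: hub VNet whose GatewaySubnet is bound to a VPN gateway.
HUB_VNET = {
    "name": "hub-vnet",
    "properties": {"subnets": [
        {"name": "GatewaySubnet", "properties": {"ipConfigurations": [
            {"id": "/subscriptions/<sub>/resourceGroups/rg/providers/"
                   "Microsoft.Network/virtualNetworkGateways/hub-vpngw/"
                   "ipConfigurations/default"}]}},
        {"name": "workload", "properties": {}},
    ]},
}

# Constructed sample: the gateway as it would look before the workaround
# (single instance, so only one public IP; BGP already on).
HUB_VPN_GATEWAY = {
    "name": "hub-vpngw",
    "properties": {
        "activeActive": False,
        "enableBgp": True,
        "bgpSettings": {"asn": 65515},
        "ipConfigurations": [{"name": "default", "properties": {
            "publicIPAddress": {"id": "<pip-resource-id-1>"}}}],
    },
}


def vnet_has_gateway(vnet):
    """True when any subnet is used by a virtualNetworkGateway; this is
    exactly the condition that makes the hub connection fail."""
    for subnet in vnet["properties"]["subnets"]:
        for cfg in subnet.get("properties", {}).get("ipConfigurations", []):
            if "/virtualNetworkGateways/" in cfg.get("id", ""):
                return True
    return False


def plan_vwan_attachment(vnet, gateway):
    """Return the ordered actions needed, following the accepted answer."""
    if not vnet_has_gateway(vnet):
        return ["connect the VNet directly to the virtual hub"]
    props = gateway["properties"]
    actions = []
    if not props.get("activeActive"):
        actions.append("enable active-active mode on the VNet VPN gateway")
    if not props.get("enableBgp"):
        actions.append("enable BGP on the VNet VPN gateway")
    actions.append("create two VWAN VPN sites, one per gateway public IP")
    actions.append("create two local network gateways and two BGP-enabled connections")
    return actions
```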
