gateway transit and p2s vpn tunnel

containers 2 go 2 21 Reputation points
2022-09-29T19:33:30.69+00:00

Basic question about where point-to-site VPN tunnels terminate when using a hub-spoke vNet peering model with the VPN gateway in the hub vNet. Does the end-user P2S tunnel terminate in the region where the hub vNet and VPN gateway exist, or can the user's P2S tunnel terminate in the spoke region where we have a vNet peered to the hub?

The reason I ask is latency. Assume the hub is in EastUS (along with the VPN gateway) and the spoke is in the India region. I would like to peer the vNets in India and EastUS so we only have one VPN gateway, but I am hoping the India user's tunnel is terminated in the India region where the spoke vNet is located.

--------------------------------------

From Microsoft documentation:

In hub-and-spoke network architecture, gateway transit allows spoke virtual networks to share the VPN gateway in the hub, instead of deploying VPN gateways in every spoke virtual network.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit


Accepted answer
  1. KapilAnanth-MSFT 48,486 Reputation points Microsoft Employee
    2022-09-30T12:43:17.11+00:00

    Hi @containers 2 go 2 ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you would like to understand more about VPN gateway and Transit Routing for P2S users.

    When you have a VPN gateway in EastUS region, every P2S Tunnel will originate at Client laptop and terminate at EastUS only.
    So, for a client in India, to reach a peered Vnet in India,

    • First traffic will go via the P2S tunnel till the EastUS gateway.
    • Then it will use the Azure backbone (peering) to reach the resource in India region.
    • This is by design and we cannot modify this behavior.
    • This would add a considerable latency for users in India.

    To address your queries,

    1) Can you peer two vNets when each vNet has VPN gateway?

    • Yes, you can.
    • However, you cannot enable Transit routing with this.
    • So, I do not think this would help your scenario.

    2) When using hub spoke with vnet peering and gateway transit, where is end user p2s vpn tunnel terminated when user is in spoke region? any way to control this?

    • The P2S tunnel always terminates at the hub region.
    • This is expected behavior and we cannot modify this.

    I hope this clarifies your queries. Let me know should you have any follow-up questions on this.

    Cheers,
    Kapil
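
As an added example (not part of this thread, and not code from Microsoft), the following Python script turns the accepted answer's reasoning into an offline sanity check over a topology export. It verifies that each spoke can actually use the hub gateway (exactly one gateway, `allowGatewayTransit` on the hub-side peering, `useRemoteGateways` on the spoke-side peering, both sides `Connected`), reports that every P2S tunnel terminates in the gateway's own region and flags spokes whose traffic therefore crosses regions, and checks that the P2S client address pool does not overlap any vNet address space. The JSON layout, the `hasGateway` field and all names, regions and prefixes are constructed for the example; they are not a real Azure export.

```python
"""Offline sanity check for a hub-and-spoke gateway-transit layout (added example)."""
import json
from typing import Optional
from ipaddress import ip_network

# Constructed sample topology. Peering field names follow the Azure peering resource
# (allowGatewayTransit, useRemoteGateways, peeringState); the overall layout and the
# hasGateway flag are assumptions for this example, not an Azure export format.
TOPOLOGY_JSON = """
{
  "vnets": [
    {"name": "hub-eastus", "location": "eastus", "addressSpace": ["10.1.0.0/16"],
     "hasGateway": true,
     "peerings": [{"remoteVirtualNetwork": "spoke-india", "peeringState": "Connected",
                   "allowGatewayTransit": true, "useRemoteGateways": false}]},
    {"name": "spoke-india", "location": "centralindia", "addressSpace": ["10.2.0.0/16"],
     "hasGateway": false,
     "peerings": [{"remoteVirtualNetwork": "hub-eastus", "peeringState": "Connected",
                   "allowGatewayTransit": false, "useRemoteGateways": true}]}
  ],
  "gateway": {"name": "hub-vpngw", "location": "eastus", "vnet": "hub-eastus",
              "vpnClientAddressPool": ["172.16.0.0/24"]}
}
"""


def load_topology(text: str) -> dict:
    return json.loads(text)


def _peering(vnet: dict, remote: str) -> Optional[dict]:
    """Find the peering on `vnet` that points at the vNet named `remote`."""
    for p in vnet["peerings"]:
        if p["remoteVirtualNetwork"] == remote:
            return p
    return None


def check_gateway_transit(topo: dict) -> list:
    """Return findings; an empty list means every spoke can use the hub gateway."""
    findings = []
    gw = topo["gateway"]
    vnets = {v["name"]: v for v in topo["vnets"]}
    hub = vnets[gw["vnet"]]
    for spoke in topo["vnets"]:
        if spoke["name"] == hub["name"]:
            continue
        if spoke["hasGateway"]:
            # Accepted answer, point 1: two gateway-equipped vNets can peer,
            # but a vNet with its own gateway cannot also use the remote one.
            findings.append(f"{spoke['name']}: has its own gateway, cannot use remote gateways")
            continue
        hub_side = _peering(hub, spoke["name"])
        spoke_side = _peering(spoke, hub["name"])
        if hub_side is None or spoke_side is None:
            findings.append(f"{spoke['name']}: peering is not defined on both sides")
            continue
        for side, p in (("hub", hub_side), ("spoke", spoke_side)):
            if p["peeringState"] != "Connected":
                findings.append(f"{spoke['name']}: {side}-side peering is {p['peeringState']}")
        if not hub_side["allowGatewayTransit"]:
            findings.append(f"{spoke['name']}: hub-side peering lacks allowGatewayTransit")
        if not spoke_side["useRemoteGateways"]:
            findings.append(f"{spoke['name']}: spoke-side peering lacks useRemoteGateways")
    return findings


def p2s_termination(topo: dict) -> dict:
    """Accepted answer, point 2: a P2S tunnel always terminates in the gateway's region,
    so spoke traffic for a spoke in another region hairpins across regions."""
    gw = topo["gateway"]
    return {
        v["name"]: {
            "tunnel_terminates_in": gw["location"],
            "hairpins_across_regions": v["location"] != gw["location"],
        }
        for v in topo["vnets"] if v["name"] != gw["vnet"]
    }


def client_pool_overlaps(topo: dict) -> list:
    """The client pool must not overlap any vNet address space, or return traffic
    is delivered inside the vNet instead of back down the tunnel."""
    pools = [ip_network(p) for p in topo["gateway"]["vpnClientAddressPool"]]
    overlaps = []
    for v in topo["vnets"]:
        for space in v["addressSpace"]:
            for pool in pools:
                if ip_network(space).overlaps(pool):
                    overlaps.append(f"{v['name']}: {space} overlaps client pool {pool}")
    return overlaps


def run_checks(text: str) -> dict:
    topo = load_topology(text)
    return {
        "transit_findings": check_gateway_transit(topo),
        "pool_overlaps": client_pool_overlaps(topo),
        "p2s": p2s_termination(topo),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(TOPOLOGY_JSON), indent=2))
```

For the sample above the checks pass, and the report shows `spoke-india` with `tunnel_terminates_in: eastus` and `hairpins_across_regions: true`, which is the latency the question is about; giving the spoke its own gateway instead produces a transit finding, matching the accepted answer's point that the two options are mutually exclusive.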


2 additional answers

  1. Jackson Martins 10,566 Reputation points MVP
    2022-09-29T22:51:08.193+00:00

    @containers 2 go 2
    If I understand correctly, you want the P2S VPN that connects in India to not communicate with East US, right?
    You can control this with a static route on P2S and remove the route to the East US network.

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes

    I wrote an article (in Portuguese) showing how to control routes on client VPN
    https://4future.com.br/index.php/2022/08/18/bloqueando-acesso-internet-pelo-client-vpn-azure-point-to-site-p2s/

    Get in touch if you need more help with this issue.

    --please don't forget to "[Accept the answer]" if the reply is helpful--


  2. containers 2 go 2 21 Reputation points
    2022-09-30T11:23:20.83+00:00

    I really appreciate the response and the link to your excellent article. It doesn't exactly address my question.

    Say all resources are in EastUS. No resources are in India.

    I want to use P2S to provide India-located users VPN access to resources in EastUS Azure.
    I also want to save on the latency of establishing that VPN connection from India users back to the VPN gateway on the hub vNet in EastUS.

    I am considering two approaches:

    1. Use vNet peering with gateway transit. Single VPN gateway on the hub EastUS vNet, which is peered with a vNet located in the India region. I understand the India user can utilize the VPN gateway on the EastUS vNet. I assume his tunnel is terminated in the EastUS region. This means there will be significant latency associated with the VPN connection. I wasn't sure if the EastUS VPN gateway, when on a vNet which is peered with a vNet in another region, allowed the India user's P2S VPN to be terminated in India, solving the VPN latency issue, while then also providing a low-latency connection over the Azure backbone to resources on the EastUS vNet. Is there a way to have the end-user VPN tunnel terminate in India when using the VPN gateway in the EastUS hub?
    2. I could use a VPN gateway to do site-to-site from the India vNet to the EastUS vNet. This would definitely allow the India user to have a P2S connection to the India vNet, thus solving the latency problem. However, then the user is using site-to-site VPN from the India vNet to the EastUS vNet to access resources on the EastUS vNet. I also wasn't sure if you can peer two vNets when each vNet has a VPN gateway?

    So, I would really appreciate it if you or anyone could answer two questions:

    • Can you peer two vNets when each vNet has a VPN gateway?
    • When using hub-spoke with vNet peering and gateway transit, where is the end-user P2S VPN tunnel terminated when the user is in the spoke region? Is there any way to control this?
