I have functioning ER private peering. Want to have VPN over ER with private IPs. I understand that i need a virtual network gateway of type VPN in the same gateway subnet with private IP option enabled. 1- The documentation does not say anything about Local network gateway ? 2- and BGP is supposed to be disabled in this configuration ? https://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-vpn-private-peering#traffic-from-azure-to-on-premises-networks @SaiKishor-MSFT

Hi @Mateen Baig , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I understand that you would like to understand few details about Site-to-Site VPN connection over ExpressRoute Private Peering. 1 . The documentation does not say anything about Local network gateway? LNG is required for this configuration to define the IP of the OnPrem side Router/Firewall However, in the OnPrem Device IP (LNG IP) , you will be using the Private IP of the Router/Firewall 2 . BGP is supposed to be disabled in this configuration? No. Nothing like that. In fact, it is recommended to use BGP here as well, just make sure a more specific range is advertised over this S2S Tunnel so traffic does not prefer ExpressRoute. Refer: 1 . Traffic from on-premises networks to Azure 2 . Traffic from Azure to on-premises networks Thanks, Kapil ---------------------------------------------------------------------------------------------------------------- Please don’t forget to close the thread by clicking " Accept the answer " wherever the information provided helps you, as this can be beneficial to other community members.

I have configured two VPN connections over expressroute private peering with private IPs using BGP. VPN connection : From routers 1 loopback1 & router 2 loopback 2 to Azure VPN gateway private IP X.X.X.6. BGP: From routers 1 loopback1 & router 2 loopback 2 to Azure VPN gateway BGP peer IP X.X.X.62. BGP is configured making router 2 backup using BGP as-path. Expressroute interfaces are in its own VRF only allowing only VPN traffic through. more specific routes are advertised on though VPN. Failover from router 1 to 2 and back works fine with express route. Failover works fine with Express route and a VPN connection. Failover works fine with Express route redundant connections also. There is data loss when redundant VPNs are connected Issue is that when both the VPN are connected there is packet loss from Azure to on-prem. It looks like some traffic is sent on backup tunnel event tough BGP as-path is configured. @KapilAnanth-MSFT any suggestions ?

IPsec vpn over express route

Accepted answer

KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee

2022-12-09T05:52:39.103+00:00
Hi @Mateen Baig ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to understand few details about Site-to-Site VPN connection over ExpressRoute Private Peering.

1 . The documentation does not say anything about Local network gateway?

LNG is required for this configuration to define the IP of the OnPrem side Router/Firewall

However, in the OnPrem Device IP (LNG IP) , you will be using the Private IP of the Router/Firewall

2 . BGP is supposed to be disabled in this configuration?

No. Nothing like that.

In fact, it is recommended to use BGP here as well, just make sure a more specific range is advertised over this S2S Tunnel so traffic does not prefer ExpressRoute.

Refer:
1 . Traffic from on-premises networks to Azure

2 . Traffic from Azure to on-premises networks

Thanks,
Kapil

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.
Mateen Baig 71 Reputation points

2022-12-09T11:14:37.537+00:00

Thankyou for response. Then the screenshot in https://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-vpn-private-peering#traffic-from-azure-to-on-premises-networks is a bit confusing where BGP is set to disabled?

1- VPN BGP would be established between tunnel ip in vpn configuratoin in on-prem device and private ip which pops up in Azure LNG ?
2- I understand how to advertise routes from on-prem to Azure but how do i advertise from Azure side express route circuit? it seems that all vnets are advertised automatically to on-prem express route bgp neighbour.

KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee

2022-12-09T12:45:46.053+00:00

Hi @Mateen Baig ,

Yes, the default documentation appears to be using BGP static routing instead of BGP.

If you would require more information on how to configure BGP on a VPN Gateway,
Refer: How to configure BGP on Azure VPN Gateways

1- VPN BGP would be established between tunnel ip in vpn configuratoin in on-prem device and private ip which pops up in Azure LNG ?

I didn't understand this statement

S2S Tunnel would be established between Private IP of the VPN Gateway and the private IP of your OnPrem Firewall

BGP session would be established between the Azure BGP Peer IP Address (for Azure side) and a BGP IP which you configure on your Firewall.

You have to update this IP in the LNG so Azure knows what BGP IP it should establish a Tunnel with

On the Gateway

On the LNG. This should be defined by you in your Firewall

2 . I understand how to advertise routes from on-prem to Azure but how do i advertise from Azure side express route circuit? it seems that all vnets are advertised automatically to on-prem express route bgp neighbour.

You cannot influence BGP routing from Azure End.

What is required here is that you have to configure the OnPrem Router/Firewall to make sure it always prefers Azure VPN Path over the Azure ExpressRoute Path

I hope this makes it clear.

Cheers,
Kapil

Mateen Baig 71 Reputation points

2022-12-30T13:00:07.597+00:00

I have VPN over expressroute private peering running with one VPN tunnel from primary router. How do i configure VPN redundancy ? I have two onprem routers connected to service provider for express route. If primary router is down my backup router will take over with express route without VPN.
Documentation says to create one local network gateway for each on-prem device and one connection to each local network gateway.
1- Can this documentation be used for VPN over ER with private IPs ?
2- It says traffic will be forwarded to these tunnels simultaneously and use ECMP. How will it work incase i only want traffic to flow to backup router when primary is down ?

KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee

2023-01-02T03:23:40.697+00:00

Hi @Mateen Baig ,

1- Can this documentation be used for VPN over ER with private IPs ?
Yes, you can use VPN Redundancy using private IPs as well.

2- It says traffic will be forwarded to these tunnels simultaneously and use ECMP. How will it work incase i only want traffic to flow to backup router when primary is down?

Technically, when Primary is down, the entire BGP in that tunnel will be down.

Which means, no routes will be advertised over the tunnel and as a result, no traffic will flow through this particular tunnel

If you would like to prefer one tunnel over the other, while both of them are up, you should configure your OnPrem device to prioritize that particular tunnel.

You can achive the same from Azure side by using AS Path prepending or advertising a shorter range (more specific address space).

Cheers,
Kapil

----------------------------------------------------------------------------------------------------------------

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Mateen Baig 71 Reputation points

2023-03-20T12:15:24.1933333+00:00

Thankyou for reply. One more thing i am not able to understand. I have vpn 01 and vpn 02 connected over expressroute. vpn 02 is connected through backup router with as path prepend. Both VPNs are using same VPN gateway private IP. I see VPN GW's same public IP address in the effective routing tables. Traffic from the resources in the VNet is sent to public IP of the VPN gateway and then it is sent to next hop with better path in the BGP routing table ? How can i make sure that no traffic is sent to backup tunnel because some of the resources are having packet drops. f.eks event hub sending logs to on-prem destination.

KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee

2023-03-23T12:53:31.34+00:00

Hi @Mateen Baig ,

Wrt,

1.I see VPN GW's same public IP address in the effective routing tables.

This is expected.

2.Traffic from the resources in the VNet is sent to public IP of the VPN gateway and then it is sent to next hop with better path in the BGP routing table

Not exactly. Traffic from the resources in the VNet is sent to the VPN gateway, but not via Public IP. This makes use of the VNet and the traffic is entirely private.

The Public IP is listed to identify the VPN Gateway to which the traffic is supposed to go.

And then traffic goes to the tunnel with a more narrow prefix and a shorter AS Path

3.How can i make sure that no traffic is sent to backup tunnel

Azure respects BGP Path prepending and traffic is sent via the tunnel with shorter AS Path.

Currently, we cannot test which particular Tunnel the traffic is going, atleast from Portal side directly.

The best way is to run a packet capture on both the tunnels and make sure traffic is actually passing through preferred tunnel

Packet Capture

The above can be done either at Azure End or from OnPrem VPN devices.

From Azure end, you can https://learn.microsoft.com/en-us/azure/vpn-gateway/packet-capture

Make sure you go to the Connection object and start the Packet capture

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

Mateen Baig 71 Reputation points

2023-03-24T19:08:13.35+00:00

i was missing this part "traffic goes to the tunnel with a more narrow prefix" .it is working as intended,
Sign in to comment

IPsec vpn over express route

1 additional answer