already has UseRemoteGateways flag set to true

Question

already has UseRemoteGateways flag set to true

APTOS 221

Hello ,

this is my topology :

i have 3vnets

vnet A : is located in west europe
vnet B : is located in north europe with a virtual network gateway B
vnet C : is located in west india and with a virtual network gateway C

site to site connection between B and Onpremise Office B throught network gateway B
site to site connection between C and Onpremise Office C throught network gateway C

vnet A peered with vnet B with use remote gateways is enabled ==> so , ressources can connect from vnet A and Office B network and vice versa

i want do the same between vnet A adn Vnet C, but i have gotten this error when i try do peering as before with remote gateways is enabled

My Goal is ressources in vnet A can connect to Office C Network and vice versa

i got this error when i do peering between vnet A and vnet C with use remote gateways is enable

Failed to save virtual network peering 'vnetA_vnetC'. Error: Peering VNET_ _Peering cannot have UseRemoteGateways flag set to true, because another peering /subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Network/virtualNetworks/VNET_xx/virtualNetworkPeerings/**VnetA_VnetB Peering **already has UseRemoteGateways flag set to true****.

So , when i tried to create the peering between vnet A and vnet C without remote gateways (disabled) .i can create the peering but the problem i can't connect from vnet A to Office C network

Please advice !!

Regards

Accepted answer

1 additional answer

Your answer

Answer 1

GitaraniSharma-MSFT 50,096 Microsoft Employee Moderator

Hello @APTOS ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you have a working Vnet peering between Vnet A and Vnet B with gateway transit option enabled and now when you are trying to configure Vnet peering between Vnet A and Vnet C with gateway transit option, it is failing with following error "Error: Peering VNET_ _Peering cannot have UseRemoteGateways flag set to true, because another peering already has UseRemoteGateways flag set to true".

Per design and as described in our official doc, each virtual network, including a peered virtual network, can have its own gateway. However, when you configure the gateway in the peered virtual network as a transit point to an on-premises network, the virtual network that is using a remote gateway can't have its own gateway. A virtual network could have only one gateway, the gateway should be either local or remote gateway in the peered virtual network.
Refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#gateways-and-on-premises-connectivity

Below is your current setup and limitation:

Vnet A <---peering with remote gateway enabled---> Vnet B (S2S to on-prem)

The above peering implies that Vnet B has a local VPN gateway and Vnet A now has a remote VPN gateway.
Since Vnet A already has a remote gateway i.e. the VPN gateway of Vnet B, it cannot have another remote gateway (in your case, that would be the VPN gateway of Vnet C). Hence, you won't be able to peer Vnet A with Vnet C using the remote gateway option.

In a Hub and spoke architecture, the hub virtual network acts as a central point of connectivity to many spoke virtual networks. You can enable cross-premises scenarios by using the hub to connect to your on-premises networks and the spoke virtual networks peer with the hub.
Refer: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/hub-spoke-network-topology

But in your case, there are 2 hub Vnets and 1 spoke Vnet, which will not work for on-premise transit connectivity.

So, to get your setup to work, you would need to make the below changes:

Add both the on-premises sites to a single VPN gateway in one of the Vnets and make it a hub Vnet.
Remove the other VPN gateway
Peer the 2 Vnets (without any VPN gateways) to the hub Vnet as spokes with remote gateway option enabled.

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

APTOS 221 Reputation points

2023-01-03T15:18:07.803+00:00

hello @GitaraniSharma-MSFT

i appreciate your answer. I thank you

So do you confirm that should design my network as below ?

My issue with this topology is network location

for example a user in Office C (India) to connect to ressource invNet C ( west india ) , should go across vNet A ( Hub in this case ,is located in west europe ) ==> Network Latency / Bad bandwith optimization !

what do you think ?

for my case should create vWAN ? or just vNet hub do the necessary ?
msrini-MSFT 9,291 Reputation points Microsoft Employee

2023-01-03T15:46:05.877+00:00

When you create a hub and spoke model, all the traffic will flow via Hub VNET. So place your hub in a optimized location and have a S2S with the On-Premises.

Place your VNET B, C in the same location as that of VNET A to minimize the network latency.

Regards,
Karthik Srinivas
APTOS 221 Reputation points

2023-01-03T15:50:40.68+00:00

Thanks @msrini-MSFT

i can't place all my vnets in the same location .i have to find the best way for my case with the given locations!

I hope find more suggestions
APTOS 221 Reputation points

2023-01-04T08:09:03.387+00:00

hello ,

any ideas ?

Regards
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-01-04T09:09:21.007+00:00
Hello @APTOS ,

Apologies for the delay in response.

Yes, you should design your network as per the image you shared.

If this network topology is not suitable for you due to the network location/latency and you cannot move the other Vnets to any other region, then you have 3 options:

Use Virtual WAN (Standard type) for Inter-hub and VNet-to-VNet transiting through the virtual hub features.

Add another VPN gateway in Vnet A and disable all the Vnet peerings. Instead create site-to-site (IPsec) connections between the VPN gateways.
Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#site-to-site-ipsec
The local network gateway for each VNet treats the other VNet as a local site. When you configure Site to Site VPN connection between the 2 Vnets, you have to create Local Network Gateway on both the sides.

Add another VPN gateway in Vnet A and disable all the Vnet peerings. Instead create Vnet-to-Vnet connections between the VPN gateways and enable BGP on all V2V and S2S connections for transit routing between your on-premises networks and multiple Azure VNets.
Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview#transitrouting
https://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-howto#part-3-configure-bgp-on-vnet-to-vnet-connections

Regards,
Gita
APTOS 221 Reputation points

2023-01-04T13:01:40.17+00:00

Hello @GitaraniSharma-MSFT

Thanks .i will choose the second option in this case .could you confim

so Office C ----------S2S------------vnetC-------------S2S---------vnetA if applied ( means user in office C can connect to vnet A and vice versa )

could you confirm please ?
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-01-05T05:08:20.16+00:00
Hello @APTOS ,

Yes, if you apply the following setup Office C<------>S2S<------>VnetC<------>S2S<------>VnetA, user in office C can connect to Vnet A and vice versa.

But there are some configurations that you need to add manually for the above to work.

Create VPN gateway in Vnet A

Create and configure the local network gateways manually on both Vnet sides (Vnet A & Vnet C) as below:

LNG of Vnet A should have address space for both Vnet C and on-prem office C

LNG of Vnet C should have address space for Vnet A

Create Site to Site (IPSec) connection between the 2 Vnets.

Then go to the VPN device of Office C and add address space of Vnet A

The above config will make sure that office C has a route to Vnet A and Vnet A has a route to Office C.

Similarily, you have to make changes between Vnet A and Vnet B after removing the existing Vnet peering.
VnetA<------>S2S<------>Vnet B<------>S2S<------>Office B

The whole end setup will look like the below:

Office C<------>S2S<------>VnetC<------>S2S<------>VnetA<------>S2S<------>Vnet B<------>S2S<------>Office B

Regards,
Gita
APTOS 221 Reputation points

2023-01-05T13:07:06.77+00:00

Hi @GitaraniSharma-MSFT

i have tested this solution and it's worked .thank you
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-01-05T13:13:46.517+00:00

Hello @APTOS ,

Happy to help!

Glad to hear that the provided solution worked for you.

Regards,
Gita
Timothy Johnston 0 Reputation points

2023-05-18T18:10:53.4166667+00:00

Azure networking is very.... very bad

Answer 2

msrini-MSFT 9,291 Microsoft Employee

Hi,

You can connect vnet A with either vnet B or C with the remote gateway flag.

You will need to come up with Hub and spoke architecture where you will have single vnet which connects to On premises and all spokes can connect to hib with use remote gateway flag.

Regards,
Karthik Srinivas

Share via

already has UseRemoteGateways flag set to true

1 additional answer

Your answer