Azure Network Advanced Solution

Question

Azure Network Advanced Solution

René Braga 0

Hello There, is someone that already redirected the traffic coming by VPN Ipsec to another side by ExpressRoute

The Flow IS ( On-Prem1) <IPSEC>(Azure)<ExpressRoute>(On-prem2)

The traffic From On-Prem1 to Azure Works Fine , and the traffic from Azure to On-prem2 also works,, the last needed solution is the traffic from On-prem1 to OnPrem2 By Azure

thanks in advanced any help

Konstantinos Passadis 19,681 Reputation points MVP

2023-05-29T19:03:06.0833333+00:00

Hello @René Braga !

Welcome to Microsoft QnA!

I understand you need On Premises Nets to reach each other via Azure

You have managed to do this from one side

We have no feedback on the Configuration so we can only make suggestions

If the ip addresses between OnPrem1 and OnPrem2 are overlapping you need NAT implementation

https://learn.microsoft.com/en-us/azure/nat-gateway/nat-gateway-resource

Verify your routing configuration

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

are the routes correctly advertised ?

Is there any NSG or Firewall blocking traffic ?

You can use Netwotk Watcher

https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics

Please send us some feedback !

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards
GitaraniSharma-MSFT 50,176 Reputation points Microsoft Employee Moderator

2023-05-30T07:54:55.7633333+00:00

Hello @René Braga ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I believe the question was posted before you could add all the details. Could you please add all the details?

Could you please also complete the flow you've mentioned above?

Regards,

Gita
GitaraniSharma-MSFT 50,176 Reputation points Microsoft Employee Moderator

2023-05-31T14:19:34.3433333+00:00

Hello @René Braga , Could you please provide an update on this post?
TP 145.2K Reputation points Volunteer Moderator

2023-05-31T14:29:08.8233333+00:00

@René Braga I've restored previous version of your question before text was truncated by a moderator. Please review and make any edits as you see fit. Thank you.
René Braga 0 Reputation points

2023-05-31T14:40:20.8833333+00:00

Hello @Konstantinos Passadis

Thanks for your comments

"If the ip addresses between OnPrem1 and OnPrem2 are overlapping you need NAT implementation"

No the networks Ips are not overlapping

"are the routes correctly advertised ? "

The routes are advertised, cause we can reach on-prem2 by azure.

"Is there any NSG or Firewall blocking traffic ?"

Nothing is bloking this traffic.

but the firewall manager at on-prem2, just informed that the routed from on-prem1 are not advertised on On-prem2 BGP.

in the last tests ,, I've trying to create a routetable , but not working yet.

thanks for all help
KapilAnanth 49,846 Reputation points Moderator

2023-06-01T04:47:01.96+00:00
@René Braga

For this configuration to work, you will be required to enable BGP in the,

VPN Connection between OnPrem1 and Azure VPN Gateway

Can you confirm this is done?

Azure ExpressRoute to OnPrem2 (But this should be already enabled)

And, also, there are other requirements,

If you want to use transit routing between ExpressRoute and VPN, the ASN of Azure VPN Gateway must be set to 65515 and Azure Route Server should be used.

For ExpressRoute and Azure VPN to work together, you must keep the Autonomous System Number of your Azure VPN gateway at its default value, 65515

Refer : Azure Route Server support for ExpressRoute and Azure VPN

Cheers,

Kapil
René Braga 0 Reputation points

2023-06-01T11:19:06.79+00:00

@KapilAnanth

Thanks for your points , I'm going to review the configuration in the next hours and replay you back, now we are using the Azure VWAN to redirect the traffic, but with no success, then I will replace the VWAN by a Azure Route Server

Thanks
KapilAnanth 49,846 Reputation points Moderator

2023-06-01T11:47:21.48+00:00

@René Braga

With Azure vWAN, you can do this directly.

No need for Azure Route server, but BGP would be required.

Consider the scenario : Any-to-Any,

Make sure you enable Branch-to-Branch in vWAN's configuration blade.

Refer: Is branch-to-branch connectivity allowed in Virtual WAN?
René Braga 0 Reputation points

2023-06-01T12:05:24.3466667+00:00
@KapilAnanth

VPN Connection between OnPrem1 and Azure VPN Gateway

Can you confirm this is done? Yes (y)

Azure ExpressRoute to OnPrem2 (But this should be already enabled)

Yes
KapilAnanth 49,846 Reputation points Moderator

2023-06-05T05:50:18.9233333+00:00

@René Braga

If that's the case, please make you have enabled Branch-to-Branch in vWAN and let us know if that worked?

Cheers,

Kapil
KapilAnanth 49,846 Reputation points Moderator

2023-06-06T04:42:12.3133333+00:00

@René Braga

I have summarized our discussions and posted it as an answer.

Should you feel this has helped, I would request you to accept the same.

Accepted answers help the community members and search engine page rank(s) to search and locate a thread/answer

And in case you have any further query do let us know, I shall be more than glad to assist you as always :)

Cheers,

Kapil
KapilAnanth 49,846 Reputation points Moderator

2023-06-09T06:26:26.8366667+00:00

@René Braga

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

1 answer

Your answer

Konstantinos Passadis 19,681 Reputation points MVP

2023-05-29T19:03:06.0833333+00:00

Hello @René Braga !

Welcome to Microsoft QnA!

I understand you need On Premises Nets to reach each other via Azure

You have managed to do this from one side

We have no feedback on the Configuration so we can only make suggestions

If the ip addresses between OnPrem1 and OnPrem2 are overlapping you need NAT implementation

https://learn.microsoft.com/en-us/azure/nat-gateway/nat-gateway-resource

Verify your routing configuration

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

are the routes correctly advertised ?

Is there any NSG or Firewall blocking traffic ?

You can use Netwotk Watcher

https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics

Please send us some feedback !

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards
GitaraniSharma-MSFT 50,176 Reputation points Microsoft Employee Moderator

2023-05-30T07:54:55.7633333+00:00

Hello @René Braga ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I believe the question was posted before you could add all the details. Could you please add all the details?

Could you please also complete the flow you've mentioned above?

Regards,

Gita
GitaraniSharma-MSFT 50,176 Reputation points Microsoft Employee Moderator

2023-05-31T14:19:34.3433333+00:00

Hello @René Braga , Could you please provide an update on this post?
TP 145.2K Reputation points Volunteer Moderator

2023-05-31T14:29:08.8233333+00:00

@René Braga I've restored previous version of your question before text was truncated by a moderator. Please review and make any edits as you see fit. Thank you.
René Braga 0 Reputation points

2023-05-31T14:40:20.8833333+00:00

Hello @Konstantinos Passadis

Thanks for your comments

"If the ip addresses between OnPrem1 and OnPrem2 are overlapping you need NAT implementation"

No the networks Ips are not overlapping

"are the routes correctly advertised ? "

The routes are advertised, cause we can reach on-prem2 by azure.

"Is there any NSG or Firewall blocking traffic ?"

Nothing is bloking this traffic.

but the firewall manager at on-prem2, just informed that the routed from on-prem1 are not advertised on On-prem2 BGP.

in the last tests ,, I've trying to create a routetable , but not working yet.

thanks for all help
KapilAnanth 49,846 Reputation points Moderator

2023-06-01T04:47:01.96+00:00

@René Braga

For this configuration to work, you will be required to enable BGP in the,

VPN Connection between OnPrem1 and Azure VPN Gateway

Can you confirm this is done?

Azure ExpressRoute to OnPrem2 (But this should be already enabled)

And, also, there are other requirements,

If you want to use transit routing between ExpressRoute and VPN, the ASN of Azure VPN Gateway must be set to 65515 and Azure Route Server should be used.

For ExpressRoute and Azure VPN to work together, you must keep the Autonomous System Number of your Azure VPN gateway at its default value, 65515

Refer : Azure Route Server support for ExpressRoute and Azure VPN

Cheers,

Kapil
René Braga 0 Reputation points

2023-06-01T11:19:06.79+00:00

@KapilAnanth

Thanks for your points , I'm going to review the configuration in the next hours and replay you back, now we are using the Azure VWAN to redirect the traffic, but with no success, then I will replace the VWAN by a Azure Route Server

Thanks
KapilAnanth 49,846 Reputation points Moderator

2023-06-01T11:47:21.48+00:00

@René Braga

With Azure vWAN, you can do this directly.

No need for Azure Route server, but BGP would be required.

Consider the scenario : Any-to-Any,

Make sure you enable Branch-to-Branch in vWAN's configuration blade.

Refer: Is branch-to-branch connectivity allowed in Virtual WAN?
René Braga 0 Reputation points

2023-06-01T12:05:24.3466667+00:00

@KapilAnanth

VPN Connection between OnPrem1 and Azure VPN Gateway

Can you confirm this is done? Yes (y)

Azure ExpressRoute to OnPrem2 (But this should be already enabled)

Yes
KapilAnanth 49,846 Reputation points Moderator

2023-06-05T05:50:18.9233333+00:00

@René Braga

If that's the case, please make you have enabled Branch-to-Branch in vWAN and let us know if that worked?

Cheers,

Kapil
KapilAnanth 49,846 Reputation points Moderator

2023-06-06T04:42:12.3133333+00:00

@René Braga

I have summarized our discussions and posted it as an answer.

Should you feel this has helped, I would request you to accept the same.

Accepted answers help the community members and search engine page rank(s) to search and locate a thread/answer

And in case you have any further query do let us know, I shall be more than glad to assist you as always :)

Cheers,

Kapil
KapilAnanth 49,846 Reputation points Moderator

2023-06-09T06:26:26.8366667+00:00

@René Braga

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Answer 1

@René Braga

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

You would like to transit traffic coming from VPN Ipsec to Another site by ExpressRoute

The Flow IS ( On-Prem1) <IPSEC>(Azure)<ExpressRoute>(On-prem2).

For this configuration to work, you will be required to enable BGP in the,

VPN Connection between OnPrem1 and Azure VPN Gateway
Azure ExpressRoute to OnPrem2 (This should be already enabled)

For a Non - vWAN scenario

And, also, there are other requirements,

If you want to use transit routing between ExpressRoute and VPN, the ASN of Azure VPN Gateway must be set to 65515 and Azure Route Server should be used.
For ExpressRoute and Azure VPN to work together, you must keep the Autonomous System Number of your Azure VPN gateway at its default value, 65515

Refer : Azure Route Server support for ExpressRoute and Azure VPN

User's image

For a vWAN scenario

With Azure vWAN, you can do this directly.

No need for Azure Route server, but BGP would be required.

Consider the scenario : Any-to-Any,

User's image

Make sure you enable Branch-to-Branch in vWAN's configuration blade.

Refer: Is branch-to-branch connectivity allowed in Virtual WAN?

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

René Braga 0 Reputation points

2023-06-06T12:49:24.99+00:00

Hello @KapilAnanth

I'm not done completely the virtual wan setup, the hub is already configured, but some connection are not yet going through virtual Wan hub

branch to branch is enable on virtual Wan

with best regards
KapilAnanth 49,846 Reputation points Moderator

2023-06-07T05:44:42.1033333+00:00

@René Braga

Thanks for the update.

In that case, you can complete your vWAN Configuration and let us know should the issue persist.

Cheers,

Kapil

Share via

Azure Network Advanced Solution

1 answer

Your answer