Linking Azure VNets Across Subscriptions with a Single S2S Connection

Question

Linking Azure VNets Across Subscriptions with a Single S2S Connection

Anonymous

Hi all,

I am facing the blocker described bellow. I need a helping hand in spotting what I am missing. Thanks in advance.

Senario:

In subscription 1, RG1 I have Vnet1 and An Azure Gateway VPN, Vnet1 has S2S VPN connection to on-prem site.
In subscription 2, RG2 I have Vnet2 and an Azure Gateway VPN

What I want:

I want to be able to access from on-prem site Vnet1 and Vnet2, without creating S2S connection to on-prem for each VNET (see picture (essentially the red path in the diagram))

What I have already tried:

Try no 1:

VNet-to-Vnet VPN connection between Vnet1 and Vnet2 using instruction from MS official documentation

The Connection Status was Connected on both sides, however I was not able to reach resources in Vnet2 from devices on On-Prem Site.

I have tried additional configuration to establish communication from Vnet2 to On-Prem Site through the VNet-to-VNet VPN and S2S VPN connections , by using Route Table with routs on both pars, but with no success.

Using VNet Peering is not an option for my current architecture.

Try no 2:

S2S (IPSec) VPN connection between the 2 Vnets. <VNET2> ---S2S VPN--- <VNET1>

Which include the following 2 parts:

S2S connection between Virtual network gateway VnetGW1 (subscription 1) and Local Network Gateway named LocalNetworkGW2 in subscription 2 S2S connection between Virtual network gateway VnetGW2 (subscription 2) and Local Network Gateway named LocalNetworkGW1 in subscription 1

Steps:

# Signin to Subscription 1
$ az account set --subscription ID-Subs1

# Create S2S connection from Virtual Network Gateway subs1  to Local Network Gateway subs2
$ az network vpn-connection create --name VnetGW1toLocalNetworkGW2 --resource-group RG1 --vnet-gateway1 VnetGW1 -l westeurope --shared-key "abc123" --local-gateway2 /subscriptions/ID-Subs2/resourceGroups/RG2/providers/Microsoft.Network/localNetworkGateways/LocalNetworkGW2


# Signin to Subscription 1
$ az account set --subscription ID-Subs2
$ az network vpn-connection create --name VnetGW2toLocalNetworkGW1 --resource-group RG2 --vnet-gateway1 VnetGW2 -l westeurope --shared-key "abc123" --local-gateway2 /subscriptions/ID-Subs1/resourceGroups/RG1/providers/Microsoft.Network/localNetworkGateways/LocalNetworkGW1

Note:

If you try to go in Local Network Gateway named LocalNetworkGW2 and Configure Adress Space by adding the VNET2 IP adress-space, and then run the command to create the S2S connection.

You will get the following error code "ConnectionOverlappingAddressSpaces" This is because at S2S connection creation via comand line the Local Network Gateway gets updated with the VNET2 IP adress-space, so there is no need to add it manually*

Issue:

The commands of creating S2S finished with no error, however the "connectionStatus": "NotConnected" on both end, so I still do not have the desired access

Anonymous

2023-06-13T08:30:42.6166667+00:00

Adding diagram from both attempts, which none was a success

Try no 1:

Try no 2:
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T09:04:21.3933333+00:00
@Anonymous

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to achieve transit routing via VPN Connections between Azure Site and OnPrem via another Azure Site.

Technically, this should be possible with one condition.

BGP is a must

Using a S2S for connecting two VPN Gateways in Azure would be an overkill.

VNet-to-Vnet will work exactly as desires as long as all the two connections, Vnet1-to-OnPrem S2S and Vnet1-to-Vnet2 VPN Connection both have BGP enabled.

I see the documentation you have shared for Vnet-to-Vnet does not configure BGP by default.

I would recommend you to enable BGP in all the connections and give it a try.

Please note : This configuration would not work if you do not enable BGP even with S2S between the VNets.

Your exact requirement is documented here

Cheers,

Kapil
Anonymous

2023-06-13T09:13:35.6066667+00:00

@KapilAnanth-MSFT

"I see the documentation you have shared for Vnet-to-Vnet does not configure BGP by default."

That's why I got confused, I was aware of the information in the documentation you shared here, however BGP is not mentioned in the document related to creating Vnet-to-Vnet VPN connection it is only mentioned "If your VNets are in different subscriptions, you can't create the connection in the portal. Use PowerShell or CLI instead."

I saw this ticket which is exact my problem and they solved via S2S without BGP
https://learn.microsoft.com/en-us/answers/questions/931496/connecting-from-one-vnet-to-another-vnets-s2s-on-p?page=1&orderby=Helpful#answers

Or I miss something. Can you pretty please do a dummy-explain for me, is a bit foggy on my end :(

Your suggestion is exactly what I want to do, but I got mislead by the docs differences :)

If I set BGP on S2S and Vnet-to-Vnet, do I need additional UDR on the VNETs conected via Vnet-to-Vnet VPN?
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T09:30:04.91+00:00
@Anonymous

The method specified in the Q&A thread is more of a work around.

Now that you have mentioned, it should also work.

Here, we will be required to manually update the routes.

I take it that both the LNGs are now created and the S2S between the VNets are in a "Not Connected" state.

Can you confirm if they are in "Not Connected" or in "Connecting" state

Can you please check if the address space(s) in the LNGs are updated properly from the Portal?

Also,

VPNGW1 is connected to LNG2
- Can you please create the LNG2 in the same subscription as VPNGW1 - And fill it with VPNGW2's IP and address range

VPNGW2 is connected to LNG1

Similarly, Can you please create the LNG1 in the same subscription as VPNGW2

And fill it with VPNGW1's IP and address range

Let me know how this goes.

Cheers,

Kapil
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T09:33:56.4866667+00:00
@Anonymous

Wrt using BGP and using S2S + Vnet-to-Vnet,

You are not required to add additional UDR on the VNETs conected via Vnet-to-Vnet VPN?

The beauty of BGP is that routes are managed and propagating automatically

Cheers,

Kapil
Anonymous

2023-06-13T10:07:30.01+00:00
@KapilAnanth-MSFT

"Not Connected"

Can you please check if the address space(s) in the LNGs are updated properly from the Portal?

They are not getting updated, I have checked via portal and via CLI, I can not see the VNET IP prefix

However if I want to manually update them via portal or CLI is saying that the VNET IP prefix is already there

----> I suspect this is the issue, the LNGs address spaces are not getting updated

VPNGW1 is connected to LNG2

the status is the same "Not Connected"

The S2S connections were created via command line

VPNGW1 ---S2S--- LNG2

VPNGW2 ---S2S--- LNG1

$ az account set --subscription ID-Subs1 $ az network vpn-connection create --name VnetGW1toLocalNetworkGW2 --resource-group RG1 --vnet-gateway1 VnetGW1 -l westeurope --shared-key "abc123" --local-gateway2 /subscriptions/ID-Subs2/.../localNetworkGateways/LocalNetworkGW2 $ az account set --subscription ID-Subs2 $ az network vpn-connection create --name VnetGW2toLocalNetworkGW1 --resource-group RG2 --vnet-gateway1 VnetGW2 -l westeurope --shared-key "abc123" --local-gateway2 /subscriptions/ID-Subs1/..../localNetworkGateways/LocalNetworkGW1

More details about what I have done and the output:

Subscription 1:

Go in Virtual network gateway at Connections and check the S2S connection status between the Virtual network gateway from subs1 and Local network gateway from subs2, the status is "Not Connected"

Local network gateway Address Space from the portal or list the LNGw Adress Spacess via CLI is not updated with the VNET 2 ip range adress prefix 10.90.0.0/16

If I want to update the LNGw i get the error:

Failed to save configuration changes to local network gateway 'LNGw1'. Error: This gateway connection creates an address space overlap between two networks. The overlapping addresses are '10.90.0.0/16' and '10.90.0.0/16'.

Subscription 2:

Go in Virtual network gateway at Connections and check the S2S connection status between the Virtual network gateway from subs2 and Local network gateway from subs1, the status is "Not Connected"- Local network gateway Address Space from the portal or list the LNGw Adress Spacess via CLI is not updated with the VNET 1 ip range adress prefix 10.70.0.0/16

If I want to update the LNGw i get the error:

Failed to save configuration changes to local network gateway 'LNGw1'. Error: This gateway connection creates an address space overlap between two networks. The overlapping addresses are '10.70.0.0/16' and '10.70.0.0/16'.
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T10:19:53.1266667+00:00
@Anonymous

Based on the error message,

I believe you are connecting the VPNGW1 to an LNG that contains the same address space as VNet1

Similarly, VPNGW2 to an LNG that contains the same address space as VNet2

You should swap these two.

Next Steps:

From your commands, I see you are establishing a connection across subscription(s)

I don't think this is correct.

Can you instead use just one subscription as below?

Note :

The S2S Connection object is created within the subscription (VPNGW and LNG are in same subscription)

Address range of LNG comes from the other VPNGW (Vnet)

If possible, I would recommend you to delete the LNGs and Connections and recreated them with Azure Portal.

Cheers,

Kapil
Anonymous

2023-06-13T10:44:22.9+00:00
Already created/existent:

In Subscription 1

Resource Group 1

VNET1

VPNGW1 ---S2S connection-->with On-Prem Site Prod

LNG1 (Address Space contains On-prem Site Prod Address Prefix)

In Subscription 2

Resource Group 2

VNET2

VPNGW2 ---S2S connection-->with On-Prem Site Dev

LNG2 (Address Space contains On-prem Site Dev Address Prefix)

What I want to do is the following

In Subscription 1

Resource Group 1

VNET1

VPNGW1

---S2S connection-->with On-Prem Site Prod [already existent]

---S2S connection-->with LNGW2 [I created new]

LNG1

(Address Space contains On-prem Site Prod Address Prefix) already existent

Address Space should contain also VNET2 Address Prefix (I expected to be updated when I create the VPNGW1 - LNG2 S2S connection)

However is not getting updated and I cant add it manual via portal or CLI, because If I try to add it it says that already exists

In Subscription 2

Resource Group 2

VNET2

VPNGW2

---S2S connection-->with On-Prem Site Dev already existing

---S2S connection-->with LNGW1 [I created new]

LNG2

(Address Space contains On-prem Site Dev Address Prefix) already existing

Address Space should contain also VNET1 Address Prefix (I expected to be updated when I create the VPNGW2 - LNG1 S2S connection)

However is not getting updated and I cant add it manual via portal or CLI, because If I try to add it it says that already exists

Can you confirm if they are in "Not Connected" or in "Connecting" state

"Not Connected"

Can you please check if the address space(s) in the LNGs are updated properly from the Portal?

I listed the LNGs Adress Spaces via Portal and via Command Line and I can not see the Address Prefixes of the VNET1 on LNG2 and VNET2 on LNG1
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T10:58:41.42+00:00
@Anonymous

You informed,

You created a new LNGW2 (I think this is LNG2) in Subscription1

Then, first you must update this LNG2 to the VNET2's Address range

Only then should you create a connection between VPNGW1 and LNG2.

I am not getting what you mean by "I expected to be updated when I create the VPNGW1 - LNG2 S2S connection"

This should be done manually before S2S Connection creation.

Can you please share the screenshot of the Address Prefix of LNG2 in Subscription1?

Also the error message when you add VNet2's address range please?

Thanks,

Kapil
Anonymous

2023-06-13T11:11:35.4333333+00:00
KapilAnanth-MSFT I will add the folowing diagram, to understand what was already existing (not created by me, but existing since 5y ago)

As you can see there are 2 subscriptions in each subs is an Azure Gateway VPN that has S2S connections to 2 differents onprem sites.

What I want to do is the following:

update the already existing infrastructure so I can also get access from OnPrem Site (192.168.250.230/30) to resources in Subscription 2 ( see in the diagram the red line)

To achieve that on already existing infrastructure I created a new S2S connection between the 2 VNETs

In Subscription1 in VNGW1 I created a S2S connection to LNG2
In Subscription2 in VNGW2 I created a S2S connection to LNG1

Expected:

the LNG1 Address Space get updated with 10.20.0.0/16 VNET2 IP

the LNG2 Address Space get updated with 10.90.0.0/16 VNET1 IP

And connection status from both way to be connected

All those points are not satisfied
Anonymous

2023-06-13T11:16:35.79+00:00
I am not getting what you mean by "I expected to be updated when I create the VPNGW1 - LNG2 S2S connection"

This should be done manually before S2S Connection creation.

If you look closer in my post I mentioned that I have tried to manually update the Address Space before creating the connection, however when I tried to create the connection I got an error.

I also shared several times the IP prefixes look in pictures
Anonymous

2023-06-13T13:17:18.65+00:00
UPDATE:

UPDATE:

UPDATE:

Method1: S2S VPN connection between Vnet1 and Vnet2

In this new Subscription DEMO, in here I have created a resource group with the following resources:

VNET with address space 10.39.0.0/16 --> Name: demo-vnet-for-gwvpn

Virtual Network Gateway ---> Name: Demo-VNGW

Local Network Gateway ---> Name: DEMO-LNGW

The VNET address prefix do not overlap with any other vnets

On this post and also on similar posts it is advised to manually add the VNET IP Prefix to the Local Network Gateway.

Ok, so I want to create an S2S connection from Subscription1 Virtual Network Gateway VNG1 to Local Network Gateway LNG2 located in another subscription called Subscription DEMO

Official MS Documentation mention that if you want to create V2V or S2S connection across subscription you have to use command line, not portal.

Good.

The steps should be the following:

Update the Address Space of Local Network Gateway LNG2 to contain the Address Prefix of Vnet1 (10.90.0.0/16)

use command line to create the S2S connection between VNG1 and LNG2

OOOO but what we have here... Looks like the command under the hood tries to add the Vnet1 Address Prefix to LNG2 Address Space

Either this is a bug, either this is the expected behavior.

Go in LNG2 and delete the Vnet1 Ip Prefix that I added previously.
Run again the command to create a S2S tunnel from VNG1 to LNG2.

Command run with success

The LNG2 Address Space do not get updated with the Vnet1 Ip Prefix 10.90.0.0/16 after the command to create the S2S command is ran.

However if I want to add it manually in the LNG2 Address Space I get the error that the IP is already in the address space.

Looks like a bug to me.
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T13:57:21.7+00:00
@Anonymous

Are you using the same LNG for OnPrem and also for the other VNet(VPNGateway)?

If so,

You should not do this

Each of your VPN Gateway must be associated to 2 LNGs

One LNG for the OnPrem and one LNG for the other VNET Address space and make two distinct connections to the two LNGs.

Refer : Add additional S2S connections to a VNet: Azure portal

P.S : First, we shall establish the S2S between the VPN Gateways, then we can focus on adding the OnPrem ranges to the VNET2.

Thanks,

Kapil
Anonymous

2023-06-13T14:19:22.2333333+00:00
KapilAnanth-MSFT

I created a new Subscription.

Ok let's start from a clear point:

In Subscription-A I have the

Vnet-A 10.90.0.0/16

VNG-A

LNG-for-OnPrem

LNG-for-Vnet-B

In Subscription-B I have the

Vnet-B 10.39.0.0/16

VNG-B

LNG-for-Vnet-A

Steps:

Update LNG-for-Vnet-A and add Vnet-A ip prefix 10.90.0.0/16
Run az network vpn-connection create command creates a VPN connection between the two gateways

Output I get error:
"Error: This gateway connection creates an address space overlap between two networks. The overlapping addresses are '10.90.0.0/16' and '10.90.0.0/16'."

I mention that the IP do not overlap.
In each Subscription I have only one VNET A and B, no peering, no routes.

If the az network vpn-connection create command creates a VPN connection between the two gateways, but it does not automatically update the Address Space of the Local Network Gateway, and the Address Space of the Local Network Gateway needs to be updated manually to include the desired address prefixes, why I get the error?

If my environment is clean, and in Subscription-B there is no overlap with the IP in Subscription-B, no peer, no route, nothing?

I also tested and created 2 new subscriptions, in each subs only the vnet and gateway, and tried to connect the gateways, same error.

Is like saying to me that I am in your house, but is no trace of me being there or link or something
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T14:24:01.8666667+00:00

@Anonymous

Can you do this with Portal Please?

And see if this error is reproducible.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
Anonymous

2023-06-13T14:45:32.93+00:00

KapilAnanth-MSFT The issue happens in CLI and Portal.

I created a github issue:
https://github.com/MicrosoftDocs/azure-docs/issues/110829
Anonymous

2023-06-13T14:47:26.7433333+00:00

KapilAnanth-MSFT If you ask me to create the S2S connection via portal, I can not do it since the LNG are not in the same subscription

From MS official Doc: "If your VNets are in different subscriptions, you can't create the connection in the portal. Use PowerShell or CLI instead."
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T15:10:30.2+00:00
@Anonymous

Wrt,

"If your VNets are in different subscriptions, you can't create the connection in the portal. Use PowerShell or CLI instead"

This is for VNet-to-VNet VPN Connection.

Wrt,

"LNG are not in the same subscription"

From your statement,

We are going to connect VNG-A and LNG-for-Vnet-B (contains VnetB's address range)

And they happen to be in the same subscription as well.

Is that not the case?

Cheers,

Kapil
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T15:16:51.4233333+00:00
@Anonymous

At this Point, I believe we can have a specialized 1:1 session, where a support engineer can have a screen share session to pinpoint the issue.

If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

In case you need a one-time free technical support could you please send an email to AzCommunity[At]Microsoft[Dot]com with the below details.

Subject : Attn Kaananth | Linking Azure VNets Across Subscriptions with a Single S2S Connection

Thread URL: Link to this thread.

Subscription ID : Subscription ID where the VPN Gateway A is hosted.

Cheers,

Kapil
Anonymous

2023-06-13T16:20:31.3333333+00:00
UPDATES:

Sub A (this one is S2S to Onprem)

vnetA

vngA

lng to onprem

I created a new LNG to connect to subB, the LNG public IP is the VNG-B public IP

I created an S2S connection between VNG-A and LNG-A

Sub B

vnetB

vngB

lng to an old onprem

I created a new LNG to connect to subA, the LNG public IP is the VNG-A public IP

I created an S2S connection between VNG-B and LNG-B

Now the Connection Status on both ends is Connected.

From OnPrem I can ping any VM in SubsA, however I still can not ping the VMs in subs B
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-14T09:04:45.8466667+00:00
@Anonymous

Great news.

Now, In LNGB, add the OnPrem Address Range that is connected to siteA.

This will make the traffic destined to OnPremSiteA go to the VNGA

Let me know if this works.

Cheers,

Kapil
Anonymous

2023-06-14T11:42:07.7733333+00:00

KapilAnanth-MSFT, I solved in the end (I got help from an Azure Network engineer I will not gone lie)

So in my case all started from the way I saw Local Network Gateway.

Instead to look at is as a configuration, I treated it like a device.

That's why I thought that is a good idea to connect the Virtual Network Gateway from Subscription-A so the Local Network Gateway from Subscription B.

No matter the config I did, the set-ul, I got errors because I keept connecting:
VNGA (from subs-A) to LNGB (which was in subs-B)

My fault was that I misunderstood the scope of LNG seeing it as a device instead of a config.

For Vnet-to-Vnet if I want to connect vnets via vpn from different subscription, you do it by connecting VNG-subcription-1 with VNG-subscription-2,
so I thought if this is the logic for V2V, then for S2S should be VNG-subscription-1 connected to LNG-subscription-2,

I created an article here with the solution:
https://medium.com/@andragabr/connect-from-onprem-to-azure-vnets-across-subscriptions-1b89306d15ef
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-14T12:17:36.51+00:00

@Anonymous

Haa, that happens.

I am glad you were able to set this up finally.

I shall summarize our discussions and post it as an answer.

Request you to please Accept the Answer (as original posters cannot accept their own answer) and close this thread

Cheers,

Kapil :)
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-15T09:34:06.58+00:00

@Anonymous

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil

Accepted answer

2 additional answers

Your answer

Anonymous

2023-06-13T08:30:42.6166667+00:00

Adding diagram from both attempts, which none was a success

Try no 1:

Try no 2:
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T09:04:21.3933333+00:00

@Anonymous

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to achieve transit routing via VPN Connections between Azure Site and OnPrem via another Azure Site.

Technically, this should be possible with one condition.

BGP is a must

Using a S2S for connecting two VPN Gateways in Azure would be an overkill.

VNet-to-Vnet will work exactly as desires as long as all the two connections, Vnet1-to-OnPrem S2S and Vnet1-to-Vnet2 VPN Connection both have BGP enabled.

I see the documentation you have shared for Vnet-to-Vnet does not configure BGP by default.

I would recommend you to enable BGP in all the connections and give it a try.

Please note : This configuration would not work if you do not enable BGP even with S2S between the VNets.

Your exact requirement is documented here

Cheers,

Kapil
Anonymous

2023-06-13T09:13:35.6066667+00:00

@KapilAnanth-MSFT

"I see the documentation you have shared for Vnet-to-Vnet does not configure BGP by default."

That's why I got confused, I was aware of the information in the documentation you shared here, however BGP is not mentioned in the document related to creating Vnet-to-Vnet VPN connection it is only mentioned "If your VNets are in different subscriptions, you can't create the connection in the portal. Use PowerShell or CLI instead."

I saw this ticket which is exact my problem and they solved via S2S without BGP
https://learn.microsoft.com/en-us/answers/questions/931496/connecting-from-one-vnet-to-another-vnets-s2s-on-p?page=1&orderby=Helpful#answers

Or I miss something. Can you pretty please do a dummy-explain for me, is a bit foggy on my end :(

Your suggestion is exactly what I want to do, but I got mislead by the docs differences :)

If I set BGP on S2S and Vnet-to-Vnet, do I need additional UDR on the VNETs conected via Vnet-to-Vnet VPN?
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T09:30:04.91+00:00

@Anonymous

The method specified in the Q&A thread is more of a work around.

Now that you have mentioned, it should also work.

Here, we will be required to manually update the routes.

I take it that both the LNGs are now created and the S2S between the VNets are in a "Not Connected" state.

Can you confirm if they are in "Not Connected" or in "Connecting" state

Can you please check if the address space(s) in the LNGs are updated properly from the Portal?

Also,

VPNGW1 is connected to LNG2
- Can you please create the LNG2 in the same subscription as VPNGW1 - And fill it with VPNGW2's IP and address range

VPNGW2 is connected to LNG1

Similarly, Can you please create the LNG1 in the same subscription as VPNGW2

And fill it with VPNGW1's IP and address range

Let me know how this goes.

Cheers,

Kapil
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T09:33:56.4866667+00:00

@Anonymous

Wrt using BGP and using S2S + Vnet-to-Vnet,

You are not required to add additional UDR on the VNETs conected via Vnet-to-Vnet VPN?

The beauty of BGP is that routes are managed and propagating automatically

Cheers,

Kapil
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T10:19:53.1266667+00:00

@Anonymous

Based on the error message,

I believe you are connecting the VPNGW1 to an LNG that contains the same address space as VNet1

Similarly, VPNGW2 to an LNG that contains the same address space as VNet2

You should swap these two.

Next Steps:

From your commands, I see you are establishing a connection across subscription(s)

I don't think this is correct.

Can you instead use just one subscription as below?

Note :

The S2S Connection object is created within the subscription (VPNGW and LNG are in same subscription)

Address range of LNG comes from the other VPNGW (Vnet)

If possible, I would recommend you to delete the LNGs and Connections and recreated them with Azure Portal.

Cheers,

Kapil
Anonymous

2023-06-13T10:44:22.9+00:00

Already created/existent:

In Subscription 1

Resource Group 1

VNET1

VPNGW1 ---S2S connection-->with On-Prem Site Prod

LNG1 (Address Space contains On-prem Site Prod Address Prefix)

In Subscription 2

Resource Group 2

VNET2

VPNGW2 ---S2S connection-->with On-Prem Site Dev

LNG2 (Address Space contains On-prem Site Dev Address Prefix)

What I want to do is the following

In Subscription 1

Resource Group 1

VNET1

VPNGW1

---S2S connection-->with On-Prem Site Prod [already existent]

---S2S connection-->with LNGW2 [I created new]

LNG1

(Address Space contains On-prem Site Prod Address Prefix) already existent

Address Space should contain also VNET2 Address Prefix (I expected to be updated when I create the VPNGW1 - LNG2 S2S connection)

However is not getting updated and I cant add it manual via portal or CLI, because If I try to add it it says that already exists

In Subscription 2

Resource Group 2

VNET2

VPNGW2

---S2S connection-->with On-Prem Site Dev already existing

---S2S connection-->with LNGW1 [I created new]

LNG2

(Address Space contains On-prem Site Dev Address Prefix) already existing

Address Space should contain also VNET1 Address Prefix (I expected to be updated when I create the VPNGW2 - LNG1 S2S connection)

However is not getting updated and I cant add it manual via portal or CLI, because If I try to add it it says that already exists

Can you confirm if they are in "Not Connected" or in "Connecting" state

"Not Connected"

Can you please check if the address space(s) in the LNGs are updated properly from the Portal?

I listed the LNGs Adress Spaces via Portal and via Command Line and I can not see the Address Prefixes of the VNET1 on LNG2 and VNET2 on LNG1
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T10:58:41.42+00:00

@Anonymous

You informed,

You created a new LNGW2 (I think this is LNG2) in Subscription1

Then, first you must update this LNG2 to the VNET2's Address range

Only then should you create a connection between VPNGW1 and LNG2.

I am not getting what you mean by "I expected to be updated when I create the VPNGW1 - LNG2 S2S connection"

This should be done manually before S2S Connection creation.

Can you please share the screenshot of the Address Prefix of LNG2 in Subscription1?

Also the error message when you add VNet2's address range please?

Thanks,

Kapil
Anonymous

2023-06-13T11:11:35.4333333+00:00

KapilAnanth-MSFT I will add the folowing diagram, to understand what was already existing (not created by me, but existing since 5y ago)

As you can see there are 2 subscriptions in each subs is an Azure Gateway VPN that has S2S connections to 2 differents onprem sites.

What I want to do is the following:

update the already existing infrastructure so I can also get access from OnPrem Site (192.168.250.230/30) to resources in Subscription 2 ( see in the diagram the red line)

To achieve that on already existing infrastructure I created a new S2S connection between the 2 VNETs

In Subscription1 in VNGW1 I created a S2S connection to LNG2
In Subscription2 in VNGW2 I created a S2S connection to LNG1

Expected:

the LNG1 Address Space get updated with 10.20.0.0/16 VNET2 IP

the LNG2 Address Space get updated with 10.90.0.0/16 VNET1 IP

And connection status from both way to be connected

All those points are not satisfied
Anonymous

2023-06-13T11:16:35.79+00:00

I am not getting what you mean by "I expected to be updated when I create the VPNGW1 - LNG2 S2S connection"

This should be done manually before S2S Connection creation.

If you look closer in my post I mentioned that I have tried to manually update the Address Space before creating the connection, however when I tried to create the connection I got an error.

I also shared several times the IP prefixes look in pictures
Anonymous

2023-06-13T13:17:18.65+00:00

UPDATE:

UPDATE:

UPDATE:

Method1: S2S VPN connection between Vnet1 and Vnet2

In this new Subscription DEMO, in here I have created a resource group with the following resources:

VNET with address space 10.39.0.0/16 --> Name: demo-vnet-for-gwvpn

Virtual Network Gateway ---> Name: Demo-VNGW

Local Network Gateway ---> Name: DEMO-LNGW

The VNET address prefix do not overlap with any other vnets

On this post and also on similar posts it is advised to manually add the VNET IP Prefix to the Local Network Gateway.

Ok, so I want to create an S2S connection from Subscription1 Virtual Network Gateway VNG1 to Local Network Gateway LNG2 located in another subscription called Subscription DEMO

Official MS Documentation mention that if you want to create V2V or S2S connection across subscription you have to use command line, not portal.

Good.

The steps should be the following:

Update the Address Space of Local Network Gateway LNG2 to contain the Address Prefix of Vnet1 (10.90.0.0/16)

use command line to create the S2S connection between VNG1 and LNG2

OOOO but what we have here... Looks like the command under the hood tries to add the Vnet1 Address Prefix to LNG2 Address Space

Either this is a bug, either this is the expected behavior.

Go in LNG2 and delete the Vnet1 Ip Prefix that I added previously.
Run again the command to create a S2S tunnel from VNG1 to LNG2.

Command run with success

The LNG2 Address Space do not get updated with the Vnet1 Ip Prefix 10.90.0.0/16 after the command to create the S2S command is ran.

However if I want to add it manually in the LNG2 Address Space I get the error that the IP is already in the address space.

Looks like a bug to me.
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T13:57:21.7+00:00

@Anonymous

Are you using the same LNG for OnPrem and also for the other VNet(VPNGateway)?

If so,

You should not do this

Each of your VPN Gateway must be associated to 2 LNGs

One LNG for the OnPrem and one LNG for the other VNET Address space and make two distinct connections to the two LNGs.

Refer : Add additional S2S connections to a VNet: Azure portal

P.S : First, we shall establish the S2S between the VPN Gateways, then we can focus on adding the OnPrem ranges to the VNET2.

Thanks,

Kapil
Anonymous

2023-06-13T14:19:22.2333333+00:00

KapilAnanth-MSFT

I created a new Subscription.

Ok let's start from a clear point:

In Subscription-A I have the

Vnet-A 10.90.0.0/16

VNG-A

LNG-for-OnPrem

LNG-for-Vnet-B

In Subscription-B I have the

Vnet-B 10.39.0.0/16

VNG-B

LNG-for-Vnet-A

Steps:

Update LNG-for-Vnet-A and add Vnet-A ip prefix 10.90.0.0/16
Run az network vpn-connection create command creates a VPN connection between the two gateways

Output I get error:
"Error: This gateway connection creates an address space overlap between two networks. The overlapping addresses are '10.90.0.0/16' and '10.90.0.0/16'."

I mention that the IP do not overlap.
In each Subscription I have only one VNET A and B, no peering, no routes.

If the az network vpn-connection create command creates a VPN connection between the two gateways, but it does not automatically update the Address Space of the Local Network Gateway, and the Address Space of the Local Network Gateway needs to be updated manually to include the desired address prefixes, why I get the error?

If my environment is clean, and in Subscription-B there is no overlap with the IP in Subscription-B, no peer, no route, nothing?

I also tested and created 2 new subscriptions, in each subs only the vnet and gateway, and tried to connect the gateways, same error.

Is like saying to me that I am in your house, but is no trace of me being there or link or something
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T14:24:01.8666667+00:00

@Anonymous

Can you do this with Portal Please?

And see if this error is reproducible.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
Anonymous

2023-06-13T14:45:32.93+00:00

KapilAnanth-MSFT The issue happens in CLI and Portal.

I created a github issue:
https://github.com/MicrosoftDocs/azure-docs/issues/110829
Anonymous

2023-06-13T14:47:26.7433333+00:00

KapilAnanth-MSFT If you ask me to create the S2S connection via portal, I can not do it since the LNG are not in the same subscription

From MS official Doc: "If your VNets are in different subscriptions, you can't create the connection in the portal. Use PowerShell or CLI instead."
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T15:10:30.2+00:00

@Anonymous

Wrt,

"If your VNets are in different subscriptions, you can't create the connection in the portal. Use PowerShell or CLI instead"

This is for VNet-to-VNet VPN Connection.

Wrt,

"LNG are not in the same subscription"

From your statement,

We are going to connect VNG-A and LNG-for-Vnet-B (contains VnetB's address range)

And they happen to be in the same subscription as well.

Is that not the case?

Cheers,

Kapil
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-13T15:16:51.4233333+00:00

@Anonymous

At this Point, I believe we can have a specialized 1:1 session, where a support engineer can have a screen share session to pinpoint the issue.

If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

In case you need a one-time free technical support could you please send an email to AzCommunity[At]Microsoft[Dot]com with the below details.

Subject : Attn Kaananth | Linking Azure VNets Across Subscriptions with a Single S2S Connection

Thread URL: Link to this thread.

Subscription ID : Subscription ID where the VPN Gateway A is hosted.

Cheers,

Kapil
Anonymous

2023-06-13T16:20:31.3333333+00:00

UPDATES:

Sub A (this one is S2S to Onprem)

vnetA

vngA

lng to onprem

I created a new LNG to connect to subB, the LNG public IP is the VNG-B public IP

I created an S2S connection between VNG-A and LNG-A

Sub B

vnetB

vngB

lng to an old onprem

I created a new LNG to connect to subA, the LNG public IP is the VNG-A public IP

I created an S2S connection between VNG-B and LNG-B

Now the Connection Status on both ends is Connected.

From OnPrem I can ping any VM in SubsA, however I still can not ping the VMs in subs B
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-14T09:04:45.8466667+00:00

@Anonymous

Great news.

Now, In LNGB, add the OnPrem Address Range that is connected to siteA.

This will make the traffic destined to OnPremSiteA go to the VNGA

Let me know if this works.

Cheers,

Kapil
Anonymous

2023-06-14T11:42:07.7733333+00:00

KapilAnanth-MSFT, I solved in the end (I got help from an Azure Network engineer I will not gone lie)

So in my case all started from the way I saw Local Network Gateway.

Instead to look at is as a configuration, I treated it like a device.

That's why I thought that is a good idea to connect the Virtual Network Gateway from Subscription-A so the Local Network Gateway from Subscription B.

No matter the config I did, the set-ul, I got errors because I keept connecting:
VNGA (from subs-A) to LNGB (which was in subs-B)

My fault was that I misunderstood the scope of LNG seeing it as a device instead of a config.

For Vnet-to-Vnet if I want to connect vnets via vpn from different subscription, you do it by connecting VNG-subcription-1 with VNG-subscription-2,
so I thought if this is the logic for V2V, then for S2S should be VNG-subscription-1 connected to LNG-subscription-2,

I created an article here with the solution:
https://medium.com/@andragabr/connect-from-onprem-to-azure-vnets-across-subscriptions-1b89306d15ef
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-14T12:17:36.51+00:00

@Anonymous

Haa, that happens.

I am glad you were able to set this up finally.

I shall summarize our discussions and post it as an answer.

Request you to please Accept the Answer (as original posters cannot accept their own answer) and close this thread

Cheers,

Kapil :)
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-15T09:34:06.58+00:00

@Anonymous

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil

Answer 1

@Anonymous

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to achieve transit routing via VPN Connections between Azure Site and OnPrem via another Azure Site.

Technically, this should be possible.

Method 1: BGP

Using a S2S for connecting two VPN Gateways in Azure would be an overkill.

VNet-to-Vnet will work exactly as desires as long as all the two connections, Vnet1-to-OnPrem S2S and Vnet1-to-Vnet2 VPN Connection both have BGP enabled.
I see the documentation you have shared for Vnet-to-Vnet does not configure BGP by default.
I would recommend you to enable BGP in all the connections and give it a try.

Please note : This configuration would not work if you do not enable BGP even with S2S between the VNets.

Your exact requirement is documented here

User's image

Method2: Adding the OnPrem Address range in LNG representing Transit VPN Gateway.

Note : Here, VPN Connection between the VPN Gateways should be a S2S and not Vnet-to-Vnet.

First, establish the VPN connection between VPN Gateways

Note :
- The S2S Connection object is created within the subscription (VPNGW and LNG are in same subscription)
- Address range of each LNG comes from the other VPNGW (Vnet)
Once the connection is successful, you can add the address range of the Onprem in the LNG representing the transit Gateway.
This should enable routing to the Onprem.

You have also added some additional configurations for an end-to-end connectivity : https://medium.com/@andragabr/connect-from-onprem-to-azure-vnets-across-subscriptions-1b89306d15ef

Thanks for your continued contribution on Q&A and appreciate much for taking the time to work with us

Cheers

Kapil :)

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Answer 2

munirtajudin 5

From my understanding, you want to use s2s via vnet1 in sub1 to vnet2 in sub2. And u have deployed vpn gateway from both vnet. Here is my 2 cent 1. Deleve vpn gateway in vnet 2 because this will cause an error on next step 2.Connect vnet1 and vnet2 using vnet peering. 3. On peering setting, there is source vnet setting which allow gateway transit and target vnet setting there an option to use remote gateway. Test connection and feedback if still not successful

Anonymous

2023-06-13T11:21:32.63+00:00

@munirtajudin as I mentioned in my post and in my commentaries.

I want to recreate a ticket that was created in 2022 and solved by a MS employee, however he did not shared the full information.

I am not interested in BGP or deleting the second GW since my NO1 scope is to recreate that Scenario and understand how they solved via S2S.

This issue is a very popular one, and there are plenty of post unsolved.

It would be great to have a documentation clear about this issue, since is very popular:

se here: https://stackoverflow.com/questions/52580283/azure-cross-region-vnet-connectivity-with-on-premises-access
and also here where they solved the same issue via S2S, but the same steps used in this case are not working currently: https://learn.microsoft.com/en-us/answers/questions/931496/connecting-from-one-vnet-to-another-vnets-s2s-on-p?page=1&orderby=Helpful#answers
munirtajudin 5 Reputation points

2023-06-13T11:25:32.8233333+00:00

Some references link like this, your vnet1 is your hub n vnet2 is spoke https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
munirtajudin 5 Reputation points

2023-06-13T11:29:45.0866667+00:00

Sorry just read your comment. I also can't help much if deleting second gw is not an option
Anonymous

2023-06-13T11:30:28.0633333+00:00

@munirtajudin I understand very well what you are saying, however I do not want to do something that I already know how to do it.

As I mentioned before and I mention again, this post was raised for a specific Scenario in order to be solved and understood.

I am not looking for an workaround, I want to understand and solve this specific case, and if is not solvable to understand why, and why the MS docs include this scenario.

Again thanks for sharing, I know that method, but I am not interested in that.
Anonymous

2023-06-13T11:31:36.6266667+00:00

munirtajudin are you not curious to find out how this specific scenario can be solved?

I can not sleep man, I have to find out :(
munirtajudin 5 Reputation points

2023-06-13T11:35:20.3866667+00:00

I am curious and faced this before. The option I took last time was deleting the second gw after get in touch with ms support, there are some limitations I recall if u peer two vnet with each consist of vpn gateway

Answer 3

Anonymous

SOLVED:

I created an article here with the solution for different scenarios:
https://medium.com/@andragabr/connect-from-onprem-to-azure-vnets-across-subscriptions-1b89306d15ef

Thank you all for support <3

Share via

Linking Azure VNets Across Subscriptions with a Single S2S Connection

Senario:

What I want:

What I have already tried:

Try no 1:

Try no 2:

Issue:

Adding diagram from both attempts, which none was a success

Try no 1:

Try no 2:

UPDATE:

UPDATE:

UPDATE:

2 additional answers

SOLVED:

Your answer