![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 64%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,461 questions
Hello @Renukappa Sresty D P ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
If I understand correctly, you are not able to access VMs in Vnet B from your ExpressRoute connected on-premises. Please correct me if my understanding is wrong.
As mentioned in the below document,
When you peer virtual networks that share a single Azure ExpressRoute connection, the traffic between them goes through the peering relationship. That traffic uses the Azure backbone network. You can still use local gateways in each virtual network to connect to the on-premises circuit. Otherwise, you can use a shared gateway and configure transit for on-premises connectivity.
Since you are using a hub and spoke architecture and the Vnet A and Vnet B doesn't share a single ExpressRoute connection, the on-premises connectivity should be configured using the transit gateway setting in the Vnet peering. Gateway Transit is a peering property that enables a virtual network to utilize a VPN/ExpressRoute gateway in a peered virtual network. Gateway transit works for both cross premises and network-to-network connectivity.
However, in point 2, you mentioned "We connected <==VnetB==> another on-prem via S2S VPN, its working fine", so I believe you have a VPN gateway configured in Vnet B, and hence configuring transit gateway will not be possible in this case. If the spoke virtual network already has a VPN gateway, the Use remote gateway option isn't supported on the spoke virtual network. This is because of a virtual network peering limitation.
In your current setup, there are only 2 options to provide connectivity from on-prem to Azure VM in Vnet B via Express Route:
- Connect your Vnet B to your ExpressRoute circuit directly by creating an ExpressRoute gateway in Vnet B (co-existence with the already existing VPN gateway).
You can link the spoke Vnet to the ExpressRoute circuit directly for communication between the spoke Vnet and on-premises. You can link up to 10 virtual networks on a standard ExpressRoute circuit, and up to 100 on a premium ExpressRoute circuit.
- Remove the VPN gateway from Vnet B and deploy it in Vnet A along with the ExpressRoute gateway as a co-existence setup and then enable gateway transit in the Vnet B peering. You can configure your network where some sites connect directly to Azure over Site-to-Site VPN, and some sites connect through ExpressRoute.
https://learn.microsoft.com/en-us/azure/expressroute/how-to-configure-coexisting-gateway-portal
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
While enabling the gateway transit option, you need to make sure that the Vnet B is using the remote virtual network's (Vnet A ExpressRoute) gateway and Traffic to remote virtual network & Traffic forwarded from remote virtual network are set to Allow for both side Vnet peerings.
Option 1 will be expensive as it will have 3 gateways in total, so my suggestion is to go for option 2.
If you go with option 2, you can also enable connectivity between your local network that is connected to ExpressRoute and other local network that is connected to a site-to-site VPN connection by enabling BGP and setting up Azure Route Server (if needed in the future).
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.