How to do VNet peering's among the multiple S2S VPN connection?

Khushboo Kumari 97

Hi ,

There is multiple Site to site VPN Connection on-prem to Azure. As shown in attached image. I have some question related to this scenario. Please tell me the solution as soon as possible..

User's image

1 answer

KapilAnanth-MSFT 36,861 Reputation points Microsoft Employee

2023-08-07T10:29:53.9066667+00:00
@Khushboo Kumari

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know the best practices for deploying a Site-to-Site connection to connect your OnPrem and Azure resources.

The above architecture is not something we would recommend.

Our recommendation is to go with either

Hub-Spoke Architecture and use only one VPN Gateway to connect to OnPrem

or

Connect your sites in different geographic regions to your OnPrem individually and do not use VNET Peering at all

Technically speaking,

In your architecture, if one S2S Fails (let's say East US), it will not be able to connect to OnPrem using other S2S connections

This is an expected behavior and we cannot over ride this.

The reason is because

A VNET can use only one VPN Gateway - either it's own or the one to which it's peered.

It cannot use both at any instant

So, you can have a Hub Spoke as below (no VNET Peering between Spokes and Spokes are only peered to Hub)

Or, below - No peering between the Hubs

Now, I am not sure why you would need a Load Balancing here.

If you are concerned about the throughput and availability of the Tunnel, you should consider,

1.Zone-redundant virtual network gateway

This is for availability

Deploying gateways in Azure availability zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures

The two gateway instances will be deployed in any 2 out of the three Availability zones to provide zone-redundancy.

Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/about-zone-redundant-vnet-gateways

2.Throughput

Gateway SKUs by tunnel, connection, and throughput : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#benchmark

Consider using Active-Active Gateways : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#dual-redundancy-active-active-vpn-gateways-for-both-azure-and-on-premises-networks

This can create upto 4 Tunnel in a single VPN Connection

This makes sure even if one tunnel goes down, the rest of the 3 remains active

Also, if an instance goes down in one availability zone, another instance in another availability zone will continue to keep 2 remaining connections active

Load Balancing and High availability options are as mentioned above for a VPN Site to Site.

While we cannot directly call this Load Balancing, you can see how it helps to have traffic in 2 Connections and there by, 4 tunnels (2 Tunnel in each connection) helps to improve throughput.

P.S:

I would say the best scenario for your requirement is to go with Azure vWAN with Branch to Branch enabled

Refer : https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-global-transit-network-architecture#hubtohub

Here, everything is connected via vWAN even across regions.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.
Khushboo Kumari 97 Reputation points

2023-08-07T11:03:37.12+00:00

Hi @KapilAnanth-MSFT , Thanks for the information. I want a load balancer here to avoid any VPN connection-down scenarios. My expectation here is that if one S2S is down, there should not be any interruption in services. That's why here I want to do VNET peering and load balancer so that it distributes the load in such scenarios. As our on-prem is only one and there are different regions in Azure to connect .

Thanks!

Khushboo Kumari

KapilAnanth-MSFT 36,861 Reputation points Microsoft Employee

2023-08-07T11:14:31.7033333+00:00

@Khushboo Kumari

Azure S2S and Load Balancer cannot be integrated.

As stated, the options available are to use Active-Active Gateways and Zone-redundant virtual network gateway

"is that if one S2S is down, there should not be any interruption in services."

If a region is down

It affects both VPN Gateway as well as the VMs in that region

So, even if you try to access the VMs in this region by the VNET Peering from a different region - this won't work because the VMs are also down

There is no point of providing connectivity to a region that is down (As VMs are not going to be accessible)

Instead, you should consider Azure Site Recovery to move the VMs to a working region.

And deploy a new VPN Gateway in that region to provide connectivity.

Also, as stated, you cannot use Peering as per your architecture.

I would like to reiterate my answer,

A VNET can use only one VPN Gateway - either it's own or the one to which it's peered.

It cannot use both at any instant

So, having a Peering will not help.

Cheers,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Khushboo Kumari 97 Reputation points

2023-08-07T11:44:17.13+00:00

@KapilAnanth-MSFT , thanks for the information! Can you please provide the article if you have where its mentioned that Azure S2S and Load Balancer cannot be integrated. As per my knowledge we can apply Load Balancer on particular Vnet as in single VNet there might be more than 200 VM so in our scenarios why can't use it.

Thanks!

KapilAnanth-MSFT 36,861 Reputation points Microsoft Employee

2023-08-07T12:00:33.6333333+00:00

@khushboo kumari

Load Balancer backend can only be a VM or VMSS.

And also, a Load Balancer cannot span across Virtual Networks. This means, a load balancer cannot be used to load balance traffic coming in via multiple S2S Connections.

Refer : https://learn.microsoft.com/en-us/azure/load-balancer/skus

Hope this helps.

Cheers,

Kapil

Khushboo Kumari 97 Reputation points

2023-08-07T12:01:00.03+00:00

Hi ,as you mentioned "is that if one S2S is down, there should not be any interruption in services.". In our case S2S is in different region. so in that case how it will work?

Khushboo Kumari 97 Reputation points

2023-08-07T12:27:26.26+00:00

Hi, @KapilAnanth-MSFT

I am still in a doubt related to this statement

If a region is down

It affects both VPN Gateway as well as the VMs in that region
- So, even if you try to access the VMs in this region by the VNET Peering from a different region - this won't work because the VMs are also down

There is no point of providing connectivity to a region that is down (As VMs are not going to be accessible)

My concern is, if there is a VNet, peering established then why, the traffic not go to another region whose s2s is in healthy condition?

KapilAnanth-MSFT 36,861 Reputation points Microsoft Employee

2023-08-07T13:37:52.13+00:00

@Khushboo Kumari,

1.

"is that if one S2S is down, there should not be any interruption in services."

With Active-Active + Zonal Gateways, you get 4 Tunnels

If any one of them fails, you still have 3 left

So, there will not be any interruption in services.

"My concern is, if there is a VNet, peering established then why, the traffic not go to another region whose s2s is in healthy condition?"

This is by design.

As I stated earlier,

A VNET can use only one VPN Gateway
(a)either it's own
(b)or the one to which it's peered.

It cannot use both at any instant.

Explanation as to why this cannot be done:

For a VNet to use another VNet's VPN Gateway, you should enable "Use the remote virtual network's gateway" in the Peering

However, if the VNet itself contains a VPN Gateway, you cannot enable this feature

It will be grayed out - Again, this is by design.

I hope this helps.

Cheers,

Kapil

Khushboo Kumari 97 Reputation points

2023-08-08T05:47:36.9666667+00:00

Hi @KapilAnanth-MSFT ,

if we chose this scenarios then Vm on Vnet 1 is not ping with Vnet 2 and vice-versa. So what is the reason and what changes need to be made to ping with each other?

KapilAnanth-MSFT 36,861 Reputation points Microsoft Employee

2023-08-08T06:08:45.62+00:00

@Khushboo Kumari,

If you go ahead with the above configuration, you should establish a VPN Connection between the VNET1 and VNET2

This will provide connectivity to every site in the diagram.

Refer : Transit routing between your on-premises networks and multiple Azure VNets

The requirement is that BGP should enabled in all the three connections

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Khushboo Kumari 97 Reputation points

2023-08-08T06:31:23.9333333+00:00

Hi @KapilAnanth-MSFT ,

Thanks for the quick response! If we want a VNet-to-VNet connection instead of S2S, will it work or not?

KapilAnanth-MSFT 36,861 Reputation points Microsoft Employee

2023-08-08T06:36:49.24+00:00

@Khushboo Kumari,

You are welcome.

As long as BGP is enabled, it should work.

Cheers,

Kapil.

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

Khushboo Kumari 97 Reputation points

2023-08-08T06:59:53.6433333+00:00

@KapilAnanth-MSFT ,

thanks for the information!

KapilAnanth-MSFT 36,861 Reputation points Microsoft Employee

2023-08-16T11:03:21.2733333+00:00

@Khushboo Kumari,

Kindly Accept the answer, as this can be beneficial to other community members and close this thread.

Cheers,

Kapil

Khushboo Kumari 97 Reputation points

2023-08-18T12:08:48.2733333+00:00

@KapilAnanth-MSFT ,

I have some doubts: should BGP be enabled? Without BGP, is it not working? and what is the role and importance of BGP?

Khushboo Kumari 97 Reputation points

2023-08-18T12:11:57.9066667+00:00

@KapilAnanth-MSFT ,

Is BGP supposed to be enabled? Is it necessary? Without this, is it not working?

KapilAnanth-MSFT 36,861 Reputation points Microsoft Employee

2023-08-25T06:56:02.27+00:00

@Khushboo Kumari,

Yes.

Without BGP, Transit connectivity is not possible - BGP is a must.

Cheers,

Kapil

Kindly Accept the answer, as this can be beneficial to other community members and close this thread.

Benjamin Nguyen 0 Reputation points

2024-01-19T15:29:59.07+00:00

Kapil,

I found your response while doing some research. Does the following statement reign true if the destinations are diverse?

so if vNet1 has a VPN gateway to on-prem1 and vNet2 has a VPN gateway to on-prem2, they still could not use a vNet peering because only one VPN gateway can be elected at a time? One or the other and can never be both even if on-prem1 is 10.1.1.0/24 and on-prem2 is 10.2.2.0/24 (non-overlapping)?

The reason is because

A VNET can use only one VPN Gateway - either it's own or the one to which it's peered.

It cannot use both at any instant

KapilAnanth-MSFT 36,861 Reputation points Microsoft Employee

2024-01-22T07:21:12.8933333+00:00

Benjamin Nguyen

Yes. Your observation is correct.

Azure does not recommend multi Hub models such as above.

If you still want connectivity, you must create a S2S between VPN gateway of vNet1 and VPN gateway of vNet2 instead of peering with BGP enabled.

Cheers,

Kapil
Sign in to comment

Share via

How to do VNet peering's among the multiple S2S VPN connection?

1 answer