is it possible Multiple s2s with s2s connections with each vnet?

Question

is it possible Multiple s2s with s2s connections with each vnet?

Khushboo Kumari 107

Hi,

I want to know, if we have one on-prem connected to two azure vnet through the s2s. Is it possible to make the s2s connection in between two azure vnet ? and if one s2s down or disconnected , lets suppose on-prem to NE cloud is down on that case, is the resources of NE Cloud reach to the on-prem through the sa-cloud?

User's image

Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-08-25T10:49:04.0266667+00:00

Hi

Yes, what you're describing is essentially creating a hub-and-spoke topology using Azure Virtual Networks (VNets) and on-premises connectivity.

You can connect your onpremise environment to two vpns gateways, and in that case you have three scenarios

1 - On-premises to Azure VNet Connections: You can establish Site-to-Site (S2S) VPN connections from your on-premises network to each of the two Azure VNets. This makes the on-premises network act as a hub with the two Azure VNets being the spokes.

2 - Peering: Within Azure, another option to connect VNets is VNet peering. This allows VNets to communicate directly without the need for a VPN gateway

3 - VNet-to-VNet Connection: You can also establish a connection between the two Azure VNets directly. This allows resources in one VNet to communicate with resources in the other VNet.

reference: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli

Get in touch if you need more help with this issue.

--please don't forget to "[Accept the answer]" if the reply is helpful--
Khushboo Kumari 107 Reputation points

2023-08-25T11:53:38.03+00:00

Hi,

thanks for the response ! Here I want all the connection should be s2s. and if one s2s down or disconnected , lets suppose on-prem to NE cloud is down on that case, is the resources of NE Cloud reach to the on-prem through the sa-cloud?
Khushboo Kumari 107 Reputation points

2023-08-25T11:55:26.5166667+00:00

and the on-prem resources should also be reachable to NE-cloud .
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-08-25T13:22:27.14+00:00

Hi @Khushboo Kumari
if I understood, you need a highly available VPN, in this case, you will need to use a BGP routing and configure it with you on-premise gateway

See the information on the link bellow?

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell#about-highly-available-cross-premises-connections

1 answer

Your answer

Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-08-25T10:49:04.0266667+00:00

Hi

Yes, what you're describing is essentially creating a hub-and-spoke topology using Azure Virtual Networks (VNets) and on-premises connectivity.

You can connect your onpremise environment to two vpns gateways, and in that case you have three scenarios

1 - On-premises to Azure VNet Connections: You can establish Site-to-Site (S2S) VPN connections from your on-premises network to each of the two Azure VNets. This makes the on-premises network act as a hub with the two Azure VNets being the spokes.

2 - Peering: Within Azure, another option to connect VNets is VNet peering. This allows VNets to communicate directly without the need for a VPN gateway

3 - VNet-to-VNet Connection: You can also establish a connection between the two Azure VNets directly. This allows resources in one VNet to communicate with resources in the other VNet.

reference: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli

Get in touch if you need more help with this issue.

--please don't forget to "[Accept the answer]" if the reply is helpful--
Khushboo Kumari 107 Reputation points

2023-08-25T11:53:38.03+00:00

Hi,

thanks for the response ! Here I want all the connection should be s2s. and if one s2s down or disconnected , lets suppose on-prem to NE cloud is down on that case, is the resources of NE Cloud reach to the on-prem through the sa-cloud?
Khushboo Kumari 107 Reputation points

2023-08-25T11:55:26.5166667+00:00

and the on-prem resources should also be reachable to NE-cloud .
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-08-25T13:22:27.14+00:00

Hi @Khushboo Kumari
if I understood, you need a highly available VPN, in this case, you will need to use a BGP routing and configure it with you on-premise gateway

See the information on the link bellow?

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell#about-highly-available-cross-premises-connections

Answer 1

GitaraniSharma-MSFT 50,096 Microsoft Employee Moderator

Hello @Khushboo Kumari ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know if it is possible to make a site-to-site VPN connection between two Azure Vnets which are already connected to on-premises via S2S VPN.

Yes, it is possible to make a site-to-site VPN connection between two Azure Vnets which are already connected to on-premises via S2S VPN.

If you're working with a complicated network configuration, you may prefer to connect your VNets by using a Site-to-Site connection instead. When you follow the Site-to-Site IPsec steps, you create and configure the local network gateways manually. The local network gateway for each VNet treats the other VNet as a local site. These steps allow you to specify additional address spaces for the local network gateway to route traffic. If the address space for a VNet changes, you must manually update the corresponding local network gateway.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#site-to-site-ipsec

Now, coming to your second question of VPN failover:

If one s2s is down or disconnected, let's suppose on-prem to NE cloud is down, in that case, will the resources of NE Cloud reach to the on-prem through the SA cloud?

Yes, it is possible in the below 2 cases:

If the local network gateway on NE cloud Vnet connecting to SA cloud have the on-premises network address range as well, then resources of NE Cloud can reach to the on-premises through the SA cloud.
Enable BGP on all connections, which can help in automatic route propagation. Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Khushboo Kumari 107 Reputation points

2023-08-28T04:21:11.43+00:00
@GitaraniSharma-MSFT , Thanks for the information. As you mentioned in your first solution, did you mean that we have to add the address space of the NE cloud Vnet address space to the SA cloud local network gateway or connection on the on-premises side as well?

If the local network gateway on NE cloud Vnet connecting to SA cloud have the on-premises network address range as well, then resources of NE Cloud can reach to the on-premises through the SA cloud.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-08-28T11:46:01.4166667+00:00
Hello @Khushboo Kumari ,

When you create a S2S connection between 2 Vnets, you configure the local network gateways manually. The local network gateway for each VNet treats the other VNet as a local site.

So, the local network gateway on NE cloud Vnet will treat SA cloud as a local site and the local network gateway on SA cloud will treat NE cloud as a local site.

Hence, you need the below:

Local network gateway on NE cloud Vnet (LNG1, which is connecting to SA cloud) should have the address ranges for SA cloud and the on-premises network.

Local network gateway on SA cloud Vnet (LNG2, which is connecting to NE cloud) should have the address ranges for NE cloud and on-premises network.

And the on-premises VPN device should have routes for both SA cloud and NE cloud.

When you have the above, the resources of NE Cloud can reach to the on-premises through the SA cloud.

Regards,

Gita
Khushboo Kumari 107 Reputation points

2023-08-28T13:56:14.55+00:00

@GitaraniSharma-MSFT ,

thanks for the information. I just want to confirm, like as you mentioned I had done the same thing but my concern here is that should I need to add the address space of NE vnet in the configuration of on-prem SA cloud as well?
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-08-29T09:32:37.2233333+00:00
Hello @Khushboo Kumari , I'm not sure I understand your question. What are you referring to as on-prem SA cloud?

From your initial screenshot, there are 3 parties involved:

Your on-premises network

Azure Vnet named NE Cloud

Azure Vnet named SA Cloud.

And all 3 are connected to each other using S2S VPN connection.

So, my suggestion was to make sure to add all the address ranges to all the 3 parties.

Local network gateway on NE cloud Vnet (LNG1, which is connecting to SA cloud) should have the address ranges for SA cloud and the on-premises network.

Local network gateway on SA cloud Vnet (LNG2, which is connecting to NE cloud) should have the address ranges for NE cloud and on-premises network.

And the on-premises VPN device should have routes for both SA cloud and NE cloud.

What is the VPN device configured in your on-premises? Could you share the device model and OS version?

Regards,

Gita

Share via

is it possible Multiple s2s with s2s connections with each vnet?

1 answer

Your answer