Share via

Expressroute gateway and S2S gateway coexist under different subscriptions

Adi Wibowo (AP) 0 Reputation points
2024-01-24T07:43:48.4933333+00:00

We have using S2S VPN for connecting our on-prem office with Azure instances..recently we are planning to establish ER as main connectivity from partner provider in which they offered ER gateway will be using their subscription instead of our own subscription.

the concerning point is, we would like to utilize current S2S VPN as backup/coexist with future ER, in which both have different subscriptions and most likely will be using different gateway subnet, can it be done ? thanks Adi

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,401 questions
Azure ExpressRoute
Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.
326 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. GitaraniSharma-MSFT 48,006 Reputation points Microsoft Employee
    2024-01-25T10:37:31.98+00:00

    Hello @Adi Wibowo (AP) ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have an existing S2S VPN connection and are planning to deploy an ExpressRoute circuit as the main connection and use S2S VPN as the back-up, but the S2S VPN and ExpressRoute gateways will be in different subscriptions. So, you would like to know if it is possible to configure ExpressRoute and Site-to-Site coexisting connections using different gateway subnets and subscriptions.

    No, this is not possible.

    As the name suggests, coexisting connections means both the connections co-exists together in the same Vnet but could connect to the same site or different sites depending upon your requirement.

    This connection applies only to virtual networks linked to the Azure private peering path. There's no VPN-based failover solution for services accessible through Azure Microsoft peering. The ExpressRoute circuit is always the primary link. Data flows through the Site-to-Site VPN path only if the ExpressRoute circuit fails.

    So, to configure ExpressRoute and Site-to-Site coexisting connections, you would need to deploy the ExpressRoute gateway in the same subscription and GatewaySubnet as the S2S VPN gateway.

    Points to remember are as below:

    • The gateway subnet must be /27 or a shorter prefix such as /26, /25.
    • Only route-based VPN gateway is supported.
    • ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU.

    Refer: https://learn.microsoft.com/en-us/azure/expressroute/how-to-configure-coexisting-gateway-portal#limits-and-limitations

    https://learn.microsoft.com/en-us/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering

    https://www.microsoft.com/en-gb/industry/blog/technetuk/2022/12/16/azure-expressroute-explained/

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

    0 comments