Vnet peering with 2 vnets that have gateways with S2S connections.

Moses Morales 20 Reputation points
2024-07-17T14:01:41.2633333+00:00

[Diagram attached by the poster: Data Center 1 and Data Center 2, each with an S2S connection to its own hub VNet (Hub 1, Hub 2), both hubs peered to Spoke 1]

So I have a scenario where we have 2 data centers that don't have interconnectivity. Clients in both data centers need to access resources in Azure. If you look at the image, Data Center 1 needs to allow communication to Spoke 1 and Spoke 1 needs to reach resources in Data Center 1. This works great. Recently clients in Data Center 2 have also needed access to Spoke 1 in Azure. We set up another "Hub" vnet with a gateway and S2S connection back to Data Center 2. Clients in Data Center 2 need access to Spoke 1 but Spoke 1 doesn't need to access anything in Data Center 2. With the current setup clients in Data Center 2 can speak to the Hub 2 vnet but can't go across the peer to Spoke 1. I'm not sure if this setup should work, and if it can't work, I am looking for another solution to address our needs. Any help would be appreciated.


Accepted answer
  1. KapilAnanth-MSFT 40,996 Reputation points Microsoft Employee
    2024-07-18T04:42:14.11+00:00

    @Moses Morales ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to know if you could enable Gateway Transit for 2 VNET Peerings.

    Unfortunately, this is not possible.

    See : FAQ | Can I peer a virtual network to two virtual networks with the Use Remote Gateway option enabled on both peerings?

    • i.e., if you have already enabled "Use Remote Gateway" in the peering between Spoke1 and Hub1, you cannot do the same between Spoke1 and Hub2.
    • So, OnPrem connected to Hub2 will not be able to communicate with Spoke1 and vice versa.

    If you are interested in the above,

    • You can do this using Static Routing; however, please note that this kind of setup is not recommended.
    • We recommend single Hub and multi spoke configurations, and yours is something similar to a multi Hub setup.

    How to:

    • You will require an Azure Firewall or similar NVA deployed in the Hub2.
    • On the GatewaySubnet of the Hub2,
      • Attach a UDR with Spoke1's address range and point the nextHop to the Azure Firewall's Private IP.
      • This way, traffic destined to Spoke1 from Datacenter2 will go to the Firewall.
    • On all the subnets of the Spoke1,
      • Attach a UDR with Datacenter2's address range and point the nextHop to the Azure Firewall's Private IP.
      • This way, traffic destined to Datacenter2 from Spoke1 will go to the Firewall.
    • So, the Azure Firewall here acts as an intermediary and facilitates the communication between Spoke1 and Datacenter2.

    These documents may come in handy,

    Please let us know if we can be of any further assistance here.

    Thanks,

    Kapil


    Please Accept an answer if correct.

    Original posters help the community find answers faster by identifying the correct answer.

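The two route tables described in the accepted answer, written out as a Bicep example. This is added here for illustration and is not part of the answer; the address ranges, the firewall private IP and the resource names are placeholders, and the route tables still have to be associated with Hub2's GatewaySubnet and with each Spoke1 workload subnet.

```bicep
// Added example, not from the answer: the two route tables the accepted answer describes.
// Address ranges and the firewall IP are placeholders (assumptions), replace with real values.
param location string = resourceGroup().location
param spoke1Prefix string = '10.1.0.0/16'   // placeholder: Spoke1 address space
param dc2Prefix string = '192.168.2.0/24'   // placeholder: Data Center 2 on-prem range
param hub2FirewallIp string = '10.2.1.4'    // placeholder: Azure Firewall private IP in Hub2

// 1) Associate with Hub2's GatewaySubnet: traffic arriving from Data Center 2 for Spoke1
//    is handed to the firewall instead of being dropped for lack of a transit route.
resource hub2GatewaySubnetRt 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-hub2-gatewaysubnet'
  location: location
  properties: {
    // Gateway route propagation cannot be disabled on a GatewaySubnet route table,
    // and such a table must not carry a 0.0.0.0/0 route.
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'spoke1-via-hub2-firewall'
        properties: {
          addressPrefix: spoke1Prefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: hub2FirewallIp
        }
      }
    ]
  }
}

// 2) Associate with every workload subnet in Spoke1: replies to Data Center 2 go back through
//    the same firewall, which reaches Data Center 2 via the Hub2 gateway in its own VNet.
resource spoke1Rt 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-spoke1-to-dc2'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'dc2-via-hub2-firewall'
        properties: {
          addressPrefix: dc2Prefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: hub2FirewallIp
        }
      }
    ]
  }
}
```

The firewall only forwards what its network rules permit, so add a rule allowing Data Center 2 to reach Spoke1 (and, given that Spoke1 should not initiate traffic to Data Center 2, no rule for the reverse direction). Also check that the Data Center 2 side routes Spoke1's prefix into the Hub2 tunnel, since that prefix is not advertised through a peering that has no gateway transit.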
