Dear Team, We have requirement to connect to an Vendor cloud from the On-prem through Azure using the ExpressRoute, Azure Firewall &VPN Gateway. Below is the flow we planned, We have 2 different Data centers in On-prem to connect to Vendor Cloud using Azure ExpressRoute. Our Plan is to Setup 2 different ExpressRoute Circuit (Same Virtual Network, but different Peering Locations) in Azure, one circuit for 1 on-prem data center. But we would like to know below possibilities, If we can attach the Single ExpressRoute Gateway to both these ExpressRoute Circuit to Forward Traffic into Azure Firewall? Or Can we create One ExpressRoute Circuit and connect from 2 Different Data Centers to receive traffic and then forward to Azure Firewall? Or Any other possible options available to achieve this? Basically, I need connection to be established from 2 On-prem Data Centers (Active-Active) either using 2 ExpressRoute Circuit (1 for each Data Center) & 1 ExpressRoute Gateway (Common for both ExpressRoute Circuit) OR 1 ExpressRoute Circuit (Common for both On-prem Data Center) & 1 ExpressRoute Gateway. Please advise the best & supported possibilities to implement this.

@Karthik Rajendiran , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. May I ask if DC1 and DC2 are in the same region or in same geopolitical area? I believe it should be in region(s) in the same geopolitical area, but please confirm As long as they are in the same geopolitical area, and you are planning to use the same Service Provider (assuming they support in case of different regions in the same geopolitical area) , you can use a single ExpressRoute Circuit. Make sure the SKU of the circuit is Standard If your requirement is only one region , you can also consider ExpressRoute Local Make sure to review it's limitations as well You can find a detailed comparison of SKUs here : Even if you were to use 2 different Circuits (for redundancy across Service Providers) This set up would work Note that The maximum number of ExpressRoute circuits from the same peering location that can connect to the same virtual network is 4 for all gateways SKU Refer : Gateway SKU Comparison If you are connecting 2 Circuits to this gateway (From same peering location), you can connect 2 more Circuits to this gateway from the same peering location. The only advantage I can think of having two circuits over one is redundancy (across Service Providers). Please let us know if we can be of any further assistance here. Thanks, Kapil Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

Connecting Multiple ExpressRoute Circuit into Single ExpressRoute Gateway or Using Single ExpressRoute Circuit & gateway for 2 On-prem Data Centers

Karthik Rajendiran 0

Dear Team,

We have requirement to connect to an Vendor cloud from the On-prem through Azure using the ExpressRoute, Azure Firewall &VPN Gateway. Below is the flow we planned,

User's image

We have 2 different Data centers in On-prem to connect to Vendor Cloud using Azure ExpressRoute. Our Plan is to Setup 2 different ExpressRoute Circuit (Same Virtual Network, but different Peering Locations) in Azure, one circuit for 1 on-prem data center. But we would like to know below possibilities,

If we can attach the Single ExpressRoute Gateway to both these ExpressRoute Circuit to Forward Traffic into Azure Firewall?
Or Can we create One ExpressRoute Circuit and connect from 2 Different Data Centers to receive traffic and then forward to Azure Firewall?
Or Any other possible options available to achieve this?

Basically, I need connection to be established from 2 On-prem Data Centers (Active-Active) either using 2 ExpressRoute Circuit (1 for each Data Center) & 1 ExpressRoute Gateway (Common for both ExpressRoute Circuit) OR 1 ExpressRoute Circuit (Common for both On-prem Data Center) & 1 ExpressRoute Gateway.

Please advise the best & supported possibilities to implement this.

Karthik Rajendiran 0 Reputation points

2024-10-01T06:37:23.3366667+00:00

Dear Microsoft Team,

Did you got chance to check this request and help to understand more details.
Karthik Rajendiran 0 Reputation points

2024-10-01T08:34:27.0266667+00:00
@KapilAnanth-MSFT

Our Plan is to Use the 2 ExpressRoute circuit for 2 Data Center is because of redundancy. Even if one goes down, we can still connect from another data center.

I believe it should be in region(s) in the same geopolitical area, but please confirm -> Yes, they are placed in Same Geopolitical region, but not on Same region.

Both the ExpressRoute Circuit will be deployed in Same Azure region & Same VNet. But the Peering Location & provider will be Different for each ExpressRoute Circuit. The ExpressRoute Gateway will also be deployed in same Azure region & Same VNet as Circuit.

We were planning to attach a Single ExpressRoute Gateway to both this ExpressRoute Circuit to forward the Traffic to Azure Firewall which also deployed in same Azure Region & VNet as circuit & gateway.

We would like know if we could configure 2 ExpressRoute circuit in Same Azure region & VNet, but different Peering locations & Providers to a Single ExpressRoute Gateway which is also in Same Azure Region & VNet. Can we route Traffic like this?

1 answer

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-10-01T05:27:58.83+00:00
@Karthik Rajendiran ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

May I ask if DC1 and DC2 are in the same region or in same geopolitical area?

I believe it should be in region(s) in the same geopolitical area, but please confirm

As long as they are in the same geopolitical area, and you are planning to use the same Service Provider (assuming they support in case of different regions in the same geopolitical area) , you can use a single ExpressRoute Circuit.

Make sure the SKU of the circuit is Standard

If your requirement is only one region , you can also consider ExpressRoute Local

Make sure to review it's limitations as well

You can find a detailed comparison of SKUs here :

Even if you were to use 2 different Circuits (for redundancy across Service Providers)

This set up would work

Note that The maximum number of ExpressRoute circuits from the same peering location that can connect to the same virtual network is 4 for all gateways SKU

Refer : Gateway SKU Comparison

If you are connecting 2 Circuits to this gateway (From same peering location), you can connect 2 more Circuits to this gateway from the same peering location.

The only advantage I can think of having two circuits over one is redundancy (across Service Providers).

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
Please sign in to rate this answer.
Karthik Rajendiran 0 Reputation points

2024-10-01T08:34:57.5866667+00:00

@KapilAnanth-MSFT

Our Plan is to Use the 2 ExpressRoute circuit for 2 Data Center is because of redundancy. Even if one goes down, we can still connect from another data center.

I believe it should be in region(s) in the same geopolitical area, but please confirm -> Yes, they are placed in Same Geopolitical region, but not on Same region.

Both the ExpressRoute Circuit will be deployed in Same Azure region & Same VNet. But the Peering Location & provider will be Different for each ExpressRoute Circuit. The ExpressRoute Gateway will also be deployed in same Azure region & Same VNet as Circuit.

We were planning to attach a Single ExpressRoute Gateway to both this ExpressRoute Circuit to forward the Traffic to Azure Firewall which also deployed in same Azure Region & VNet as circuit & gateway.

We would like know if we could configure 2 ExpressRoute circuit in Same Azure region & VNet, but different Peering locations & Providers to a Single ExpressRoute Gateway which is also in Same Azure Region & VNet. Can we route Traffic like this?

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-10-01T10:47:32.2766667+00:00

@Karthik Rajendiran ,

For redundancy, yes, you can consider using two circuits in the two regions.

Wrt, "We would like know if we could configure 2 ExpressRoute circuit in Same Azure region & VNet, but different Peering locations & Providers to a Single ExpressRoute Gateway which is also in Same Azure Region & VNet"

Yes.

This can be done.

The maximum number of ExpressRoute circuits from the same peering location that can connect to the same virtual network is 4.

A single virtual network can be linked to up to 16 ExpressRoute circuits in total.

NOTE :

I see you mentioned "Both the ExpressRoute Circuit will be deployed in Same Azure region & Same VNet."

Please note that ExpressRoute Circuit has no dependency over VNET, only the ExpressRoute Gateway

I would suggest you deploy one ExpressRoute Circuit on the DC1's region and other ExpressRoute Circuit on the DC2's region instead of VNET/ExpressRoute gateway's region

One more thing I noticed in your design and requirement is (wrt Vendor Cloud via S2S),

If you want to use transit routing between ExpressRoute and VPN, the ASN of Azure VPN Gateway must be set to 65515, and Azure Route Server should be used.

See : Limits and limitations of ExpressRoute and site-to-site coexisting

You will not be able to pass the traffic via Azure Firewall and then to the VPN S2S.

The traffic will go directly.

So consider filtering traffic in the OnPrem (DC1 and DC2) itself.

Hope this adds more clarity.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Karthik Rajendiran 0 Reputation points

2024-10-02T09:05:06.1+00:00

@KapilAnanth-MSFT ,

I Plan to configure both the ExpressRoute Circuits on Same Azure Region (West Europe) & Single Virtual Network (ex. 10.1.0.0/16), but the Peering locations of both Circuits are different (Circuit 1 -> Amsterdam & Circuit 2 -> London).

ExpressRoute Gateway will also be deployed in same VNet (10.1.0.0/16) & VPN Gateway to create S2S connection to Vendor Cloud will also be deployed in same VNet (10.1.0.0/16). For this, you said that we should configure the ASN of VPN Gateway set as 65515 which is default & Azure Route Server should be used.

Regarding to your below comment, we were planning to route the Traffic from ExpressRoute Gateway to the Azure Firewall which is also deployed in same VNet (10.1.0.0/16) & then to the VPN Gateway deployed on same VNet again (10.1.0.0/16). But you said we cannot Pass the Traffic to Azure firewall & then to VPN S2S from the ExpressRoute Gateway?

You will not be able to pass the traffic via Azure Firewall and then to the VPN S2S.

The traffic will go directly.

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-10-03T06:29:02.3+00:00

@Karthik Rajendiran ,

Yes, that is correct.

If you want to route the traffic via Azure Firewall, you should consider using a vWAN with secured virtual hub with Private Traffic Routing Intent enabled.

See : Virtual WAN Hub routing intent and routing policies

Standard Hub and Spoke Virtual Network Gateway coexistence does not support Branch to Branch routing via Azure Firewall or any other NVA

Branch to Branch is supported provided that Azure Route Server is configured in the Hub VNET.

This is by design.

See : ExpressRoute and site-to-site coexisting

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

Karthik Rajendiran 0 Reputation points

2024-10-03T13:49:27.4666667+00:00

@KapilAnanth-MSFT

Our Requirement is to forward the Incoming Traffic from ExpressRoute through the Azure Firewall & then to VPN S2S.

We are thinking of below topology to route this traffic via Azure Firewall,

Incoming Traffic from ExpressRoute Gateway will be Routed to Azure Firewall, since this Traffic cannot directly pointed to VPN S2S, we are thinks of deploying one Spoke VNet between Azure Firewall & VPN S2S, establish VNet-to-VNet connection between Spoke VNet & VPN S2S?

ExpressRoute Gateway -> Azure Firewall -> Spoke VNet - VPN Gateway (VNet-to-VNet connection) -> VPN Gateway S2S -> Vendor Cloud?

Could you please confirm if this Flow can be Feasible here?

Or Is there any other way to Route our Traffic through Azure Firewall? We definitely need to Route this On-prem to Vendor Cloud Traffic through Azure Firewall.

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-10-04T05:44:10.6866667+00:00

@Karthik Rajendiran ,

Greetings.

I doubt the configuration you mentioned would work,

ExpressRoute Gateway (Hub) -> Azure Firewall -> VPN Gateway (Hub) -> Spoke VNet's VPN Gateway (VNet-to-VNet connection) -> Vendor Cloud?

Even in this configuration, the same problem exists.

Now from ExpressRoute Gateway (Hub) to VPN Gateway (Hub), traffic would never leave the GatewaySubnet.

Meaning, it would not pass to the Azure Firewall at all.

The recommended and best approach to achieve this would be to use vWAN with secured virtual hub with Private Traffic Routing Intent enabled as mentioned.

While the below is complex and is not recommended because of the overhead, you can try to achieve something similar to Azure Firewall to route a multi hub topology.

This involves a lot of manual routing to route traffic between OnPREM and Vendor

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Connecting Multiple ExpressRoute Circuit into Single ExpressRoute Gateway or Using Single ExpressRoute Circuit & gateway for 2 On-prem Data Centers

1 answer

Your answer