Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
From your description,
- You have 2 OnPrem sites connected to a VPN Gateway, S1 and S2
- You would like to forward 0.0.0.0/0 traffic to Azure via VPN Gateway for both the sites S1 and S2
- For S1, you would like to forward the traffic to an NVA (10.0.0.6) in the Azure VNET
- For S2, you would like to forward the traffic to a different site, say S3
Observation,
- I am afraid neither of the above is possible with traditional VPN Gateway
- You have to use Virtual WAN with a combination of Forced tunneling and custom routing via NVA to match your requirement
- Even with this, I doubt you will be able to achieve the requirement
- With a traditional S2S, you cannot advertise 0.0.0.0/0 to the Sites S1 and S2, and hence, internet traffic will not reach the VPN Gateway from S1 or S2.
With vWAN,
- Only the destination IP is used to configure the nextHop
- i.e., when 0.0.0.0/0 is destination, we can define the nextHop
- But with S1 or S2's address space as source, we cannot define anything for the traffic.
With that said,
- Assume all the 3 sites, S1, S2 and S3 are connected to the vWAN VPN Gateway
- First, advertise the 0.0.0.0/0 route from S3 - this is called Forced Tunneling
- Now, only for the site S2, enable the flag as mentioned above.
- This will make sure S2 learns 0.0.0.0/0 and nextHop is S3
- Your requirement 2 is met here.
- Since you don't want Azure and S1's traffic to be going to S3,
- Simply, do not enable the flag
- Use Custom Routing to route 0.0.0.0/0 to the NVA by attaching a Route Table to the Branch Connection
- Follow the configuration steps in Alternate workflow
I understand this is complex, but so is the requirement.
You have to use Azure VWAN, if you want to meet both the requirements.
Cheers,
Kapil
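Added example (not part of the original answer, and not Microsoft's own sample): the Azure PowerShell (Az.Network) steps for the vWAN workflow the answer outlines, so both requirements can be checked end to end. The resource group, hub, gateway and connection names, and the placement of the NVA at 10.0.0.6 in a VNet attached to the hub as "conn-nva-vnet", are all assumed placeholders. "The flag" referred to in the answer is taken here to be the Internet Security (propagate default route) flag on a vWAN VPN connection, which controls whether a 0.0.0.0/0 present in the hub's Default route table is advertised to that branch. Cmdlet parameter names are used as documented for Az.Network; check them against the module version you run.

```powershell
# Added example - assumed names, not from the original Q&A answer.
$rg  = "rg-vwan"    # resource group holding the Virtual WAN hub
$hub = "hub1"       # virtual hub name
$gw  = "vpngw1"     # S2S VPN gateway in the hub; S1, S2, S3 connect here

# --- Requirement 2: S2 -> 0.0.0.0/0 -> S3 (forced tunneling) ---
# S3's on-prem router advertises 0.0.0.0/0 over BGP on its connection, so the hub
# learns the default route into its Default route table. Only connections with the
# Internet Security flag enabled receive that 0.0.0.0/0, so enable it for S2 only.
Update-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $gw -Name "conn-S2" `
    -EnableInternetSecurityFlag

# S1 must NOT learn the S3 default route, so leave the flag off on its connection.
# (The -RoutingConfiguration for S1 is set further below in the same call.)

# --- Requirement 1: S1 -> 0.0.0.0/0 -> NVA 10.0.0.6 (custom routing) ---
# Step 1: on the NVA's VNet connection, add a static route so that anything the hub
# hands to that connection for 0.0.0.0/0 is delivered to the NVA's private IP.
$nvaConn   = Get-AzVirtualHubVnetConnection -ResourceGroupName $rg -ParentResourceName $hub -Name "conn-nva-vnet"
$defaultRt = Get-AzVHubRouteTable -ResourceGroupName $rg -HubName $hub -Name "defaultRouteTable"
$toNva     = New-AzStaticRoute -Name "default-to-nva" -AddressPrefix @("0.0.0.0/0") -NextHopIpAddress "10.0.0.6"
$nvaRouting = New-AzRoutingConfiguration -AssociatedRouteTable $defaultRt.Id `
    -Label @("default") -Id @($defaultRt.Id) -StaticRoute @($toNva)
Update-AzVirtualHubVnetConnection -ResourceGroupName $rg -ParentResourceName $hub -Name "conn-nva-vnet" `
    -RoutingConfiguration $nvaRouting

# Step 2: a custom hub route table for S1 whose only entry sends 0.0.0.0/0 to the
# NVA VNet connection (next hop type ResourceId = the hubVirtualNetworkConnection).
$defaultViaNva = New-AzVHubRoute -Name "default-via-nva" -Destination @("0.0.0.0/0") `
    -DestinationType "CIDR" -NextHop $nvaConn.Id -NextHopType "ResourceId"
$rtS1 = New-AzVHubRouteTable -ResourceGroupName $rg -HubName $hub -Name "rt-S1-internet" `
    -Route @($defaultViaNva) -Label @("s1")

# Step 3: associate S1's branch connection with that table. Keep propagating S1's
# prefixes to the Default table so Azure VNets and S2/S3 can still reach S1, and
# keep the Internet Security flag off so S1 never receives S3's 0.0.0.0/0.
$s1Routing = New-AzRoutingConfiguration -AssociatedRouteTable $rtS1.Id `
    -Label @("default") -Id @($defaultRt.Id)
Update-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $gw -Name "conn-S1" `
    -RoutingConfiguration $s1Routing -EnableInternetSecurityFlag:$false

# Verify: the effective routes of each connection should show 0.0.0.0/0 with the NVA
# VNet connection as next hop for conn-S1, and with conn-S3 as next hop for conn-S2.
Get-AzVHubRouteTable -ResourceGroupName $rg -HubName $hub | Select-Object Name, Id
```

Two points to keep in mind with this layout. Because rt-S1-internet contains only the 0.0.0.0/0 entry, every destination S1 sends to the hub, including other Azure spoke VNets, is handed to the NVA; if you want S1 to reach some spokes directly, propagate those VNet connections into rt-S1-internet (for example with the "s1" label) so their more specific prefixes win over the default. And the NVA VNet connection itself is left with the Internet Security flag off; otherwise it would learn S3's 0.0.0.0/0 from the Default table and could loop S1's outbound traffic back towards S3.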