Network segmentation and IPSec VPN

Artem Kulikovskyi 21 Reputation points
2020-06-19T09:39:34.617+00:00

There is an address space on the Azure site
10.20.70.0/16
I want to create subnets in it
10.20.70.0/27
10.20.70.32/27
10.20.70.64/27
10.20.70.96/27
I don't want to indicate a bunch of second phases in the IPsec tunnel, each of which will refer to its own subnet. And make only one that will refer to
10.20.70.0/24.
Will it work like that, and will it be stable?
I understand that if the connection drops from 10.20.70.0/24, all subnets will not be available and if I configure connections to the subnets separately, then if one connection fails, the others would remain to work.
I am more interested in the issue of the operation of the IPsec protocol itself. Which way is better to configure? Multiple /27 connections in the tunnel - to each subnet, or will one /24 connection work just as well?


Accepted answer
  1. msrini-MSFT 9,271 Reputation points Microsoft Employee
    2020-06-20T21:53:42.317+00:00

    Hi,

    You configure the Traffic Selector as the entire address space of your VNET. That is the recommended TS config from Microsoft end.

    When Azure negotiates, we use 0.0.0.0 as TSi and, based on what you have configured, we narrow it down. So it's best you configure the entire address space of the VNET, in this case, it's 10.20.70.0/16.

    Regards,
    Msrini

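The exchange above can be made concrete with a small model of what the answer describes: the initiator offers a wide traffic selector (0.0.0.0/0 as TSi), the responder narrows it to what is configured locally (the narrowing rule of RFC 7296 section 2.9), and the result either covers the subnets from the question or it does not. The following is an added illustration written for this page, not code from Microsoft, Azure, or the people in the thread. It uses only the Python standard library; the prefixes and subnets are the ones from the question, embedded as constructed test data. Non-aligned prefixes are parsed with `strict=False`, so the address space written as 10.20.70.0/16 is treated as the network 10.20.0.0/16. It goes slightly beyond the thread by also showing the non-overlapping case (no child SA can be built) and by aggregating the four /27 subnets into the smallest prefix that exactly covers them.

```python
"""Model of IKEv2 traffic-selector narrowing and subnet coverage.

Added example for the Q&A above; not Azure's or the answerer's code.
"""
from ipaddress import IPv4Network, collapse_addresses, ip_network
from typing import Dict, List, Optional

# Values taken from the question (constructed test data, not a live config).
VNET_ADDRESS_SPACE = "10.20.70.0/16"   # as written in the question
SINGLE_SELECTOR = "10.20.70.0/24"      # the one /24 selector the asker proposes
SUBNETS = [
    "10.20.70.0/27",
    "10.20.70.32/27",
    "10.20.70.64/27",
    "10.20.70.96/27",
]
ANY = "0.0.0.0/0"                      # what the answer says Azure proposes as TSi


def net(prefix: str) -> IPv4Network:
    """Parse a prefix, clearing host bits (10.20.70.0/16 -> 10.20.0.0/16)."""
    return ip_network(prefix, strict=False)


def narrow(proposed: str, configured: str) -> Optional[IPv4Network]:
    """Intersect the peer's proposed selector with the locally configured one.

    RFC 7296 section 2.9 lets the responder narrow the initiator's selectors
    to a subset of what was offered. For two CIDR prefixes the intersection is
    the smaller network when one contains the other, and empty otherwise.
    An empty intersection is the failure mode: the responder answers
    TS_UNACCEPTABLE and no child SA is created for that pair.
    """
    p, c = net(proposed), net(configured)
    if p.subnet_of(c):
        return p
    if c.subnet_of(p):
        return c
    return None


def coverage(selector: str, subnets: List[str]) -> Dict[str, bool]:
    """For each subnet, whether one selector would carry its traffic."""
    sel = net(selector)
    return {s: net(s).subnet_of(sel) for s in subnets}


def aggregate(subnets: List[str]) -> List[str]:
    """Smallest set of prefixes that exactly covers the given subnets."""
    return [str(n) for n in collapse_addresses(net(s) for s in subnets)]


def selector_plan(subnets: List[str], single: str) -> Dict[str, object]:
    """Compare one selector per subnet against a single wide selector.

    Each selector pair negotiated separately is its own child SA; a single
    selector that covers everything needs one child SA.
    """
    cov = coverage(single, subnets)
    return {
        "per_subnet_child_sas": len(subnets),
        "single_selector_child_sas": 1,
        "uncovered_by_single": [s for s, ok in cov.items() if not ok],
    }


if __name__ == "__main__":
    print("narrowed TS for the VNET space:", narrow(ANY, VNET_ADDRESS_SPACE))
    print("narrowed TS for the /24:       ", narrow(ANY, SINGLE_SELECTOR))
    print("no overlap:                    ", narrow("192.168.0.0/16", SINGLE_SELECTOR))
    for subnet, ok in coverage(SINGLE_SELECTOR, SUBNETS).items():
        print(f"{subnet:>16} inside {SINGLE_SELECTOR}: {ok}")
    print("aggregate of the four /27s:    ", aggregate(SUBNETS))
    print("plan:", selector_plan(SUBNETS, SINGLE_SELECTOR))
```

Running it shows why the answer recommends the whole address space: against a proposal of 0.0.0.0/0 the responder simply keeps its configured prefix, so a single selector of the VNET space (or of the /24) yields one child SA that already contains all four /27 subnets, whereas a selector that does not overlap the peer's proposal produces no SA at all.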
