Do you have to set up BGP to get transitive routing to work between User VPN (P2S) and on-prem VPN site connections in a Virtual WAN?

FlatulentMonk 21 Reputation points

I have an Azure Virtual WAN with a User VPN configured and 3 Site-to-Site connections. The P2S connects and can access VMs in Azure, but when I try to connect to on-prem resources from the P2S connection, it fails. The S2S connection works between on-prem and Azure VNets. The problem is transitive routing between User VPN connections and on-prem. Other posts suggest you have to configure BGP on the S2S VPNs, but those are referring to Virtual Network Gateway VPNs and not Virtual WAN. Do you have to configure BGP on each VPN site connection to get this to work in vWAN as well? Second question: if I bring in ExpressRoute, will I have any issues with transitive routing?


Accepted answer
  1. GitaraniSharma-MSFT 32,811 Reputation points Microsoft Employee

    Hello @FlatulentMonk ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    To set up connectivity from the remote user to on-premises via Virtual WAN, you have two options:

    1) Set up Site-to-site connectivity with any existing VPN device. When you connect the IPsec VPN device to Azure Virtual WAN hub, interconnectivity between the Point-to-site User VPN (Remote user) and Site-to-site VPN is automatic.

    2) Connect your ExpressRoute circuit to the Virtual WAN hub. Connecting an ExpressRoute circuit requires deploying an ExpressRoute gateway in Virtual WAN. As soon as you have deployed one, interconnectivity between the Point-to-site User VPN and ExpressRoute user is automatic.

    The most likely cause of it not working in your case is the following:

    On the P2S User side, do you see the on-premises routes getting added to the VPN client?
    Once connected to Azure Point-to-site VPN, the VPN client should get the routes from Azure VPN gateway, which are stored in this path - C:\Users\UserName\AppData\Roaming\Microsoft\Network\Connections\cm\<VirtualNetworkId>\routes.txt

    If the on-premises routes are missing, you can manually add those routes to routes.txt in Notepad. After adding the routes, check if you are able to access on-premises sites from the P2S VPN client.

    Other things to check:
    Is it the same vHub or across vHubs?
    Do you have any Firewall in the middle?

    Virtual WAN allows transit connectivity between VPN and ExpressRoute. This implies that VPN-connected sites or remote users can communicate with ExpressRoute-connected sites. There is also an implicit assumption that the Branch-to-branch flag is enabled and BGP is supported in VPN and ExpressRoute connections.

    Bringing ExpressRoute to the setup will not affect transitive routing but as mentioned above, you need BGP on your VPN to be able to connect to ExpressRoute-connected sites from your VPN-connected sites.

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
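Added example, not part of the question or the answer above: a small Python check for the routes.txt step, verifying whether each on-prem prefix is covered by a route pushed to the client and rendering the ADD lines for any that are missing. It assumes the route-file line format shown in Azure documentation for the CM-based VPN client (`ADD <network> MASK <mask> default METRIC default IF default`); the sample route file and on-prem prefixes are constructed.

```python
import ipaddress
import re

# Route-file line format (assumption, from Azure documentation examples such as
# "ADD 10.1.0.0 MASK 255.255.0.0 default METRIC default IF default").
ROUTE_LINE = re.compile(
    r"^\s*ADD\s+(\d+\.\d+\.\d+\.\d+)\s+MASK\s+(\d+\.\d+\.\d+\.\d+)", re.IGNORECASE
)


def parse_routes(text):
    """Return the IPv4 networks the client received, one per ADD line."""
    nets = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def missing_onprem_routes(routes_txt, onprem_prefixes):
    """On-prem prefixes not covered, exactly or by a supernet, by any pushed route."""
    pushed = parse_routes(routes_txt)
    missing = []
    for cidr in onprem_prefixes:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(r) for r in pushed):
            missing.append(str(net))
    return missing


def add_lines(prefixes):
    """Render ADD lines in the client's format, ready to append to routes.txt."""
    out = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        out.append(f"ADD {net.network_address} MASK {net.netmask} default METRIC default IF default")
    return out


# Constructed sample: two VNet routes plus one of the branch prefixes were pushed.
SAMPLE_ROUTES_TXT = """\
ADD 10.10.0.0 MASK 255.255.0.0 default METRIC default IF default
ADD 10.20.0.0 MASK 255.255.0.0 default METRIC default IF default
ADD 192.168.10.0 MASK 255.255.255.0 default METRIC default IF default
"""
# Constructed on-prem prefixes advertised by the three VPN sites.
ONPREM_PREFIXES = ["192.168.10.0/24", "192.168.20.0/24", "172.16.0.0/12"]

if __name__ == "__main__":
    for line in add_lines(missing_onprem_routes(SAMPLE_ROUTES_TXT, ONPREM_PREFIXES)):
        print(line)
```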
