Steiner-8362 asked bhargaviannadevara-msft edited

Multiple ExpressRoutes connected through individual NVAs to other VNets

Hello,

Each location has its own ExpressRoute circuit and NVA, and accesses shared resources in a location. For example,

California office - 192.168.8.0/24
Hong Kong office - 192.168.70.0/24
Paris office - 192.168.55.0/24

Connected via ExpressRoute Circuit to the following Azure VNets
West US for California Office, West US has a VNet: 10.0.0.0/24; the VNet has an NVA which filters traffic and an ExpressRoute Gateway in the gateway subnet which routes on premise network traffic (192.168.8.0/24) to Azure resources through the NVA.
East Asia for Hong Kong Office, East Asia has a VNet: 10.2.0.0/24; the VNet has an NVA which filters traffic and an ExpressRoute Gateway in the gateway subnet which routes on premise network traffic (192.168.70.0/24) to Azure resources through the NVA.
West Europe has a VNet 172.20.0.0/16 which is peered with 10.0.0.0/24 and 10.2.0.0/24.

It is impossible for the Shared VNet (West Europe - 172.20.0.0/16) to have multiple virtual network gateways (one for West US and another for East Asia). If both locations (West US and East Asia) require access to the resources in the Shared VNet, how can this be configured?

136998-multiple.jpg



Hello @Steiner-8362, Thank you for reaching out. I am not so sure if I have understood the question correctly.
A virtual network can have two virtual network gateways: one VPN gateway and one ExpressRoute gateway. For your VNets in West US (10.0.0.0/24) and East Asia (10.0.2.0/24), can't you have VPN gateways for these VNets and access the resources in the shared VNet via VNet peering? Please refer to this document for additional details.


Steiner-8362 replied to ChaitanyaNaykodiMSFT-9638:

Hello @ChaitanyaNaykodiMSFT-9638 ,

The idea is to have shared resources in a single location (VNet), with different geographical locations connected via ExpressRoute circuits accessing these resources. From what I have read, I have not seen that this architecture is possible.

As in the diagram attached, the office locations (192.168.8.0/24 and 192.168.70.0/24) are connected via ExpressRoute circuits to unique VNets (10.0.0.0/24 and 10.2.0.0/24) and accessing resources in "Shared VNet" (172.20.0.0/16).

Using S2S VPN is not the preferred/desired primary solution; this is why ER circuits are considered.

I am assuming this is a limitation with ER circuits. If not, how can the desired architecture be achieved with ER circuits?


Hello @Steiner-8362, apologies for the delay here, I was discussing this issue internally with the team.

We think the desired outcome is possible using an ExpressRoute circuit with the Premium add-on. With the ExpressRoute premium add-on, you can link virtual networks outside of the geopolitical region of the ExpressRoute circuit. The premium add-on will also allow you to connect more than 10 virtual networks to your ExpressRoute circuit, depending on the bandwidth chosen. You can link a VNet created in Europe West to an ExpressRoute circuit created in California and Hong Kong.
You can go through this FAQ Document for additional details on this feature and how to enable it.

Hope this helps. Please let us know if you have any additional concerns or questions. Thank you!



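The setup described in the last comment, as an added Azure PowerShell example that is not part of the original thread: it moves both circuits to the Premium tier, links a single ExpressRoute gateway in the Shared VNet to each of them, and then checks that the two office prefixes are learned. It assumes the Shared VNet already has an ExpressRoute gateway; every resource group, circuit, gateway and connection name is a hypothetical placeholder.

```powershell
# Added example. All resource names are hypothetical placeholders;
# the office prefixes are the ones given in the question.
$sharedRg = 'rg-shared-weu'
$sharedGw = Get-AzVirtualNetworkGateway -ResourceGroupName $sharedRg -Name 'ergw-shared-weu'
$circuits = @(
    @{ Rg = 'rg-er-california'; Name = 'er-california'; OnPrem = '192.168.8.0/24'  },
    @{ Rg = 'rg-er-hongkong';   Name = 'er-hongkong';   OnPrem = '192.168.70.0/24' }
)

foreach ($c in $circuits) {
    $ckt = Get-AzExpressRouteCircuit -ResourceGroupName $c.Rg -Name $c.Name

    # Linking a VNet outside the circuit's geopolitical region needs the
    # Premium tier. Keep the existing billing family (metered or unlimited).
    if ($ckt.Sku.Tier -ne 'Premium') {
        $ckt.Sku.Tier = 'Premium'
        $ckt.Sku.Name = "Premium_$($ckt.Sku.Family)"
        $ckt = Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt
    }

    # One gateway in the Shared VNet, one connection per circuit.
    $connName = "conn-shared-$($c.Name)"
    $existing = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $sharedRg `
        -Name $connName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzVirtualNetworkGatewayConnection -Name $connName `
            -ResourceGroupName $sharedRg -Location $sharedGw.Location `
            -VirtualNetworkGateway1 $sharedGw -PeerId $ckt.Id `
            -ConnectionType ExpressRoute | Out-Null
    }
}

# Check that the Shared VNet gateway has learned both office prefixes.
# Traffic on these direct links does not pass through the NVAs in the
# West US and East Asia VNets, so filtering has to be applied separately.
$learned = Get-AzVirtualNetworkGatewayLearnedRoute -ResourceGroupName $sharedRg `
    -VirtualNetworkGatewayName $sharedGw.Name
foreach ($c in $circuits) {
    $seen = [bool]($learned | Where-Object { $_.Network -eq $c.OnPrem })
    '{0,-18} learned by shared gateway: {1}' -f $c.OnPrem, $seen
}
```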