Site-to-Site VPN with VNET Gateway between two Azure stacks

Reymond Keiluhu 1 Reputation point
2022-02-01T00:40:22.46+00:00

Wonder if anyone has this requirement before?

We'll have two Azure stacks sitting in two different datacenters (kinda a private Azure cloud with multi-site support).

Application will be running inside the stack (active-active with replication at the application level). Application will be exposed to the external users via external IP in Azure LB for redundancy, but not to the internet, just internal users. So, replication is done privately over two VNETs in the stacks.

In order to establish that connection between the VMs in the two stacks, we need to have site-to-site VPN connection. Stack hub provides VNET gateway with maximum of 200 Mbps (High Perf SKU): https://learn.microsoft.com/en-us/azure-stack/user/azure-stack-vpn-gateway-settings?view=azs-2108#gateway-skus

The communication between resources of the two stacks should be transparent regardless of the location.

Now, question is how to achieve throughput greater than 200 Mbps between two stacks?

I can see stack can get a maximum of 2 Gbps on aggregate, but that means it's achievable via 10 instances of VNET gateway which we don't need. We'll only have one VNET per resource groups.

Thinking we should have our own VPN device and do S2S VPN ourselves, but then to have redundancy, we need an LB instance. Now, stack only supports a Basic LB (no support for Standard LB), which means the "HA Ports" feature is not supported at all. (HA Ports is needed to have an NVA device as a backend.)

(HA Ports: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview#why-use-ha-ports)

Any suggestions/thoughts?

Thanks,
RK
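The constraint described above (an NVA behind a load balancer needs an HA Ports rule, which only a Standard SKU load balancer supports) can be checked mechanically before deploying an ARM template. The following is an added example, not code from the original post or from Microsoft: it inspects a constructed load-balancer resource and flags HA Ports rules (protocol All, frontend and backend port 0) on any SKU other than Standard.

```python
import json

# Constructed sample: an ARM-style load balancer resource with a Basic SKU, one
# HA Ports rule (protocol All, both ports 0) and one ordinary UDP rule.
SAMPLE_LB = json.loads("""
{
  "name": "nva-lb",
  "sku": {"name": "Basic"},
  "properties": {
    "loadBalancingRules": [
      {"name": "ha-all", "properties": {"protocol": "All", "frontendPort": 0, "backendPort": 0}},
      {"name": "ike",    "properties": {"protocol": "Udp", "frontendPort": 500, "backendPort": 500}}
    ]
  }
}
""")


def is_ha_ports_rule(rule: dict) -> bool:
    """An HA Ports rule is protocol All with frontend and backend port both 0."""
    p = rule.get("properties", {})
    return (str(p.get("protocol", "")).lower() == "all"
            and p.get("frontendPort") == 0
            and p.get("backendPort") == 0)


def check_lb(lb: dict) -> list:
    """Return one finding per HA Ports rule on a non-Standard load balancer.

    A load balancer resource without an explicit sku is Basic, so that is the default.
    """
    sku = str(lb.get("sku", {}).get("name", "Basic"))
    findings = []
    for rule in lb.get("properties", {}).get("loadBalancingRules", []):
        if is_ha_ports_rule(rule) and sku.lower() != "standard":
            findings.append(
                f"{lb.get('name', '?')}: rule '{rule.get('name', '?')}' is an HA Ports rule "
                f"but the SKU is {sku}; HA Ports requires Standard (not offered on Azure Stack Hub)")
    return findings


if __name__ == "__main__":
    for finding in check_lb(SAMPLE_LB):
        print(finding)
```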


2 answers

  1. SaiKishor-MSFT 17,201 Reputation points
    2022-02-01T23:24:46.78+00:00

    @Reymond Keiluhu Thank you for reaching out to Microsoft Q&A. I understand that you want to set up a connection between your 2 stacks in Azure and be able to achieve high BW, i.e., about 2 Gbps, which your stack is giving you currently. Since S2S VPNs have BW limitations as you mentioned, I would suggest you go with VNet Peering as it has the following advantages:

    The benefits of using virtual network peering are as follows:

    • A low-latency, high-bandwidth connection between resources in different virtual networks.
    • The ability of resources in one virtual network to communicate with resources in a different virtual network.
    • The ability to transfer data between virtual networks across different subscriptions and Azure Active Directory tenants.
    • No downtime to resources in either virtual network when creating the peering, or after the peering is created.
    • Network traffic between peered virtual networks is private. Traffic between virtual networks is kept in the infrastructure layer. No public internet, gateways, or encryption is required in the communication between virtual networks.

    Regarding this statement, could you please explain in more detail about this so I can understand and assist better? Thank you!

    Please let us know if you have any further questions and we will be glad to assist you further. Thank you!


  2. Reymond Keiluhu 1 Reputation point
    2022-02-01T23:44:48.197+00:00

    @SaiKishor-MSFT ,

    Thanks for your response.

    As far as I know, Azure Stack does not support global peering. I understood we can do VNET peering between two VNETs in the same stack (i.e. the same region). However, as we'll have two stacks sitting in different DCs, it's going to be a different region; therefore, VNET peering is not supported. I wish I could use this as well, it's simpler.

    See articles here:

    https://learn.microsoft.com/en-us/azure-stack/user/virtual-network-peering?view=azs-2108#does-azure-stack-hub-support-global-vnet-peering
    https://learn.microsoft.com/en-us/azure-stack/user/virtual-network-peering?view=azs-2108#can-i-peer-my-virtual-network-in-azure-stack-hub1-to-a-virtual-network-in-azure-stack-hub2

    RK