ZuperKC-5586 asked:

Problem creating a VPN gateway on an existing VNet

Hi there,

Below is the background of the existing and proposed setup of the Azure network.

Existing

<HK> ---S2S VPN---<VNET1> ---PEERINGS--- <VNET2>

  • <VNET1> is located in East Asia and <VNET2> is located in SouthEast Asia

  • There are workloads sitting on both <VNET1> and <VNET2>, accessed by users from HK

  • There is a peering between <VNET1> and <VNET2> with gateway transit

Proposed

<HK> ---S2S VPN---<VNET1> ---PEERINGS--- <VNET2> ---S2S VPN--- <SG>

The goal of the proposed design is to allow users from SG to access the workloads on <VNET1> and <VNET2>. So, I'm trying to set up the S2S VPN between <SG> and <VNET2>. I got the error below when I tried to create a VPN gateway on <VNET2>. It seems to be because <VNET2> has a peering set up that uses the remote network <VNET1> as a gateway.

Deployment failed

Deployment to resource group 'SG-RG' failed.

{
    "status": "Failed",
    "error": {
        "code": "ParentVnetAlreadyUsesRemoteGateways",
        "message": "Virtual network gateway can not be created since the virtual network /subscriptions/xxxxxx/resourceGroups/SG-RG/providers/Microsoft.Network/virtualNetworks/SG-VNET already uses remote gateways over peering /subscriptions/xxxxxx/resourceGroups/SG-RG/providers/Microsoft.Network/virtualNetworks/VNET2/virtualNetworkPeerings/VNET2_to_VNET1.",
        "details": []
    }
}

Does the above proposed design work? And do you have any recommendations?

Tags: azure-virtual-network, azure-vpn-gateway

GitaraniSharmaMSFT-4262 answered:

Hello @ZuperKC-5586 ,

Please find the answers to your queries below:

To set up the Azure network as you mentioned, do I need to add a route table and network virtual appliance (NVA) to route traffic between Vnet1 and Vnet2?

No, it is not required to add a route table and NVA to route traffic between Vnet1 and Vnet2 if you set up the network as I mentioned below.
<HK> ---S2S VPN---<VNET1> ---S2S VPN--- <VNET2> ---S2S VPN--- <SG>
Since it will be a direct S2S connection, you have to create a VPN gateway in Vnet2 and then create and configure the local network gateways manually. The local network gateway for each VNet treats the other VNet as a local site. You can also specify additional address spaces for the local network gateway to route traffic.

Can I use the same virtual network gateway for SG-Vnet2 and Vnet1-Vnet2? Or I need to deploy an additional virtual network gateway on Vnet2 for the S2S VPN for Vnet1-Vnet2?

Yes, you can use the same VPN gateway for the SG-Vnet2 and Vnet1-Vnet2 connections, as you can only have 1 VPN gateway in 1 Vnet. However, you can have multiple connections on a VPN gateway depending upon its SKU.

Is it possible to keep using peering, but without gateway transit, between Vnet1 and Vnet2 instead of S2S VPN, and set up static routes and an NVA on both Vnet1 and Vnet2?

Yes, it is possible to keep using Vnet peering without gateway transit between Vnet1 and Vnet2 and set up an NVA & UDRs for traffic routing. But this setup would be a bit complex and difficult to manage, as you would need to add routing for traffic in both directions.

Comparing S2S VPN and Vnet peering, I understand the main difference is that S2S VPN has encryption. From a performance and cost perspective, which one will be better?

You can find the comparison between Vnet peering and VPN in the below docs for more clarity:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vnet-peering
https://azure.microsoft.com/en-in/blog/vnet-peering-and-vpn-gateways/

The most cost effective option would be to add an S2S connection from Vnet1 (the East Asia Vnet) to your SG site. I understand that this will add some latency (about 34ms), but you don't need to pay for 2 VPN gateways and you can also continue using the Vnet peering with the "gateway transit" option enabled. You can choose the option that best suits your requirement.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


ZuperKC-5586 commented:

Hi @GitaraniSharmaMSFT-4262,

<HK> ---S2S VPN---<VNET1> ---S2S VPN--- <VNET2> ---S2S VPN--- <SG>

Thanks for your useful information. I managed to set up the Vnet-to-Vnet connection using S2S as per your advice. Also, the S2S VPN is set up between SG and Vnet2. But I have a routing issue; the current situation is as below.

  • Endpoints from HK on-premises are able to connect to VMs in Vnet1 but not able to reach VMs in Vnet2

  • Endpoints from SG on-premises are able to connect to VMs in Vnet2 but not able to reach VMs in Vnet1

  • VMs in Vnet1 are able to connect to VMs in Vnet2 and vice versa

None of the address spaces overlap or are duplicated. I checked the effective routes from VMs in Vnet1 and Vnet2: the route for the HK on-premises network and the route for the SG on-premises network are not propagated to Vnet2 and Vnet1 respectively.

Anything I missed or configured incorrectly?


GitaraniSharmaMSFT-4262 replied:

Hello @ZuperKC-5586 ,

Apologies for the delay in response.

As I mentioned before, you need to create an S2S (IPSec) VPN connection between the 2 Vnets.
<VNET1> ---S2S VPN--- <VNET2>
Refer : https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#site-to-site-ipsec

When you create a VNet-to-VNet connection, the local network gateway address space is automatically created and populated. The local network gateway is not visible in this configuration and you cannot add any additional address ranges.

Hence, I recommended using a Site-to-Site VPN between the 2 Vnets. If you configure a Site-to-Site VPN connection between the 2 Vnets, you have to create and configure the local network gateways manually on both Vnet sides, and you can specify additional address spaces for the local network gateway to route traffic.

Please update your setup as below:

  1. Remove the Vnet to Vnet connection.

  2. Create and configure the local network gateways manually on both Vnet sides and add the on-premises network address ranges for HK and SG in the local network gateways.

  3. Create a Site-to-Site (IPSec) connection between the 2 Vnets.

Regards,
Gita

ZuperKC-5586 replied:

Hi @GitaraniSharmaMSFT-4262,

Indeed, I've connected Vnet1 and Vnet2 using S2S VPN. The local gateways are also configured, and now I'm just having the routing issue I mentioned before. I'll review the configuration and do some tests again. Do I need to enable BGP on the virtual network gateway and local network gateway in order to populate the address spaces across Vnets?

ZuperKC-5586 replied:

Hi @GitaraniSharmaMSFT-4262,

The S2S VPN connection between the Vnets and the routing are all good now after adding the address spaces to the local network gateways. I appreciate your help.

ricardosolisvillegas-4678 answered:

Hello @ZuperKC-5586

Welcome to Microsoft Q&A Platform.

Are you trying to set up something similar to the scenario below?

https://medium.com/awesome-azure/azure-virtual-network-vnet-peering-overview-introduction-a795517bd83b#:~:text=VNet%20Peering%20Types%201.%20Regional%20VNet%20Peering%3A%20Connecting,communicate%20with%20resources%20in%20a%20different%20virtual%20network.

BR,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


ZuperKC-5586 commented:

The link you posted just describes or explains what a Vnet is.

The situation is that I got an error creating a VPN gateway on an existing Vnet, as described at the top of the thread.
Does my proposed setup make sense, and what did I do incorrectly?

ricardosolisvillegas-4678 replied:

Hi,

Do you have any update so far? If either my answer or @GitaraniSharmaMSFT-4262's helped, please let us know.

BR,

GitaraniSharmaMSFT-4262 answered:

Hello @ZuperKC-5586 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you have Vnet1 located in East Asia and Vnet2 located in SouthEast Asia, that they are peered together with the "Gateway transit" option enabled, and that you would now like to create a VPN gateway in Vnet2 to connect to another on-premises location, but it fails with the following error: "Virtual network gateway can not be created since the virtual network SG-VNET already uses remote gateways over peering VNET2/virtualNetworkPeerings/VNET2_to_VNET1."

Per design and as described in our official doc, each virtual network, including a peered virtual network, can have its own gateway. However, when you configure the gateway in the peered virtual network as a transit point to an on-premises network, the virtual network that is using a remote gateway can't have its own gateway. A virtual network has only one gateway. The gateway is either a local or remote gateway in the peered virtual network.

So, your proposed setup (<HK> ---S2S VPN---<VNET1> ---PEERINGS--- <VNET2> ---S2S VPN--- <SG>) is not possible to implement.

You would need to remove the "gateway transit" option (i.e. stop Vnet2 using Vnet1's remote gateway over the peering) to be able to create a VPN gateway in Vnet2.

Since you would like to make sure that both on-premises sites are able to access both Vnets, you can go with a site-to-site VPN between Vnet1 and Vnet2 as below:
<HK> ---S2S VPN---<VNET1> ---S2S VPN--- <VNET2> ---S2S VPN--- <SG>

Refer : https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#site-to-site-ipsec

If you can enable BGP, it would be much easier to set up, as BGP enables transit routing with Azure VPN gateways between your on-premises sites or across multiple Azure Virtual Networks.
Refer : https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview#transitrouting

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


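The chain recommended in the answer above (<HK> ---S2S VPN---<VNET1> ---S2S VPN--- <VNET2> ---S2S VPN--- <SG>) and the three-step fix given later in the thread (stop Vnet2 using the remote gateway over the peering, build the local network gateways with the far-side on-premises ranges included, then create the IPsec connections), as an added example that is not part of the original thread or of any Microsoft tooling. The script computes which address prefixes each Vnet's local network gateway must carry: the remote Vnet plus every site behind it, which is exactly what was missing when HK could reach Vnet1 but not Vnet2. It refuses overlapping ranges (static traffic selectors cannot disambiguate them) and emits the Azure CLI commands. All address spaces, public IPs, locations and the gateway/local-gateway names are constructed assumptions; only the resource group SG-RG and the peering name VNET2_to_VNET1 come from the error message in the question.

```python
"""Plan the S2S (IPsec) chain HK -- VNET1 -- VNET2 -- SG and emit the az CLI commands.
Added example, not from the original thread: every name, address space and public IP
is a constructed assumption (SG-RG and VNET2_to_VNET1 come from the question's error)."""
import ipaddress
from collections import deque

# Constructed topology. gateway_ip is the public IP of the site's VPN device or gateway.
SITES = {
    "HK":    {"kind": "onprem", "prefixes": ["10.1.0.0/16"], "gateway_ip": "203.0.113.10"},
    "VNET1": {"kind": "vnet", "rg": "HK-RG", "location": "eastasia",
              "prefixes": ["10.10.0.0/16"], "gateway_ip": "203.0.113.11"},
    "VNET2": {"kind": "vnet", "rg": "SG-RG", "location": "southeastasia",
              "prefixes": ["10.20.0.0/16"], "gateway_ip": "203.0.113.12"},
    "SG":    {"kind": "onprem", "prefixes": ["10.2.0.0/16"], "gateway_ip": "203.0.113.20"},
}
# One IPsec tunnel per pair; the VNET1--VNET2 tunnel replaces the peering with gateway transit.
LINKS = [("HK", "VNET1"), ("VNET1", "VNET2"), ("VNET2", "SG")]


def check_no_overlap(sites=SITES):
    """Static traffic selectors cannot disambiguate overlapping prefixes, so refuse them."""
    nets = [(n, ipaddress.ip_network(p)) for n, s in sites.items() for p in s["prefixes"]]
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a_name} {a} overlaps {b_name} {b}")
    return True


def behind(site, neighbor, links=LINKS):
    """Sites reached through `neighbor` once `site` itself is cut out of the graph (BFS).
    For VNET2 looking at VNET1 this is [VNET1, HK]: the ranges VNET2's local network
    gateway for VNET1 must list, which is what the thread's routing problem was missing."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, order, queue = {site, neighbor}, [neighbor], deque([neighbor])
    while queue:
        for nxt in sorted(adj.get(queue.popleft(), ())):
            if nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                queue.append(nxt)
    return order


def local_gateway_prefixes(site, neighbor, sites=SITES, links=LINKS):
    """Address prefixes for the local network gateway that `site` creates for `neighbor`."""
    return [p for s in behind(site, neighbor, links) for p in sites[s]["prefixes"]]


def neighbors(site, links=LINKS):
    return sorted(b if a == site else a for a, b in links if site in (a, b))


def az_commands(sites=SITES, links=LINKS):
    """The az CLI plan. Only VNET2 needs a new gateway; VNET1's is assumed to exist as
    VNET1-gw. The IPsec pre-shared key is read from $VPN_PSK at run time, never hardcoded."""
    check_no_overlap(sites)
    cmds = [
        # ParentVnetAlreadyUsesRemoteGateways: VNET2 must stop using VNET1's gateway first.
        "az network vnet peering update -g SG-RG --vnet-name VNET2 -n VNET2_to_VNET1 --set useRemoteGateways=false",
        "az network vnet subnet create -g SG-RG --vnet-name VNET2 -n GatewaySubnet --address-prefixes 10.20.255.0/27",
        "az network public-ip create -g SG-RG -n VNET2-gw-pip --sku Standard --allocation-method Static -l southeastasia",
        "az network vnet-gateway create -g SG-RG -n VNET2-gw --vnet VNET2 --public-ip-address VNET2-gw-pip "
        "--gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 -l southeastasia",
    ]
    for site, cfg in sites.items():
        if cfg["kind"] != "vnet":
            continue
        for nb in neighbors(site, links):
            prefixes = " ".join(local_gateway_prefixes(site, nb, sites, links))
            lng = f"{site}-lng-{nb}"
            cmds.append(f"az network local-gateway create -g {cfg['rg']} -n {lng} -l {cfg['location']} "
                        f"--gateway-ip-address {sites[nb]['gateway_ip']} --local-address-prefixes {prefixes}")
            cmds.append(f"az network vpn-connection create -g {cfg['rg']} -n {site}-to-{nb} -l {cfg['location']} "
                        f"--vnet-gateway1 {site}-gw --local-gateway2 {lng} --shared-key \"$VPN_PSK\"")
    return cmds


if __name__ == "__main__":
    print("\n".join(az_commands()))
    # Each on-premises device must route the whole far side into its tunnel as well.
    for site, cfg in SITES.items():
        if cfg["kind"] == "onprem":
            nb = neighbors(site)[0]
            print(f"# {site} device routes {local_gateway_prefixes(site, nb)} via {nb}")
```

Run it to print the plan, then execute the commands with VPN_PSK exported. The VNET1-side commands are listed too so you can see that VNET1's local network gateway for VNET2 carries the SG range, not just 10.20.0.0/16; its existing HK tunnel can be skipped. Nothing here relies on BGP, so each new on-premises range has to be added to the local network gateways on both Vnets by hand, which is the trade-off the answer's BGP remark is about. Once the VNET1--VNET2 tunnel carries the traffic, the old peering can be deleted, matching the final topology in the thread.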

ZuperKC-5586 commented:

Hi @GitaraniSharmaMSFT-4262,

I appreciate your comments and advice. I have a few more questions below; please see whether you can provide some more comments.

  1. To set up the Azure network as you mentioned, do I need to add a route table and network virtual appliance (NVA) to route traffic between Vnet1 and Vnet2?

  2. Can I use the same virtual network gateway for SG-Vnet2 and Vnet1-Vnet2? Or I need to deploy an additional virtual network gateway on Vnet2 for the S2S VPN for Vnet1-Vnet2?

  3. Is it possible to keep using peering, but without gateway transit, between Vnet1 and Vnet2 instead of S2S VPN, and set up static routes and an NVA on both Vnet1 and Vnet2?

  4. Comparing S2S VPN and Vnet peering, I understand the main difference is that S2S VPN has encryption. From a performance and cost perspective, which one will be better?

GitaraniSharmaMSFT-4262 replied:

Hello @ZuperKC-5586 ,

I have added the answers below in the answer section.

Regards,
Gita
