NSimpraga-7653 asked:

Routing issue for branches in Azure VWAN


I am building a proof of concept architecture using Azure VWAN and having issues routing internal private traffic between branches.
For sake of simplicity I will include only the parts of the infrastructure that are relevant to the problem.

The infra consists of:
1. Azure VWAN instance
2. One Virtual Hub inside the VWAN (customer-vhub) with an S2S VPN Gateway
3. First internal virtual network (internal-vnet) containing one VM (internal-vnet VM)
4. Second virtual network (customer-site-vnet) containing one VM (customer-site VM) and a Virtual Network Gateway (customer-site GW)
5. Virtual Network Connection between the customer-vhub and the internal-vnet
6. Site to Site connection between the customer-vhub and the customer-site-vnet
7. Local Network Gateway which represents the VPN GW of the Virtual Hub (this is needed since you cannot directly S2S connect a regular VNET Gateway and a Virtual Hub Gateway with an S2S connection)

Diagram of architecture:

I realise the connection between the customer-site-vnet and the customer-vhub could've been done with a Virtual Network Connection, but since this is a Proof of Concept & testing architecture, I wanted to mimic a setup where the connection to a customer would be an actual S2S connection.

The S2S connection is successful and says 'connected'. I also set up BGP so the routes get propagated across the network.

The problem: the internal-vnet VM is not reachable from the customer-site VM.

How I've tested: I've assigned the customer-site VM a public IP, SSH-ed into it and tried SSH-ing into the private IP of the internal-vnet VM, but to no avail.
What I've tried:
- whitelisting outbound traffic in the NSG of the customer-site VM
- manually adding some routes to the VM
- checked Network Watcher for connection between the two VMs; the issue that turns up is 'no route'

All in all it seems that the networks, while successfully connected, are not propagating proper routes for the traffic to take between the branches.

What part of the setup am I missing or did incorrectly?
Thanks in advance!


1 Answer

GitaraniSharmaMSFT-4262 answered:

Hello @NSimpraga-7653 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand you are building a proof of concept architecture using Azure VWAN. You have a VWAN hub connected to a Virtual network and then you have created a site to site VPN connection between the Virtual WAN and another Vnet using VPN gateway but you are having issues routing internal private traffic between the branch and VWAN connected Vnet.

From your diagram, I see there is only one local network gateway.

Below are the steps to connect a VPN Gateway (virtual network gateway) to a Virtual WAN:

  • Create a Virtual WAN.

  • Create a virtual hub containing the Virtual WAN VPN gateway.

  • Connect the internal-vnet to the Virtual WAN hub using "Virtual network connections" option.
    NOTE: when connecting a Virtual Network to a Virtual WAN hub, make sure that the option "Propagate to none" is set to No.

  • Then go to the customer-site-vnet and create a VPN Gateway (virtual network gateway) in active-active mode with BGP enabled for your virtual network.

  • Then create two Virtual WAN VPN sites that correspond to the virtual network gateways you created in the previous step.

  • Download the VPN configuration file for each of the sites that you created in the VWAN.

  • Then create two Azure VPN local network gateways using the configuration files downloaded from the previous step.

  • Create 2 connections between the VPN Gateway local network gateways and virtual network gateway. On the Configuration page, for BGP, select Enabled.

  • Then you can test connectivity between the two virtual machines (one on the side of the VPN Gateway/virtual network gateway, and one in a virtual network for the Virtual WAN) and you should be able to ping one VM from the other, unless there are any firewalls or other policies blocking the communication.

Refer :

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

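The customer-site side of the steps above, as an added Bicep example that is not from this thread or from Microsoft's documentation: an active-active, BGP-enabled virtual network gateway with two public IPs, two local network gateways (one per Virtual WAN hub VPN gateway instance) and two BGP-enabled S2S connections, which is exactly the part the asker's first attempt (single instance, single hub endpoint) was missing. Resource names, the site ASN, the gateway subnet parameter and the hub IP placeholders are assumptions; the real hub public IPs and BGP peer addresses come from the VPN site configuration files downloaded from the VWAN, and the two VWAN VPN sites themselves are configured separately on the hub side and are not shown here.

```bicep
// Added example, not the thread's or Microsoft's own template. Names and ASNs are assumed.
param location string = resourceGroup().location
param gatewaySubnetId string        // resource ID of the GatewaySubnet in customer-site-vnet
@secure()
param sharedKey string
// Placeholders: take these from the VPN configuration file downloaded for each VWAN VPN site
param hubVpnPublicIps array = ['<hub-instance0-public-ip>', '<hub-instance1-public-ip>']
param hubBgpPeerIps array = ['<hub-instance0-bgp-peer-ip>', '<hub-instance1-bgp-peer-ip>']
param hubAsn int = 65515   // Virtual WAN hubs always use ASN 65515
param siteAsn int = 65010  // assumed private ASN for the customer-site gateway

resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = [for i in range(0, 2): {
  name: 'customer-site-gw-pip${i}'   // active-active needs one public IP per instance
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}]
resource gw 'Microsoft.Network/virtualNetworkGateways@2023-05-01' = {
  name: 'customer-site-gw'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    sku: { name: 'VpnGw1', tier: 'VpnGw1' }
    activeActive: true   // the setting the asker had initially left off
    enableBgp: true
    bgpSettings: { asn: siteAsn }
    ipConfigurations: [for i in range(0, 2): {
      name: 'ipconfig${i}'
      properties: { subnet: { id: gatewaySubnetId }, publicIPAddress: { id: pip[i].id } }
    }]
  }
}
// One local network gateway per hub VPN gateway instance, and one BGP-enabled connection to each
resource lng 'Microsoft.Network/localNetworkGateways@2023-05-01' = [for i in range(0, 2): {
  name: 'vwan-hub-lng${i}'
  location: location
  properties: { gatewayIpAddress: hubVpnPublicIps[i], bgpSettings: { asn: hubAsn, bgpPeeringAddress: hubBgpPeerIps[i] } }
}]
resource conn 'Microsoft.Network/connections@2023-05-01' = [for i in range(0, 2): {
  name: 'to-vwan-hub${i}'
  location: location
  properties: {
    connectionType: 'IPsec'
    enableBgp: true
    sharedKey: sharedKey
    virtualNetworkGateway1: { id: gw.id, properties: {} }
    localNetworkGateway2: { id: lng[i].id, properties: {} }
  }
}]
```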

Thank you @GitaraniSharmaMSFT-4262 ! Following your steps, it started working as intended.

What I did differently was not creating an active-active VPN GW on the customer-site-vnet, and I hadn't connected both public IP endpoints of the VPN GW of the VWAN Virtual Hub, but just one.
I thought that the double endpoints were just for failover & reliability, can you confirm this active-active mode is really necessary for the setup to work as intended?

Thank you again, you helped a lot!


Hello @NSimpraga-7653 ,

Thank you for the update. Glad to hear that it started working.

According to the doc, active-active is required and BGP is optional.
Refer :

I will discuss this requirement with the backend team and get back to you with further updates, if any.


NSimpraga-7653 commented:

No worries, I guess I just had to read the docs better! Thank you again!
