Routing issue for branches in Azure VWAN

NSimpraga 161 Reputation points
2022-05-26T09:39:44.413+00:00

Greetings,

I am building a proof of concept architecture using Azure VWAN and having issues routing internal private traffic between branches.
For sake of simplicity I will include only the parts of the infrastructure that are relevant to the problem.

The infra consists of:

  1. Azure VWAN instance
  2. One Virtual Hub inside the VWAN (customer-vhub) with an S2S VPN Gateway
  3. First internal virtual network (internal-vnet) containing one VM (internal-vnet VM)
  4. Second virtual network (customer-site-vnet) containing one VM (customer-site VM) and a Virtual Network Gateway (customer-site GW)
  5. Virtual Network Connection between the customer-vhub and the internal-vnet
  6. Site to Site connection between the customer-vhub and the customer-site-vnet
  7. Local Network Gateway which represents the VPN GW of the Virtual Hub (this is needed since you cannot directly S2S connect a regulat VNET Gateway and a Virtual Hub Gateway with an S2S connection)

Diagram of architecture:
205813-image.png

I realise the connection between the customer-site-vnet and the customer-vhub could've been done with a Virtual Network Connection, but since this is a Proof of Concept & testing architecture, I wanted to mimick a setup where the connection to a customer would be an actual S2S connection.

The S2S connection is successful and says 'connected'. I also set up BGP so the routes get propagated across the network.

The problem: the internal-vnet VM is not reachable from the customer-site VM.

How I've tested: I've assigned the customer-site VM a public IP and SSH-ed into it and try SSH-ing into the private IP of the internal-vnet VM, but to no avail.
What I've tried:

  • whitelisting outbound traffic in the NSG of the customer-site VM
  • manually adding some routes to the VM
  • checked Network Watcher for connection between the two VMs, issue that turns up is 'no route'

All in all it seems that the networks, while successfully connected, are not propagating proper routes for the traffic to take between the branches.

What part of the setup am I missing or did incorrectly?
Thanks in advance!

Azure Virtual WAN
Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
182 questions
Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,347 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,089 questions
0 comments No comments
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 46,261 Reputation points Microsoft Employee
    2022-05-26T13:13:14.273+00:00

    Hello @NSimpraga ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand you are building a proof of concept architecture using Azure VWAN. You have a VWAN hub connected to a Virtual network and then you have created a site to site VPN connection between the Virtual WAN and another Vnet using VPN gateway but you are having issues routing internal private traffic between the branch and VWAN connected Vnet.

    From your diagram, I see there is only one local network gateway.

    Below are the steps to connect a VPN Gateway (virtual network gateway) to a Virtual WAN:

    • Create a Virtual WAN.
    • Create a virtual hub containing the Virtual WAN VPN gateway.
    • Connect the internal-vnet to the Virtual WAN hub using "Virtual network connections" option.
      NOTE: when connecting a Virtual Network to a Virtual WAN hub, make sure that the option "Propagate to none" is set to No.
    • Then go to the customer-site-vnet and create a VPN Gateway (virtual network gateway) in active-active mode with BGP enabled for your virtual network.
    • Then create two Virtual WAN VPN sites that correspond to the virtual network gateways you created in the previous step.
    • Download the VPN configuration file for each of the sites that you created in the VWAN.
    • Then create two Azure VPN local network gateways using the configuration files downloaded from the previous step.
    • Create 2 connections between the VPN Gateway local network gateways and virtual network gateway. On the Configuration page, for BGP, select Enabled.
    • Then you can test connectivity between the two virtual machines (one on the side of the VPN Gateway/virtual network gateway, and one in a virtual network for the Virtual WAN) and you should be able to ping one VM from the other, unless there are any firewalls or other policies blocking the communication.

    Refer : https://learn.microsoft.com/en-us/azure/virtual-wan/connect-virtual-network-gateway-vwan
    https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal#hub
    https://learn.microsoft.com/en-us/azure/virtual-wan/howto-connect-vnet-hub

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers

Sort by: Most helpful