VPN gateway and Express route gateway in two different VNETs

Ramakrishnan Venkataraman 46 Reputation points
2022-08-10T17:46:27.47+00:00

Dears,

I have the following scenario. I have ExpressRoute (gateway type: ExpressRoute) on a Hub VNET that establishes the connection with on-prem. I have created another VNET exclusively for S2S VPN to establish the VPN connection with 3rd party vendors. The block diagram below shows how I want the flow to work. Please see the diagram below.
Basically, I just want to route the traffic from the spoke VNET to the Hub VNET --> traffic should be screened by the NVA ---> then, if it is 3rd party site traffic (typically the VNET will do the route lookup), the traffic should be forwarded to the 3rd party VNET (where we have the VPN gateway).
So....
Question 1: What configuration should I configure during the peering on the Hub VNET and the 3rd party VNET, in particular in
Question 2: Can we have gateway type ExpressRoute on one VNET and VPN as the gateway type on another VNET? Is this recommended in this scenario?
Question 3: Do I need to set the 3rd party VNET as the remote gateway so that dynamic route updates will populate to the Hub VNET, or is it just a VNET peering with none?

Your swift response is much appreciated.

230037-image.png


Accepted answer
  1. KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee
    2022-10-10T09:06:33.723+00:00

    Hi @Ramakrishnan Venkataraman ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you are trying to build architecture as follows: Spoke-->Hub1-->Hub2-->OnPrem(3rd Party)

    I am posting a summary of the discussions for the wider community's reach.

    As suggested by @msrini-MSFT, the best way to go forward is to leverage Azure vWAN.
    https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-route-table-nva-portal
    We generally don't recommend multiple-Hub architectures.

    Other than vWAN, you can also consider VPN-ExpressRoute Gateway co-existence with a single Hub.

    To address your queries,

    Question 1
    Question 3

    • If a Vnet has a Virtual Network Gateway, then we cannot create a peering with another Vnet that has a Virtual Network Gateway with "Use Remote Gateways" enabled.
    • "Use Remote Gateways" will be disabled.
    • So, you cannot configure the peering to route traffic from HubVnet to 3rdPartyVPNVnet at the platform level.

    Question 2

    • This is not recommended.
    • While one can make this work by adding manual routes and deploying another NVA in 3rdPartyVPNVnet, it will be complex and difficult to manage.

    I see you have an InfoSec requirement that you need to have these Vnets isolated.

    As stated, you cannot configure the platform (Peering) to make a VM route traffic to two Gateways.

    • The only way I can think of doing this is with the use of a Firewall/NVA in 3rdPartyVPNVnet.
    • You can set up routing between this Firewall and your existing NVA to exchange traffic.
    • Ideally, this should work.

    You confirmed you were able to follow the above action plan and make this work using a Firewall/NVA (Palo Alto firewall).

    Thanks,
    Kapil

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.


2 additional answers

  1. msrini-MSFT 9,261 Reputation points Microsoft Employee
    2022-08-11T06:50:04.577+00:00

    Hi,

    You can leverage Azure vWAN where you create ER gateway + VPN gateway on the hub and you connect your spoke to the HUB VNETs.

    You can use a Route table to forward your traffic to the NVAs and then route traffic destined to On-Prem via ER and to Vendors via the VPN gateway. --> This can only be done if there is no overlap of IPs between your vendor and On-Premises, and routes are advertised to the ER and VPN gateways respectively.

    Reference : https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-route-table-nva-portal

    Regards,
    Karthik Srinivas

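The route-table behaviour behind msrini-MSFT's answer, as an added example that is not part of the thread: a small Python model of how Azure selects the effective route for a spoke subnet that uses the hub's gateways. It applies longest-prefix match and, for equal prefix lengths, the documented tie-break (user-defined route, then BGP-learned, then system route). It shows why a plain 0.0.0.0/0 UDR to the NVA does not screen on-prem or vendor traffic (the gateway-learned prefixes are more specific), how matching-length UDRs fix that, and why overlapping on-prem and vendor prefixes make the ER-versus-VPN split undecidable. All prefixes, gateway names and the NVA address are constructed for the example.

```python
"""Added example (not from the thread): a simplified model of Azure effective
route selection for a spoke subnet in the hub design discussed above.
Prefixes, gateway names and the NVA address are constructed, not real."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Tie-break when two matching routes have the same prefix length
# (Azure: user-defined > BGP-learned > system). Lower number wins.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: Net
    next_hop_type: str  # VnetLocal, VNetPeering, VirtualNetworkGateway, VirtualAppliance, Internet
    next_hop: str       # gateway name, NVA IP, or "-" when implicit
    source: str         # Default (system), VirtualNetworkGateway (BGP-learned), User (UDR)


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr)


def effective_route(routes: Iterable[Route], dst: str) -> Optional[Route]:
    """Route Azure would use for dst: longest prefix first, then source priority."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst_ip in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, SOURCE_PRIORITY[r.source]))


def overlapping_prefixes(onprem: Iterable[Net], vendor: Iterable[Net]) -> List[Tuple[Net, Net]]:
    """On-prem/vendor prefix pairs that overlap. Any hit means the ER-vs-VPN
    split cannot be decided by destination prefix alone."""
    return [(a, b) for a in onprem for b in vendor if a.overlaps(b)]


# Constructed effective routes of a spoke subnet that uses the hub's gateways
# ("Use remote gateways" on the spoke side of the peering).
SPOKE_SYSTEM_ROUTES = [
    Route(net("10.1.0.0/16"), "VnetLocal", "-", "Default"),                                 # spoke itself
    Route(net("10.0.0.0/16"), "VNetPeering", "-", "Default"),                               # hub via peering
    Route(net("0.0.0.0/0"), "Internet", "-", "Default"),
    Route(net("192.168.0.0/16"), "VirtualNetworkGateway", "er-gw", "VirtualNetworkGateway"),  # on-prem via ER
    Route(net("172.16.0.0/12"), "VirtualNetworkGateway", "vpn-gw", "VirtualNetworkGateway"),  # vendor via S2S VPN
]
NVA_IP = "10.0.1.4"  # hypothetical NVA in the hub
DEFAULT_TO_NVA = Route(net("0.0.0.0/0"), "VirtualAppliance", NVA_IP, "User")
ONPREM_TO_NVA = Route(net("192.168.0.0/16"), "VirtualAppliance", NVA_IP, "User")
VENDOR_TO_NVA = Route(net("172.16.0.0/12"), "VirtualAppliance", NVA_IP, "User")


def next_hop_for(dst: str, udrs: List[Route]) -> str:
    """Next hop the spoke subnet would use for dst with the given UDRs applied."""
    r = effective_route(SPOKE_SYSTEM_ROUTES + udrs, dst)
    return r.next_hop if r else "none"


if __name__ == "__main__":
    # A bare 0.0.0.0/0 UDR does not screen on-prem or vendor traffic: the
    # gateway-learned /16 and /12 are more specific and bypass the NVA.
    for dst in ("192.168.5.9", "172.16.10.7", "8.8.8.8"):
        print(dst, "->", next_hop_for(dst, [DEFAULT_TO_NVA]))
    # UDRs of matching length win the source tie-break and force traffic via the NVA.
    for dst in ("192.168.5.9", "172.16.10.7"):
        print(dst, "->", next_hop_for(dst, [DEFAULT_TO_NVA, ONPREM_TO_NVA, VENDOR_TO_NVA]))
    # A vendor /24 inside the on-prem /16 would always win by prefix length,
    # pulling part of the on-prem range towards the VPN gateway.
    print(overlapping_prefixes([net("192.168.0.0/16")],
                               [net("192.168.40.0/24"), net("172.16.10.0/24")]))
```

The model is deliberately minimal (one effective route table, no "None" next hops, no BGP path attributes), but the two checks it encodes are the ones to run before building this design: confirm that every UDR meant to steer traffic through the NVA is at least as specific as the gateway-learned prefix it must override, and confirm that the on-prem and vendor prefix sets do not overlap.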

  2. Ramakrishnan Venkataraman 46 Reputation points
    2022-10-06T10:45:00.777+00:00

    Update:
    Sorry for the delayed reply. We have implemented the VPN gateway on the centralized VNET (hub VNET) and eliminated the other hub from the equation.
    To support our InfoSec requirement, we ensure all the untrusted traffic (VPN traffic) will pass on to the NVA (Palo Alto firewall).
    After successful connection establishment with the third party, I can see the route table automatically encoded in the connectivity VNET route table (as a system route).
    However, I am still working on initiating the live traffic with the 3rd party; I will keep you posted with a detailed analysis.

    Sorry again....
    Thanks again to all for your support.
