Rediger

Del via


Configure VPN gateway transit for virtual network peering

This article helps you configure gateway transit for virtual network peering. Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes. Gateway transit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity.

The following diagram shows how gateway transit works with virtual network peering. In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM. Connectivity available on the VPN gateway, including S2S, P2S, and VNet-to-VNet connections, applies to all three virtual networks.

Diagram of Gateway transit.

The transit option can be used with all VPN Gateway SKUs except the Basic SKU.

In hub-and-spoke network architecture, gateway transit allows spoke virtual networks to share the VPN gateway in the hub, instead of deploying VPN gateways in every spoke virtual network. Routes to the gateway-connected virtual networks or on-premises networks propagate to the routing tables for the peered virtual networks using gateway transit.

You can disable the automatic route propagation from the VPN gateway. Create a routing table with the "Disable BGP route propagation" option, and associate the routing table to the subnets to prevent the route distribution to those subnets. For more information, see Virtual network routing table.

Note

If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be downloaded and installed again in order for the changes to be applied to the client.

Prerequisites

This article requires the following VNets and permissions.

Virtual networks

VNet Configuration steps Virtual network gateway
Hub-RM Resource Manager Yes
Spoke-RM Resource Manager No

Permissions

The accounts you use to create a virtual network peering must have the necessary roles or permissions. In the example below, if you were peering the two virtual networks named Hub-RM and Spoke-Classic, your account must have the following roles or permissions for each virtual network:

VNet Deployment model Role Permissions
Hub-RM Resource Manager Network Contributor Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
Spoke-RM Resource Manager Network Contributor Microsoft.Network/virtualNetworks/peer

Learn more about built-in roles and assigning specific permissions to custom roles (Resource Manager only).

To add a peering and enable transit

  1. In the Azure portal, create or update the virtual network peering from the Hub-RM. Go to the Hub-RM virtual network. Select Peerings, then + Add to open Add peering.

  2. On the Add peering page, configure the values for Remote virtual network summary.

    • Peering link name: Name the link. Example: SpokeRMToHubRM
    • Virtual network deployment model: Resource Manager
    • I know my resource ID: Leave blank. You only need to select this if you don't have read access to the virtual network or subscription you want to peer with.
    • Subscription: Select the subscription.
    • Virtual Network: Spoke-RM
  3. On the Add peering page, configure the values for Remote virtual network peering settings.

    • Allow 'Spoke-RM' to access 'Hub-RM': Leave the default of selected.
    • Allow 'Spoke-RM' to receive forwarded traffic from 'Hub-RM': Select the checkbox.
    • Allow gateway or route server in the peered virtual network to forward traffic to 'Hub-RM': Leave the default of un-selected.
    • Enable 'SpokeRM' to use 'Hub-RM's' remote gateway or route server: Select the checkbox.

    Screenshot shows add peering.

  4. On the Add peering page, configure the values for Local virtual network summary.

    • Peering link name: Name the link. Example: HubRMToSpokeRM
  5. On the Add peering page, configure the values for Local virtual network peering settings.

    • Allow 'Hub-RM' to access the peered virtual network: Leave the default of selected.
    • Allow 'Hub-RM' to receive forwarded traffic from the peered virtual network: Select the checkbox.
    • Allow gateway or route server in 'Hub-RM' to forward traffic to the peered virtual network: Select the checkbox.
    • Enable 'Hub-RM' to use the peered virtual network's remote gateway or route server: Leave the default of un-selected.

    Screenshot shows values for remote virtual network.

  6. Select Add to create the peering.

  7. Verify the peering status as Connected on both virtual networks.

To modify an existing peering for transit

If you have an already existing peering, you can modify the peering for transit.

  1. Go to the virtual network. Select Peerings and select the peering that you want to modify. For example, on the Spoke-RM VNet, select the SpokeRMtoHubRM peering.

  2. Update the VNet peering.

    Enable 'Spoke-RM' to use 'Hub-RM's' remote gateway or route server: Select the checkbox.

  3. Save the peering settings.

PowerShell sample

You can also use PowerShell to create or update the peering. Replace the variables with the names of your virtual networks and resource groups.

$SpokeRG = "SpokeRG1"
$SpokeRM = "Spoke-RM"
$HubRG   = "HubRG1"
$HubRM   = "Hub-RM"

$spokermvnet = Get-AzVirtualNetwork -Name $SpokeRM -ResourceGroup $SpokeRG
$hubrmvnet   = Get-AzVirtualNetwork -Name $HubRM -ResourceGroup $HubRG

Add-AzVirtualNetworkPeering `
  -Name SpokeRMtoHubRM `
  -VirtualNetwork $spokermvnet `
  -RemoteVirtualNetworkId $hubrmvnet.Id `
  -UseRemoteGateways

Add-AzVirtualNetworkPeering `
  -Name HubRMToSpokeRM `
  -VirtualNetwork $hubrmvnet `
  -RemoteVirtualNetworkId $spokermvnet.Id `
  -AllowGatewayTransit

Next steps