Will there be asymmetric traffic if two tunnels have the same private address space defined or overlapped ?

$@chin 135 Reputation points
2024-11-07T18:41:45.9766667+00:00

Suppose I already have an S2S tunnel A on the vWAN with a private address space of 192.12.0.0/16, provided by the on-prem team, and a link IP address A. Now I need to create another S2S tunnel B on the same vWAN hub, with link IP address B. However, the private address space for tunnel B is 192.12.5.0/24, which falls within the address range of tunnel A (192.12.0.0/16).

Will this overlap cause any issues with tunnel communication to the Azure VMs or vice versa? Is there a risk of asymmetric traffic? Or can this be configured without any issues, assuming traffic from both on-prem locations can still communicate with Azure resources via the vWAN S2S tunnels?

If not, how can I achieve it without changing the private address space?


1 answer

  1. Sai Prasanna Sinde 3,010 Reputation points Microsoft Vendor
    2024-11-08T08:42:42.5+00:00

    Hi @$@chin,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    1. Will this overlap cause any issues with tunnel communication to the Azure VMs or vice versa? Is there a risk of asymmetric traffic?
    • As the private address space for Tunnel B (192.12.5.0/24) falls within the address range of Tunnel A (192.12.0.0/16), all traffic will be directed to Tunnel B (192.12.5.0/24). This happens because 192.12.5.0/24 is a longer prefix than 192.12.0.0/16.
    • When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm.
    • Please refer to the below document to understand how Azure selects a route: https://zcusa.951200.xyz/en-us/azure/virtual-network/virtual-networks-udr-overview#how-azure-selects-a-route
    2. How to achieve it instead of changing the private address space?
    • For the time being, we would recommend you configure NAT rules for your Virtual WAN VPN gateway.
    • A NAT rule provides a mechanism to set up one-to-one translation of IP addresses. NAT can be used to interconnect two IP networks that have incompatible or overlapping IP addresses.
    • Please refer to this document to understand how to configure NAT rules for your Virtual WAN VPN gateway: https://zcusa.951200.xyz/en-us/azure/virtual-wan/nat-rules-vpn-gateway#rules

    Hope this clarifies!

    If the above is unclear and/or you are unsure about something, add a comment below.

    Please don’t forget to close the thread by clicking "Accept the answer" if the information provided helps you, as this can be beneficial to other community members.

    Regards,

    Sai Prasanna.

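The two effects described in the answer above, longest-prefix-match route selection hiding part of tunnel A behind tunnel B, and a one-to-one NAT rule on tunnel B removing the overlap, as an added example that is not code from the thread or from Azure. The prefixes are the question's; the tunnel names, the 10.255.5.0/24 translated prefix and all function names are assumptions.

```python
import ipaddress

# Constructed route table modelling the vWAN hub: one route per S2S tunnel.
# Prefixes are the ones from the question; the next-hop names are placeholders.
ROUTES = [
    (ipaddress.ip_network("192.12.0.0/16"), "tunnel-A"),
    (ipaddress.ip_network("192.12.5.0/24"), "tunnel-B"),
]

def select_route(dst, routes=ROUTES):
    """Longest-prefix match: of the routes that contain dst, return the next hop
    of the most specific one (largest prefix length), or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, hop) for net, hop in routes if dst in net]
    return max(matches)[1] if matches else None

def shadowed(routes=ROUTES):
    """List (prefix, losing_hop, winning_hop) for every range of a route that is
    fully covered by a more specific route: hosts in that range behind losing_hop
    are unreachable from Azure, because LPM always picks winning_hop."""
    return [(str(b), hop_a, hop_b)
            for a, hop_a in routes for b, hop_b in routes
            if a != b and b.subnet_of(a)]

def nat_routes(routes, tunnel, internal, external):
    """Model a static (one-to-one) NAT rule on one tunnel: the hub learns the
    non-overlapping 'external' prefix for that tunnel instead of 'internal'."""
    return [(external if hop == tunnel and net == internal else net, hop)
            for net, hop in routes]

def translate(addr, src_net, dst_net):
    """One-to-one address translation between two equal-sized prefixes:
    keep the host offset, swap the network part."""
    offset = int(ipaddress.ip_address(addr)) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + offset))

# Constructed, non-overlapping prefix that site B's 192.12.5.0/24 is presented as (assumption).
SITE_B_INTERNAL = ipaddress.ip_network("192.12.5.0/24")
SITE_B_EXTERNAL = ipaddress.ip_network("10.255.5.0/24")
NAT_ROUTES = nat_routes(ROUTES, "tunnel-B", SITE_B_INTERNAL, SITE_B_EXTERNAL)

if __name__ == "__main__":
    print(select_route("192.12.5.10"))              # tunnel-B: the /24 wins over the /16
    print(select_route("192.12.7.10"))              # tunnel-A
    print(shadowed())                               # site A's 192.12.5.0/24 is unreachable
    print(select_route("192.12.5.10", NAT_ROUTES))  # tunnel-A again once NAT is in place
    print(select_route("10.255.5.10", NAT_ROUTES))  # tunnel-B via the translated prefix
    print(translate("10.255.5.10", SITE_B_EXTERNAL, SITE_B_INTERNAL))  # 192.12.5.10
```

Without the NAT rule, traffic from Azure to any 192.12.5.x host at site A is silently sent down tunnel B, which is the asymmetry the question asks about; with it, Azure addresses site B's hosts through 10.255.5.0/24 and both sites stay reachable.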
