Vnet-to-Vnet Gateway Peer with On-Premise

FunMum 80 Reputation points
2024-08-10T22:54:00.2333333+00:00

Greetings,

I am trying to get a clear answer to this.

- 2 Regions, each has a VPN Gateway site-to-site to on-premises

- 2 Vnets, 2 Regions connected using Vnet-to-Vnet Peer (bidirectional, initiated on Site A)

Problem: Site B (has site-to-site with WestUS), cannot communicate with Azure VM in EastUS

Is this the best approach and should it be working? Or do I need a direct S-to-S connection between Site B and EastUS?

When I look at the local gateway of the EastUS VPN Gateway, I don't see any network updates other than the Site A on-premises networks I put in there.

Can network traffic from Site B (on-prem) use WestUS as a transit to get to EastUS? I thought that was the point of the GW VPN peer over the global vnet peer. Any thoughts? Any help would be greatly appreciated.

See diagramGateway.png


Accepted answer
  1. KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee
    2024-08-12T04:51:27.0533333+00:00

    @FunMum

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I see akinbade abiola has addressed your queries.

    We do not have an out-of-the-box solution for scenarios without BGP.

    You can try the solutions below:

    #1

    Use a single VPN Gateway, connect this to both the OnPrem sites

    • And make the other VNET a Spoke and enable VPN gateway transit
    • Azure recommends the use of a Hub-multi-Spoke model, and you are currently using a multi-Hub model (2 VPN Gateways)
      • Many services are built considering a single-Hub scenario

    #2

    Or use Static Routing. However,

    • This requires you to deploy Azure Firewall or a third-party NVA in both the VNETs
    • This requires you to manually configure the routing and also the Firewall/NVA to allow the traffic
    • This requires that the OnPrem also sends a traffic selector that consists of both VNETs' address ranges.
    • This also requires that the 2 VNETs are peered using normal VNET Peering instead of VNET-2-VNET

    For naming convention, say:

    • VPN1 (VNET1) is connected to Site1
    • VPN2 (VNET2) is connected to Site2
    • VNET1 and VNET2 are connected via VNET Peering
    • VM1 is in VNET1 and VM2 is in VNET2

    Now,

    • Deploy a Firewall or NVA in both the VNETs
      • Call it Firewall1 and Firewall2
    • On all the subnets of the VNET1,
      • Attach a route table with nextHopAddress as Site2 Address range and nextHop as Firewall2
      • This will enable all traffic destined to Site2 from VNET1 to go to the Firewall2
      • From Firewall2, the platform will take care of sending the traffic via VPN2 to Site2
    • Similarly, on all the subnets of the VNET2,
      • Attach a route table with nextHopAddress as Site1 Address range and nextHop as Firewall1
      • This will enable all traffic destined to Site1 from VNET2 to go to the Firewall1
      • From Firewall1, the platform will take care of sending the traffic via VPN1 to Site1
    • You can find a similar architecture here (this talks about Spoke VNETs while we use VNET-2-VNET)

    Hope this adds more clarity.

    Additionally, also consider vWAN, as it supports any-to-any connectivity.

    Please let us know if we can be of any further assistance here.

    Thanks,

    Kapil


    Please Accept an answer if correct.

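The static-routing design in option #2 above comes down to Azure's route selection on each subnet. The following is an added example, not code from the answer or from Microsoft: a small model of an Azure effective route table that shows why VNET1 cannot reach Site2 on its own (VNET peering does not carry VPN2's on-premises routes, so the only matching entry is the default Internet route) and how the user-defined route with Site2's prefix and Firewall2 as the next hop changes the decision. It also checks the traffic-selector requirement from the same option. All addresses (10.1.0.0/16, 10.2.0.0/16, 192.168.1.0/24, 192.168.2.0/24, 10.2.255.4) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One entry of an Azure effective route table (simplified model)."""
    prefix: ipaddress.IPv4Network
    next_hop_type: str                 # VnetLocal, VNetPeering, VirtualNetworkGateway, VirtualAppliance, Internet
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance
    source: str = "Default"            # "User" for a UDR, "BGP", or "Default" for a system route


# Constructed address plan (hypothetical, not taken from the question).
VNET1 = ipaddress.ip_network("10.1.0.0/16")      # VNET1, hosts VPN1 and Firewall1
VNET2 = ipaddress.ip_network("10.2.0.0/16")      # VNET2, hosts VPN2 and Firewall2
SITE1 = ipaddress.ip_network("192.168.1.0/24")   # on-premises Site1, behind VPN1
SITE2 = ipaddress.ip_network("192.168.2.0/24")   # on-premises Site2, behind VPN2
FIREWALL2_IP = "10.2.255.4"                      # private IP of Firewall2 inside VNET2

# What Azure programs on a VNET1 subnet by itself: its own space, the peered
# VNET2 space, Site1 (from VPN1's local network gateway) and the default
# Internet route. Nothing points at Site2, because peering is not transitive
# and VNET1 never learns VPN2's on-premises prefixes without BGP.
SYSTEM_ROUTES_VNET1: List[Route] = [
    Route(VNET1, "VnetLocal"),
    Route(VNET2, "VNetPeering"),
    Route(SITE1, "VirtualNetworkGateway"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "Internet"),
]

# The user-defined route from option #2: Site2's range, next hop Firewall2.
UDR_VNET1: List[Route] = [
    Route(SITE2, "VirtualAppliance", FIREWALL2_IP, source="User"),
]

_SOURCE_RANK = {"User": 0, "BGP": 1, "Default": 2}


def effective_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Azure route selection: longest prefix match first; on an equal prefix
    length a user-defined route wins over BGP, which wins over a system route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, _SOURCE_RANK[r.source]))


def next_hop(routes: List[Route], dst: str) -> Tuple[str, Optional[str]]:
    """Return (next hop type, next hop IP) that a packet to dst would get."""
    r = effective_route(routes, dst)
    return (r.next_hop_type, r.next_hop_ip) if r else ("None", None)


def traffic_selector_covers(selectors: List[str], required: List[ipaddress.IPv4Network]) -> bool:
    """True when every required VNET range lies inside some prefix that the
    on-premises IPsec peer proposes as its remote traffic selector. Site2 must
    list both VNET1 and VNET2, or VPN2 will drop VNET1-sourced packets."""
    sels = [ipaddress.ip_network(s) for s in selectors]
    return all(any(n.subnet_of(s) for s in sels) for n in required)


if __name__ == "__main__":
    site2_host = "192.168.2.10"
    print("VNET1 -> Site2 without UDR:", next_hop(SYSTEM_ROUTES_VNET1, site2_host))
    print("VNET1 -> Site2 with UDR:   ", next_hop(SYSTEM_ROUTES_VNET1 + UDR_VNET1, site2_host))
    print("Site2 selector covers both VNETs:",
          traffic_selector_covers(["10.2.0.0/16", "10.1.0.0/16"], [VNET1, VNET2]))
```

The same route, created for real on VNET1's route table with the Azure CLI, is `az network route-table route create --address-prefix 192.168.2.0/24 --next-hop-type VirtualAppliance --next-hop-ip-address 10.2.255.4` (plus the resource group and table names); the model above is only there to show which entry wins and why the on-premises traffic selector has to grow with it.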

1 additional answer

  1. akinbade abiola 17,290 Reputation points
    2024-08-11T02:20:49.03+00:00

    Traffic from Site B should be able to use WestUS as a transit to get to EastUS, if gateway transit is properly configured. You don't necessarily need a direct S2S connection between Site B and EastUS if you configure everything correctly.

    Looks like route propagation isn't working as expected. This could be due to missing BGP configuration or gateway transit settings. Also make sure to verify the peering, routing tables, and security rules.

    See: https://zcusa.951200.xyz/en-us/azure/vpn-gateway/bgp-howto?source=recommendations

    You can mark it 'Accept Answer' and 'Upvote' if this helped you.

    Regards,

    Abiola
