Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,543 questions
Azure VPN Gateway Migration
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 13%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Josiah Sederquist
0
Reputation points
Hello,
I am trying to move our environment to a hub and spoke model. Currently our production vnet has its workloads and vpn gateway built into the same vnet. We have been looking into how we can create a new hub apart from our production vnet and then reconnecting everything to the hub via peering.
The diagram above shows things as they are now. The prod vnet and hub can exchange their immediate traffic in their vnet's but there is no utilization of each others gateways. The Dev Vnet is peered to and able to use the New hubs gateway to reach site 3. Site 3 is a site that is not attached to any production workloads in Azure and is there for testing connectivity.
Now I am trying to figure out the best way to cut over the old connections to the new hub. This document here said that a VNet cannot use more than one gateway: https://zcusa.951200.xyz/en-us/azure/virtual-network/virtual-network-peering-overview#gateways-and-on-premises-connectivity . As a result I have not tried to peer the Prod Vnet to the hub as I am afraid Prod will drop its connections to site 1 and site 2. Will I just need to schedule some downtime to rebuild the connections using the hub or is there a way to set things up ahead of time on the new hub and then reroute the the prod vnet away from the old vpn gateway?
Thanks ahead of time!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 81%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Sai Prasanna Sinde (Quadrant Resource LLC) 680 Reputation points Microsoft Vendor2024-10-09T16:31:21.1433333+00:00 Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
We are reaching out to the internal team to get more information related to your query and will get back to you as soon as we have an update.
Thank you for your patience.
Regards,
Sai Prasanna.
-
Sai Prasanna Sinde (Quadrant Resource LLC) 680 Reputation points Microsoft Vendor
2024-10-10T05:18:42.1566667+00:00 Thank you for your patience.
- You can set up the new hub Vnet with its VPN gateway, please make sure that it can handle the traffic between the hub and other spoke Vnets. Configuring this beforehand will minimize downtime during the cutover. Make sure that any necessary NSG's and UDR's are correctly set up to facilitate the desired traffic flow within the hub VNet and to any connected spokes, like your production VNet.
- You can create a peering connection between the production Vnet and the new hub Vnet. While a production Vnet cannot utilize multiple VPN gateways concurrently, making this connection will allow you to configure the route tables and make sure traffic can flow to the hub for all future connections without affecting existing connections immediately. During the peering setup, enable Gateway Transit for the hub's Vnet settings, allowing spokes to use the hub's VPN gateway for outbound connections.
- Before fully transitioning, conduct tests to validate connectivity through the hub to external sites using the hub's gateway. This will ensure that no operational impacts occur from the new configuration.
- After successfully validating that the hub can handle the traffic and there isn't any impact, proceed to cut over the production VNet’s exit routes. You should disconnect the existing connections from the old VPN gateway. Make sure there is no critical traffic relies on this gateway at the time of disconnection. Update the routing configurations in the production VNet to direct traffic through the new hub's gateway—this can usually be achieved with minimal downtime. After updating the routes, monitor the connectivity during this final migration phase to make sure everything flows as expected and schedule the cutover during off-peak hours to decrease the impact on your operations. Kindly let us know if the above helps or you need further assistance on this issue.
-
Sai Prasanna Sinde (Quadrant Resource LLC) 680 Reputation points Microsoft Vendor
2024-10-14T02:05:35.8066667+00:00 Greetings!
Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
We are happy to help you.
Thanks,
Sai Prasanna.
-
Sai Prasanna Sinde (Quadrant Resource LLC) 680 Reputation points Microsoft Vendor
2024-10-15T06:00:58.66+00:00 Good day!
Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
We are happy to assist you.
Thanks,
Sai Prasanna.
Sign in to comment
Sign in to answer