Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,543 questions
Site-to-Site VPN connection over ExpressRoute private peering not valid
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 64%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Dean
0
Reputation points
Hello,
It seems this article is either outdated or wrong with what it is currently proposing - the requirements most likely need to change.
We have the same issue as described here, we have full control of the firewall from on-prem and can manipulate the routes as needed.
Our setup
ExpressRoute circuit with private peering - working
ER VPN GateWay and VNET linked with ER connection
VPN GateWay with private IP's enabled
Connection(IPSEC) with private IP's enabled
The IPSEC connection is established but traffic from Azure to on-prem does not prefer it.
Azure needs to send on-prem the routes. This isn’t an on prem to Azure issue, the firewall can manipulate the routes anyway we need to. But if we receive the /16 over the tunnel, the underlay (ER) will drop because that’s how the firewall gets to its IPSec peer IP, by means of the /16 route we get on the ER.
We can’t have the same /16 coming over the underlay and IPSec overlay
Need something more specific for the overlay IPsec subnets
Are we missing something here? It feels like our only other options are:
- Using ExpressRoute without IPSEC(can't do this as it's a requirement)
- NVA - will need to look into this
- Azure VirtualWAN (not viable right now) - can we use AS-PATH prepending with virtual WAN?
Not sure where to go from here but as it stands site-to-site over ExpressRoute and how the configuration is laid out in that article won't work with native Azure resources.
Do you maybe have an example setup that's working with only configuring the wider /16 path over ER and more specific path /24 over VPN on-prem side? If that could be shared then we could do a comparison.
Thanks
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 71%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Ganesh Patapati 735 Reputation points Microsoft Vendor2024-10-18T14:37:52.6666667+00:00 Hi Dean,
Greetings,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
- We are checking with our internal team regarding your issue and will get back to you as soon as possible with an update. Thank you for your patience and understanding.
Regards,
Ganesh
Sign in to comment
Sign in to answer