P2S VPN Cannot Connect To Peered Virtual Network Which Uses Another Virtual Networks Gateway
Is there any way I can achieve the below without using an NVA in VNET 2 or putting the P2S VPN in VNET 1?
I need two methods of access to our Application Gateway, both private.
Users on prem can currently access via the ExpressRoute; however, users using the P2S VPN are unable to do so due to VNET 2 using the remote gateway of VNET 1. I have included the peering settings for info.
It is not only an Application Gateway in VNET 2 but I have only included this for simplicity.
Azure VPN Gateway
Azure Virtual Network
Azure ExpressRoute
-
Luca Lionetti 3,211 Reputation points
2023-05-30T12:18:26.9566667+00:00 Hi @devopsfj
Welcome to Microsoft Q&A community forum!
You could configure the P2S in the same VNet as the ExpressRoute, so as to have both types of users connect to VNet1 and then transit to VNet2.
Check this link for ref:
Hope this helps
Cheers
Luca
-
devopsfj 201 Reputation points
2023-05-30T13:53:36.2966667+00:00 Hi!
Thanks for the response.
As per the question
Is there any way I can achieve the below without using an NVA in VNET 2 or putting the P2S VPN in VNET 1?
I am looking to avoid doing this if possible, just due to the nature of the project we are looking for segregation.
Do you know if it is at all possible?
Thanks!
-
GitaraniSharma-MSFT 49,591 Reputation points • Microsoft Employee
2023-05-31T14:11:51.0533333+00:00 Hello @devopsfj ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that your P2S VPN clients are unable to connect to the peered VNet which uses another virtual network gateway as shown in the diagram, and you would like to achieve the setup without using an NVA in VNET 2 or putting the P2S VPN in VNET 1.
The setup you are trying to achieve is not possible without any of the below:
- Move the P2S VPN to Vnet1, which you want to avoid.
- Deploy NVA in Vnet 2 - even this you want to avoid.
- Create a VPN gateway in Vnet1 and add an S2S VPN connection between Vnet1 and Vnet3, enabling BGP for transit routing, and remove the Vnet peering between Vnet2 and Vnet3.
Refer: https://video2.skills-academy.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview#transitrouting
- Create VPN gateways in Vnet1 and Vnet2 and then create S2S connections as below:
VPN gateway 1(Vnet1)<---S2S---> VPN gateway 2(Vnet2)<---S2S--->VPN gateway 3(Vnet3)
The local network gateway for each VNet treats the other VNet as a local site. When you configure a Site-to-Site VPN connection between the 2 Vnets, you have to create a Local Network Gateway on both sides.
Only the above 4 options will help in achieving your requirement.
Regards,
Gita
-
devopsfj 201 Reputation points
2023-05-31T14:24:53.2333333+00:00 Thanks for the feedback @GitaraniSharma-MSFT
Would the following work?
Move the P2S VPN into VNET-02 and remove VNET-03 altogether.
Then have a VNET TO VNET Connection from Express Route Gateway (VNET-01) <---> Virtual Network Gateway (VNET-02)?
Would this then allow access to the AppGw from On Prem AND P2S VPN?
-
GitaraniSharma-MSFT 49,591 Reputation points • Microsoft Employee
2023-05-31T14:44:42.1433333+00:00 Hello @devopsfj ,
No, the above configuration will not work because you cannot create a Vnet-to-Vnet connection from an ExpressRoute type gateway to a VPN gateway. The gateway type should be VPN.
Even if you remove Vnet3 and deploy a P2S VPN gateway in Vnet2, you will have to deploy a VPN gateway in Vnet1 as a co-existing scenario and then create a connection between the 2 VPN gateways.
The VNet-to-VNet connection doesn't include Point-to-Site client pool address space. If you need transitive routing for Point-to-Site clients, then create a Site-to-Site connection between the virtual network gateways.
Regards,
Gita
-
devopsfj 201 Reputation points
2023-05-31T14:49:29.17+00:00 Ah OK, we also have another VPN Gateway in VNET-01 already, so we can leverage this (we have an Express Route Gateway & VPN Gateway in VNET-01).
So the only way to get this working would be an S2S Connection between the VPN Gateway in VNET-01 and the VPN Gateway in VNET-02? VNet to VNet would not work?
I am not sure it would matter in our case because we only need the P2S VPN to access VNET-02, we are not bothered about it accessing On Prem.
-
GitaraniSharma-MSFT 49,591 Reputation points • Microsoft Employee
2023-05-31T15:14:10.65+00:00 Hello @devopsfj , if you already have an existing VPN gateway in Vnet1, then you can create an S2S connection between the Vnet1 VPN gateway and the Vnet2 VPN gateway.
Vnet-to-Vnet connection will not work because when you create a VNet-to-VNet connection, the local network gateway address space is automatically created and populated. The local network gateway isn't visible in this configuration, and you cannot add any additional address ranges. So, for the Application gateway and other resources in Vnet2, there won't be a return route to your on-prem site, and you cannot add the on-prem address range as well in the V2V connection.
If you create a S2S connection between both the gateways, then you can create and configure the local network gateways manually on both Vnet sides and can specify Vnet1 and on-prem address ranges on the Vnet2 local network gateway. This will make sure that your application gateway and other resources have a return route to your on-prem site.
Regards,
Gita
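The S2S layout from the answer above, written out as Azure CLI commands. This is an added example, not code from the thread or from Microsoft; the resource names, public IPs, address prefixes and the APPLY/DRY-run convention are all assumed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the thread). Builds the S2S pair the answer describes:
# existing VPN gateway in VNET-01 <---S2S---> VPN gateway in VNET-02, with a manually
# defined local network gateway on each side so VNET-02 gets return routes to VNET-01
# and on-prem, and VNET-01 learns the P2S client pool. All values are assumed placeholders.
RG=${RG:-rg-example}
LOC=${LOC:-uksouth}
VNET1_GW=${VNET1_GW:-vgw-vnet01}          # existing VPN gateway in VNET-01 (coexists with the ER gateway)
VNET2_GW=${VNET2_GW:-vgw-vnet02}          # VPN gateway in VNET-02 (carries the P2S configuration)
VNET1_GW_IP=${VNET1_GW_IP:-203.0.113.10}  # public IP of the VNET-01 VPN gateway (documentation range)
VNET2_GW_IP=${VNET2_GW_IP:-203.0.113.20}  # public IP of the VNET-02 VPN gateway (documentation range)
VNET1_PREFIX=${VNET1_PREFIX:-10.1.0.0/16}
VNET2_PREFIX=${VNET2_PREFIX:-10.2.0.0/16}
ONPREM_PREFIX=${ONPREM_PREFIX:-192.168.0.0/16}   # reached through ExpressRoute in VNET-01
P2S_POOL=${P2S_POOL:-172.16.0.0/24}              # P2S client address pool on the VNET-02 gateway
SHARED_KEY=${SHARED_KEY:-CHANGE-ME}              # supply via environment; never printed by this script

# Local network gateway = remote gateway public IP + every prefix this side must reach via the tunnel.
# Args: name, remote gateway IP, prefixes...
lng_cmd() {
  name=$1; ip=$2; shift 2
  echo "az network local-gateway create -g $RG -l $LOC -n $name --gateway-ip-address $ip --local-address-prefixes $*"
}
# S2S connection from a VPN gateway to a local network gateway (one per direction).
# The key is referenced by variable name so a dry run never leaks it.
conn_cmd() {
  echo "az network vpn-connection create -g $RG -l $LOC -n $1 --vnet-gateway1 $2 --local-gateway2 $3 --shared-key \"\$SHARED_KEY\""
}
# Seen from VNET-01: the VNET-02 gateway, with VNET-02 and the P2S pool behind it.
lng_vnet02_side() { lng_cmd lng-vnet02 "$VNET2_GW_IP" "$VNET2_PREFIX" "$P2S_POOL"; }
# Seen from VNET-02: the VNET-01 gateway, with VNET-01 and on-prem behind it (the return route).
lng_vnet01_side() { lng_cmd lng-vnet01 "$VNET1_GW_IP" "$VNET1_PREFIX" "$ONPREM_PREFIX"; }

plan() {
  lng_vnet02_side
  lng_vnet01_side
  conn_cmd cn-vnet01-to-vnet02 "$VNET1_GW" lng-vnet02
  conn_cmd cn-vnet02-to-vnet01 "$VNET2_GW" lng-vnet01
  # Check both tunnels after creation; each should report "Connected".
  echo "az network vpn-connection show -g $RG -n cn-vnet01-to-vnet02 --query connectionStatus -o tsv"
  echo "az network vpn-connection show -g $RG -n cn-vnet02-to-vnet01 --query connectionStatus -o tsv"
}

# Default is a dry run that prints the plan; APPLY=1 executes each command in order.
if [ "${APPLY:-0}" = 1 ]; then plan | while IFS= read -r cmd; do eval "$cmd"; done; else plan; fi
```

If the P2S pool is not in the VNET-01 local network gateway, on-prem and VNET-01 resources have no route back to P2S clients even though the tunnel comes up.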
-
GitaraniSharma-MSFT 49,591 Reputation points • Microsoft Employee
2023-06-13T10:13:56.62+00:00 @devopsfj , do you have any updates on this post? Kindly let us know if the above helps or you need further assistance on this issue.
-
GitaraniSharma-MSFT 49,591 Reputation points • Microsoft Employee
2023-06-20T15:00:52.7+00:00 @devopsfj , could you please provide an update on this post?
-
devopsfj 201 Reputation points
2023-06-20T15:33:11.08+00:00 @GitaraniSharma-MSFT We are still stuck on this issue unfortunately. Is there any other way I can get a connection to a Virtual Network, like using a 3rd party VPN which gives us an address in our VNet?
We do not want to use a JumpBox or Bastion.
-
GitaraniSharma-MSFT 49,591 Reputation points • Microsoft Employee
2023-06-26T12:13:11.2466667+00:00 @devopsfj , apologies for the delay in response. Could you please clarify what you mean by "Is there any other way I can get a connection to a Virtual Network, like using a 3rd party VPN which gives us an address in our VNet?"
Initially you mentioned you don't want to deploy any NVA, so I would request you to add some more details on your current requirement.
Regards,
Gita