Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,471 questions
Routing Issues with S2S VPN VNET Peered with ExpressRoute VNET
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 73%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER1%3C/text%3E%3C/svg%3E)
RahulRana-1085
10
Reputation points
The Context:
I have 3 VNETS (VNET1, VNET2, VNET3). VNET1 has a S2S VPN allowing on-prem devices to connect to Azure. VNET2 has an ExpressRoute allowing another subnet of on-prem devices to connect to Azure. VNET3 also has an ExpressRoute allowing another subnet of on-prem devices to connect to Azure.
VNET1 and VNET2 are currently peered so that infrastructure in VNET2 can talk to the on-prem devices connected via VNET1. Currently there exists an Azure Firewall (oldFirewall) with a * rule on VNET1 to allow on-prem devices in VNET1 access to public internet. VNET3 is not yet peered with VNET2 but that is expected soon.
The Desired Outcome:
I want to delete the oldFirewall and create a newFirewall in VNET2 so that all traffic from on-prem passes through the newFirewall first and then the infrastructure VMs, following a hub-and-spoke model.
The Problem:
I am having trouble with the Routing Tables. How should the routing be configured so that all on-prem traffic routes to the newFirewall first?
@GitaraniSharma-MSFT , I tried following some steps here: https://video2.skills-academy.com/en-us/answers/questions/860533/express-route-and-azure-firewall but I wasn't able to ping VNET1 on-prem devices from VNET2 VM after the routing change.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
KarishmaTiwari-MSFT 18,747 Reputation points Microsoft Employee2024-07-02T19:38:59.99+00:00 @RahulRana-1085 Thanks for posting your query on Microsoft Q&A.
Our team is looking into it and will get back as soon as possible. -
GitaraniSharma-MSFT 49,171 Reputation points Microsoft Employee2024-07-03T07:44:05.86+00:00 Hello @RahulRana-1085 ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.Looking at your setup, I would like to point out few things below:
VNET1(S2S VPN) and VNET2(ExpressRoute) are currently peered so that infrastructure in VNET2 can talk to the on-prem devices connected via VNET1.
The above is not possible. If you have ExpressRoute and site-to-site coexistence, transit routing isn't supported.
To enable transit routing between ExpressRoute and Azure VPN, you need to set up Azure Route Server. But the Azure VPN and ExpressRoute gateway must be deployed in the same virtual network as Route Server in order for BGP peering to be successfully established.
https://video2.skills-academy.com/en-us/azure/route-server/expressroute-vpn-support#how-does-it-work
The hub and spoke model define the below configuration:
- Hub virtual network. The hub virtual network hosts shared Azure services. Workloads hosted in the spoke virtual networks can use these services. The hub virtual network is the central point of connectivity for cross-premises networks.
- Spoke virtual networks. Spoke virtual networks isolate and manage workloads separately in each spoke. Each workload can include multiple tiers, with multiple subnets connected through Azure load balancers. Spokes can exist in different subscriptions and represent different environments, such as Production and Non-production.
But in your case, all 3 Vnets are hub Vnets.
It is recommended to connect all networks to the same ExpressRoute circuit by using any-to-any ExpressRoute connectivity model and linking all Vnets to the same ExpressRoute circuit.
Or use ExpressRoute and Site-to-Site coexisting connections in the same Vnet to connect to different on-premises sites as below:
So, first we need to re-align the existing setup and requirement to proceed further to Azure Firewall configuration.
Regards,
Gita
-
RahulRana-1085 10 Reputation points
2024-07-03T13:08:53.9333333+00:00 Thank you for your response @GitaraniSharma-MSFT !
Sorry I wasn't clear in what I meant by:
VNET1(S2S VPN) and VNET2(ExpressRoute) are currently peered so that infrastructure in VNET2 can talk to the on-prem devices connected via VNET1.
In VNET2, I have Azure VMs that allows me to manage/SSH into the on-prem devices. The S2S VPN in VNET1 is using one cellular provider and the ExpressRoute in VNET2 is using another. The on-prem devices cannot talk to each other.
Flow for S2S:
On-Prem Device --> Cellular Provider --> S2S VPN --> Azure VNET1 (and public internet)
Flow for VNET2 ExpressRoute:
On-Prem Device --> Cellular Provider --> ExpressRoute --> Azure VNET2 (using private peering)
Now since VNET1 and VNET2 are peered, I can do this:
Azure VM in VNET2 --> (ssh) --> On-Prem Device connected via S2S VPN
So in essence, regardless of the connectivity source, all traffic from on-prem devices should ideally pass through the Azure Firewall in VNET2 first before hitting any VM subnets or public internet.
-
GitaraniSharma-MSFT 49,171 Reputation points Microsoft Employee
2024-07-03T14:19:34.2566667+00:00 Hello @RahulRana-1085 ,
Now since VNET1 and VNET2 are peered, I can do this: Azure VM in VNET2 --> (ssh) --> On-Prem Device connected via S2S VPN
The above can only be done using gateway transit option, when only one of the peered Vnet has its own gateway.
You can configure the gateway in the peered virtual network as a transit point to an on-premises network. In this case, the virtual network that is using a remote gateway can't have its own gateway. A virtual network could have only one gateway, the gateway should be either local or remote gateway in the peered virtual network.
If both the Vnets have Virtual network gateways, then you cannot enable gateway transit option and cannot access on-premises networks connected to the peered Vnet. This is because of a virtual network peering limitation.
In your case Vnet1 and Vnet2 both have Virtual network gateways; hence the remote gateway/gateway transit option will not be available to configure in the Vnet peering and you cannot access on-premises resources from the peered Vnet.
If your setup is different from the above, please provide details on the gateways configured in the Vnets.
Regards,
Gita
Sign in to comment