Route on-prem traffic through an Azure NVA to a VPN Gateway in different vNET

Laurent van Mastrigt 20 Reputation points
2024-07-03T09:30:19.46+00:00

Hello, I have a question about routing through an NVA and a VPN Gateway. Our Azure environment is as follows:

  • An NVA (Meraki) which has set up an IPsec VPN with a Meraki in a datacenter.
  • Traffic from the datacenter must be routed to the NVA, which is in vNET1, through a VPN Gateway that is in vNET2.
  • There is vNET peering in place.
  • The VPN Gateway has a Connection with another environment where the traffic from the datacenter must arrive.

My questions are:

  • Is this even possible?
  • If so, what is required in order to set this up?

Attached is a representation of the situation. The red line is what I would like to achieve.

1 answer

  1. UJTyagi-MSFT 230 Reputation points Microsoft Employee
    2024-07-04T09:56:40.8733333+00:00

    Hi Laurent van Mastrigt ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    Thank you for posting the topology.

    This is my understanding regarding your setup, kindly advise if you see any correction.

    • You have 2 different vNets, vNet1 and vNet2, which are peered together.
    • vNet1 has a Meraki NVA which is forming an S2S VPN connection with your on-prem datacenter Meraki device.
    • vNet2 has an Azure Virtual Network Gateway which is forming an S2S VPN connection with your on-prem datacenter.
    • So, from the datacenter perspective you have 2 ways to reach vNet1:
    1. Via the S2S tunnel from the Meraki device in the datacenter to the Meraki NVA in vNet1 (direct reachability)
    2. Via the S2S tunnel from the datacenter (device detail unknown) to the Virtual Network Gateway in vNet2, then via vNet peering from vNet2 to vNet1.

    Kindly note the requirement is possible to implement. However, there are many important details which need clarification:

    • Kindly advise the objective of this setup. Are you trying to achieve a high-availability scenario from the vNet1 and vNet2 perspective to your datacenters?
    • Kindly specify if you are running a dynamic routing protocol with BGP over the S2S connections to vNet1 and vNet2.
    • Kindly specify if you are using the "use remote gateways" configuration on vNet1 under its peering configuration with vNet2 to use the Azure Virtual Network Gateway in vNet2 to reach the on-prem datacenter.
    • Kindly specify if the Azure Virtual Network Gateway tunnel is also getting terminated on the same Meraki device in the datacenter, or if there are 2 different devices to terminate the 2 different site-to-site tunnels. Also, if you are using 2 different devices for tunnel termination on-prem, are you running any dynamic protocol between them like BGP? Kindly explain the routing on the on-prem side as well.
    • You mentioned that for any outbound traffic from the datacenter to vNet1 you wish to use the tunnel to the Azure Virtual Network Gateway in vNet2, but you did not specify if your return traffic from vNet1 to the on-prem datacenter also has to follow the same path via the Azure Virtual Network Gateway.
    • Are you using any firewalls in transit?
    • Are you using any UDR configuration on either vNet1 or vNet2 to influence the routing behavior?

    Kindly share the above details to further assist you with your requirement.

    Regards

    Ujjawal Tyagi

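To make the peering and UDR points in the reply concrete, here is an added Bicep example (not from the question, the answer or Microsoft) of the Azure-side settings this topology relies on: vNet1 borrows vNet2's gateway, vNet2 accepts traffic the NVA forwards, and vNet2's GatewaySubnet gets a return route to the NVA. The vNet names, the NVA address and the datacenter prefix are assumptions.

```bicep
// Added example (not the poster's or Microsoft's config); names, addresses and prefix are assumptions.
param vnet1Name string = 'vNet1'                  // hosts the Meraki NVA
param vnet2Name string = 'vNet2'                  // hosts the Azure VPN Gateway
param nvaPrivateIp string = '10.1.1.4'            // assumed inside-NIC IP of the NVA
param datacenterPrefix string = '192.168.0.0/16'  // assumed on-prem range behind the Meraki tunnel

resource vnet1 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: vnet1Name }
resource vnet2 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: vnet2Name }

// vNet2 -> vNet1: offer the VPN Gateway to the peer and accept packets the NVA forwards,
// whose source addresses are on-prem ranges rather than vNet1 address space.
resource peering2to1 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: vnet2
  name: 'to-${vnet1Name}'
  properties: {
    remoteVirtualNetwork: { id: vnet1.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true   // without this, NVA-forwarded traffic is dropped at the peering
    allowGatewayTransit: true
    useRemoteGateways: false
  }
}

// vNet1 -> vNet2: vNet1 has no gateway of its own, so it uses vNet2's. The gateway-transit
// side must exist first, hence the explicit dependency.
resource peering1to2 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: vnet1
  name: 'to-${vnet2Name}'
  properties: {
    remoteVirtualNetwork: { id: vnet2.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: false
    useRemoteGateways: true
  }
  dependsOn: [ peering2to1 ]
}

// Return path: associate this table with vNet2's GatewaySubnet so replies for the datacenter
// range are sent back to the NVA rather than to a prefix the gateway has no route for.
resource gwSubnetRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-gatewaysubnet-${vnet2Name}'
  location: resourceGroup().location
  properties: {
    routes: [ {
      name: 'datacenter-via-nva'
      properties: { addressPrefix: datacenterPrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: nvaPrivateIp }
    } ]
  }
}
```

The route table still has to be associated with the GatewaySubnet and IP forwarding enabled on the NVA's NIC; neither step is shown here.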