S2S from Azure VPN GW through ExpressRoute to on-prem

Haytham 26 Reputation points
2021-09-28T08:47:03.18+00:00

Hello,

Our on-prem is connected using ExpressRoute to our hub VNet in Azure.
A partner organization (call them CorpA) has a remote site that is connecting to our on-prem site through MPLS.

This partner has only one VNet in Azure, and we have VNet peering between their VNet and our Hub VNet. Can this partner deploy an Azure VPN GW in their VNet, and establish a VPN tunnel to their site? and if yes, what SKUs of VPNGW will allow this? high availability is preferred.

The connection will be as follows, S2S VPN to be built between VPNGW in CorpA VNet to Corp A Router:
CorpA VNet (VPNGW) ---VNet Peering--- our VNet ---ER--- our on-prem Router ---MPLS--- CorpA Router

The reason for this is because they are not allowed to have internet connection to their Router, and they want to connect to their Azure VNet while encrypting their traffic. They may get their own ER in the future, but we want to check if it can be done like explained above.

Best regards,
HZ

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,389 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,165 questions
Azure ExpressRoute
Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.
323 questions
0 comments
Accepted answer
  1. GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee
    2021-09-28T15:14:03.73+00:00

    Hello @Haytham ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    Yes, your partner organization can deploy an Azure VPN gateway in their Vnet to establish a VPN tunnel to their on-premises site and choosing the SKU of the VPN gateway completely depends on the partner's throughput requirement. If you prefer high availability, then deploying an active-active VPN gateway could help (In case you go with active-active VPN gateway, the SKU can't be Basic or Standard).

    However, you need to consider the below points for this setup to work:
    As you mentioned, the partner's Vnet is peered with your Hub Vnet, what is the Vnet peering configuration here? Do you have the gateway transit feature enabled? Is their side of Vnet peering using the remote gateway (which in this case is your ExpressRoute gateway)? If the answer to above question is Yes, then the partner will not be able to deploy a VPN gateway in their Vnet.

    Each virtual network, including a peered virtual network, can have its own gateway. But, when you configure the gateway in the peered virtual network as a transit point to an on-premises network, the virtual network that is using a remote gateway can't have its own gateway. In such a case, the virtual network can have only one gateway - this gateway is either a local or remote gateway in the peered virtual network.
    Please refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#gateways-and-on-premises-connectivity

    To summarize, the partner will be able to deploy a VPN gateway in their Vnet if their Vnet has a normal Vnet peering setup with your Hub Vnet (where gateway transit & remote gateway configuration is not enabled).

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest