CharlieBrown-6402 asked

VPN Issue and Question

I have a VPN connection going to a HUB VNet and I need to add another VPN connection to the HUB. The problem is that this second connection's IP range conflicts with the HUB IP range. Is there a way to NAT, or any way to get this second environment connected to this gateway?

azure-vpn-gateway

AndreasBaumgarten answered

Hi @CharlieBrown-6402 ,

Overlapping IP address spaces, whether on-premises or in Azure, are a killer for the Azure VPN Gateway site-to-site connection.

There is no way around getting rid of the overlapping IP address spaces in Azure. And as this is an overlap on the vendor side, it has to be resolved at the vendor.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


AndreasBaumgarten answered

Hi @CharlieBrown-6402 ,

There is no NAT component involved in a site-to-site Azure VPN Gateway connection.
If you connect your local network via a VPN Gateway site-to-site connection, it is almost like connecting two networks via a router. If both networks use the same subnet IP range, routing isn't possible.

Please refer:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#can-there-be-overlapping-address-spaces-among-connected-virtual-networks-and-on-premises-local-sites


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


CharlieBrown-6402 answered

On the second site a vendor has a set range of IPs that they can route to, 10.93.x.x/24, but on the Azure side we are in the range 172.168.x.x/24, which has a VPN gateway. Would it be possible for me to create a new VNet with 10.93.x.x/24, create another gateway for a VPN to connect, and then peer this new VNet to the other 172 VNet? I don't believe I can have two VPN gateways on a VNet and peer, but I wanted to confirm.

Or is there another way to get these two VNets peered while having a VPN connected to each? Maybe a VNet-to-VNet connection?


AndreasBaumgarten answered AndreasBaumgarten edited

Hi @CharlieBrown-6402 ,

Just to get a better picture of your environment:
Which IP address space does your Azure virtual network use?
Which IP address spaces do the subnets in the virtual network use?
Which IP address space (one or more network address spaces) does your first on-premises network use?
Which IP address space (one or more network address spaces) does your second on-premises network use?

Based on your answer (10.93.x.x/24 and 172.168.x.x/24) I don't see the IP range conflict you mentioned in your question.
To find an answer, it is necessary to know all private IP address spaces used in your environments.

Basically the VPN Gateway and the site-to-site connections are "working as a router". Most important: there must be no overlap among any of the network address spaces (on-premises and Azure).


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


CharlieBrown-6402 answered

The vendor only wants to route to address space 10.93.172.0/24 in our Azure environment, which will also require a gateway subnet in this range for the S2S connection from them. For this to happen, I will need to create a new VNet for that network. Currently in Azure I have an IP scope of 172.20.8.0/24, which has a VPN gateway subnet of 172.20.8.0/26 and is peered to 172.20.4.x. So I will have two S2S connections going to two separate VNets, but I also need to have these networks peered.

I believe that to have this new subnet and peer it to the existing network, the 10.93.x.x will need to be the gateway and the 172.20.4.x will need to be the remote gateway. But the problem is that I already have the 172.4.x.x as a remote to the HUB 172.20.4.x - see example attachment.


[1]: /answers/storage/attachments/88855-2021-04-18-17-52-39.png

AndreasBaumgarten answered

Hi @CharlieBrown-6402 ,

You don't need to create another VNet to get this done. An Azure VPN Gateway supports multi-site site-to-site connections:
https://docs.microsoft.com/en-us/azure/vpn-gateway/design#Multi

You need to create a new connection in your existing Azure VPN Gateway and a new local network gateway:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-multi-site-to-site-resource-manager-portal

The local network gateway is responsible for routing the network traffic between the 172.20.8.0/24 and the 10.93.172.0/24.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


CharlieBrown-6402 answered

I think I was explaining it wrong.

The vendor network already has routes in place for 172.20.5.x and 172.20.8.x to another customer, so we will have overlapping IPs. Currently, in today's setup, we are using NAT at the FW to change IPs so we can communicate with this vendor.

I was hoping to find a way to have S2S, knowing that each side has overlapping IP ranges.

I think the only way I can see around this is to find a range in the 172.20.x.x/22 network that the vendor has available.
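To make the "no overlapping address spaces" rule from the answers above concrete, here is an added example (not from this thread, nor Microsoft's tooling) that checks every pair of prefixes across the sites mentioned in the thread for overlap and then lists the /24s inside a supernet that no site uses yet, which is the search the last post describes. It assumes the "x" ranges are /24s and that the /22 referred to is 172.20.4.0/22; both are assumptions, not facts from the thread.

```python
import ipaddress
from itertools import combinations

# Constructed from the address spaces mentioned in the thread. The ".x"
# ranges are assumed to be /24s. The vendor entry lists the prefixes the
# vendor already routes for another customer plus the range it will route
# to in Azure.
SITES = {
    "azure-hub": ["172.20.8.0/24"],
    "azure-spoke": ["172.20.4.0/24"],
    "vendor": ["10.93.172.0/24", "172.20.5.0/24", "172.20.8.0/24"],
}


def find_overlaps(sites):
    """Return (site_a, prefix_a, site_b, prefix_b) for every pair of prefixes
    on *different* sites that overlap. Any hit means a site-to-site
    connection cannot route between those two sites without readdressing."""
    nets = [(site, ipaddress.ip_network(p, strict=True))
            for site, prefixes in sites.items() for p in prefixes]
    return [(sa, str(na), sb, str(nb))
            for (sa, na), (sb, nb) in combinations(nets, 2)
            if sa != sb and na.overlaps(nb)]


def free_subnets(supernet, sites, new_prefix=24):
    """List the /new_prefix subnets of `supernet` that do not overlap any
    prefix used by any site: candidate ranges for a readdressed connection."""
    used = [ipaddress.ip_network(p) for ps in sites.values() for p in ps]
    return [str(s)
            for s in ipaddress.ip_network(supernet).subnets(new_prefix=new_prefix)
            if not any(s.overlaps(u) for u in used)]


if __name__ == "__main__":
    for a, pa, b, pb in find_overlaps(SITES):
        print(f"CONFLICT: {a} {pa} overlaps {b} {pb}")
    # 172.20.4.0/22 is an assumed supernet for the "172.20.x.x /22" above.
    print("free /24s in 172.20.4.0/22:", free_subnets("172.20.4.0/22", SITES))
```

Running it flags 172.20.8.0/24 as used on both the Azure hub and the vendor side, and leaves 172.20.6.0/24 and 172.20.7.0/24 as the unused /24s in the assumed supernet.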
