
QRBS asked RaviVarmanMSFT-5919 commented

VPN site-to-site communication vs. virtual network (we don't use the Azure VPN gateway)

Hello,

We want to set up high availability of our public IPs via Azure. Basically, we want to position, as the Azure entry bridgehead, a firewall/VPN VM (pfSense / Palo Alto etc.) and a web flow management VM (Kemp / Nginx etc.) in order to distribute the flow to different datacenters.

We want to establish multiple site-to-site VPN connections directly to the firewall VM. We have set up an Azure configuration, but from the different VPNs we cannot communicate with the Azure VMs behind the VPN.

We have created the Azure routes in order to redirect the flow from the second VM to the VPN; the ping works for a little while, then it cuts off. Is there an Azure limitation for this scenario?

(attachment: azure.png, network diagram)


azure-virtual-network

Hello @QRBS


Could you please provide an update on this post?


Kindly let us know if the below helps or if you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.


1 Answer

RaviVarmanMSFT-5919 answered

Hello @QRBS

Apologies for the delay in response.

  • So the setup is basically multi-site VPN connectivity with an NVA, i.e. a VPN VM (pfSense / Palo Alto etc.).

  • It should work like any other multi-site VPN transit connectivity works, as it is site-to-site connectivity to the third-party virtual appliance and its transit configuration. Configuration should be in place on the NVA for Client to DCs and vice versa, for transit routing based on the vendor you choose.

  • From the Azure VM, for traffic to your Client/DC1/DC2 you should have user-defined routes associated with the subnet stating that if traffic is destined to Client/DC1/DC2, the next hop is the virtual appliance, and provide its interface IP.

  • For incoming traffic to the Azure VMs from Client/DC1/DC2, once it reaches the virtual appliance, as it is in the same virtual network, with the Azure default system routes you should be able to reach the VM.

Hope this was helpful. Please let us know in case of any additional questions or concerns.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
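The user-defined routes described in the answer above, as an added example that is not part of the original thread and not the answerer's own code. It uses the Az PowerShell module to create one VirtualAppliance route per remote site, associate the route table with the subnet holding the Azure VMs, enable IP forwarding on the NVA's inside NIC (Azure drops packets a NIC forwards on behalf of other hosts unless this is on), and read back the effective routes of an application VM NIC. Every resource group, VNet, subnet, NIC name, address and prefix below is an assumption for illustration.

```powershell
# Added example (not from the original thread). All names, prefixes and IPs are assumptions.
$rg        = 'rg-hub'          # assumed resource group
$location  = 'westeurope'      # assumed region
$vnetName  = 'vnet-hub'        # assumed VNet holding the NVA and app subnets
$appSubnet = 'snet-app'        # assumed subnet of the Azure VMs (Kemp/Nginx etc.)
$nvaNic    = 'nic-fw-inside'   # assumed inside NIC of the pfSense/Palo Alto VM
$nvaIp     = '10.10.1.4'       # assumed private IP of that inside NIC
$appNic    = 'nic-web-01'      # assumed NIC of one Azure VM in snet-app

# Remote prefixes reached over the site-to-site tunnels on the NVA (assumed values).
$sites = @{
    'Client' = '192.168.10.0/24'
    'DC1'    = '10.20.0.0/16'
    'DC2'    = '10.30.0.0/16'
}

# 1. Route table with one VirtualAppliance route per remote site, next hop = NVA inside IP.
$rt = New-AzRouteTable -Name 'rt-to-nva' -ResourceGroupName $rg -Location $location
foreach ($site in $sites.GetEnumerator()) {
    $rt = Add-AzRouteConfig -RouteTable $rt -Name "to-$($site.Key)" `
            -AddressPrefix $site.Value `
            -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp
}
$rt = Set-AzRouteTable -RouteTable $rt

# 2. Associate the route table with the subnet holding the Azure VMs.
#    Set-AzVirtualNetworkSubnetConfig replaces the subnet config, so an existing NSG
#    association is passed back in, otherwise it would be silently dropped.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $appSubnet -VirtualNetwork $vnet
$params = @{
    Name           = $appSubnet
    VirtualNetwork = $vnet
    AddressPrefix  = $subnet.AddressPrefix
    RouteTable     = $rt
}
if ($subnet.NetworkSecurityGroup) { $params.NetworkSecurityGroup = $subnet.NetworkSecurityGroup }
Set-AzVirtualNetworkSubnetConfig @params | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. The NVA NIC must have IP forwarding enabled, or Azure discards traffic it forwards
#    that is not addressed to the NIC's own IP (the UDR alone is not enough).
$nic = Get-AzNetworkInterface -Name $nvaNic -ResourceGroupName $rg
if (-not $nic.EnableIPForwarding) {
    $nic.EnableIPForwarding = $true
    $nic | Set-AzNetworkInterface | Out-Null
}

# 4. Check from an application VM's NIC that each remote prefix now resolves to the NVA.
Get-AzEffectiveRouteTable -NetworkInterfaceName $appNic -ResourceGroupName $rg |
    Where-Object { $_.NextHopType -eq 'VirtualAppliance' } |
    Select-Object AddressPrefix, NextHopType, NextHopIpAddress
```

The effective-route listing in step 4 is the quickest way to confirm that the user-defined routes actually won over the system routes for the VM's subnet; the return path from the NVA to the Azure VMs needs no extra route because both sit in the same virtual network, as the answer notes.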
