DavidRamirezRodriguez-5792 asked SaiKishor-MSFT commented

ExpressRoute and VPN

Hello everyone, I need help with the following scenario:

We are implementing a hub and spoke vnet model, and I have the following requirements:

  1. Enable ExpressRoute between the local datacenter and the hub vnet.

  2. Enable security for the data in transit.

  3. Enable Backup connectivity in case the ExpressRoute is not available.

So far I know I can enable a site-to-site VPN over ExpressRoute, and I know I can enable a VPN over the Internet as a backup for the ExpressRoute, but I'm not sure if I can enable both at the same time. Can this scenario be implemented?



azure-vpn-gateway azure-expressroute

1 Answer

SaiKishor-MSFT answered SaiKishor-MSFT commented

@DavidRamirezRodriguez-5792 Thank you for reaching out to Microsoft Q&A.

I understand that you are having questions regarding setting up S2S VPN over ER and S2S VPN over Internet both from the same on-premise as primary/backup solutions.

This is definitely possible to set up, but you need BGP enabled on both the tunnels and you need to advertise the same networks on both of them. Please note that the S2S VPN over ER will always be preferred as it will have a lower number of hops. Hope this helps.


Please let us know if you have any further questions and we will be glad to assist you further. Thank you!


SaiKishor-MSFT thanks for the answer, it helps to know it's possible.

I have one more question: for the VPN over the private peering, the MS docs say that I have to "Enable Private IPs on the gateway":

https://docs.microsoft.com/en-us/azure/vpn-gateway/site-to-site-vpn-private-peering#portal

I assume the VNG will be able to use both IP addresses to terminate the VPNs from the CPE: the private IP will be the peer for the VPN over the ExpressRoute private peering, and the public IP will be the peer for the VPN over the Internet. Am I correct?

SaiKishor-MSFT to DavidRamirezRodriguez-5792:

@DavidRamirezRodriguez-5792 Yes, you are right. If/when you set up multiple tunnels to the same endpoint, you need multiple IP addresses for each of the tunnels; you cannot use the same IP for all tunnels. Therefore, when you create the VPN, for the VPN that goes over the Internet, you will create a local gateway with the public IP, and for the VPN that goes over the ER, you will create a local gateway with the private IP. Hope this helps. Please let us know if you have further questions/concerns. Thank you!


@SaiKishor-MSFT I meant from the customer side: in the CPE I have to use the public IP of the Azure VNG as the peer IP for the Internet VPN, and the Azure VNG private IP as the peer IP for the ER private peering VPN. Am I right?
