Virtual Network Gateway

Question

Hi There,&nbsp;&nbsp;I wanted to setup a Express route gateway and VPN on my Virtual Network gateway. I have Hub and Spoke model, where I create one subnet "GatewaySubnet" on hub vnet, Can I able to create two Virtual gateway one for Express route and another for S2S VPN for 3rd Party partners / Supporting vendors / B2B and so on. Any reference link much appreciated.&nbsp;As far I understand, generally&nbsp; Virtual Network gateway would be use either one for On-prem connectivity or VPN as fall back. But in this scenario&nbsp;Express Route for ---&gt; On-prem Connectivity&nbsp;VPN for ---&gt; 3rd party S2S VPN.&nbsp;

chrisbradshaw · Answer

This page explains how to configure an ExpressRoute and S2S VPN alongside each other. Does that help?https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager

ramakrishnanv · Answer

ChrisBradshaw&nbsp;Thanks for your response.&nbsp;Basically we wanted to achieve as shown in below:With out forcing the traffic to PAFW I can successfully establish the tunnel. Spoke to Spoke communication also working as expected. But I wanted force the traffic PA first then pass on to VPNGW in order to establish the tunnel. Similarly from outbound after VPN lands on VPNGW it should be pass thru PAFW.&nbsp;&nbsp;&nbsp;

chrisbradshaw · Answer

ramakrishnanv&nbsp;Have you implemented any User-defined routes here? I would suggest that your spoke subnets might need a default route where the next hop is the Virtual Appliance address of the firewall. The firewall in turn would then have a next hop of the VPN connection:Some details on User Defined Routes here: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

ramakrishnanv · Answer

Yes Chris,Placed the UDR with default route done at the spoke. Found the issue. there should be another route in the NVA(PAFW) has to be in place which pointing to Gatewaysubnet default gateway IP(in our case 10.0.0.1 &lt; subnet 1st ip&gt;) , so that traffic would be pick up by VPN gateway in order to encrypt and send them over to internet. Thanks for your response.

Forum Discussion

Virtual Network Gateway