Forum Discussion
VPN to a 3rd party on-premise data centre via the 3rd party Azure Express Route connection?
Hi all,
I am looking for some advice and guidance please on the best way to proceed with a requirement we have to stand up a new VPN from our own Azure environment to a 3rd party on-premise datacentre. The ask is that we leverage the third party's pre-existing ExpressRoute connectivity into their own Azure environment as opposed to standing the VPN up across the internet.
At a high level I am assuming some kind of VNet peering would be required between our Azure environment and that of the third party. I am also assuming that there would need to be some type of layer 3 routing appliance in the 3rd party's transit VNet to which we peer to provide onward routing across the third party's ExpressRoute circuit into their on-premise data centre?
Is it possible to achieve this end to end VPN connectivity where the VPN traverses a third party's Azure environment/ExpressRoute circuits? I am assuming as long as we can establish end to end IP connectivity then the VPN should be able to establish?
I have attached a basic diagram which hopefully shows/clarifies what we are trying to achieve.
Thanks for taking the time to read through and I appreciate any feedback given.
3 Replies
You may be interested in this:
Connect an on-premises network to Azure - Azure Architecture Center | Microsoft Learn
- _AndreG (Copper Contributor): If I remember correctly, this scenario will only work if Company B is using Azure Route Server to translate routes from the S2S to the ExpressRoute gateway.
https://learn.microsoft.com/en-us/azure/route-server/expressroute-vpn-support
It would be scenario 2.
- _AndreG (Copper Contributor):
Actually, thinking on it a bit further, there are quite a few questions here:
- Why is there both a VNet peering and a VPN between Company A and Company B?
- Why a new hub in Company B?
- Why is the VPN gw for Company A not in its existing hub?
- You don't need a router
What I think is possible, though I can't currently test it out, is to simply put a VPN gateway in the existing Hub for Company B and put one in the existing Hub for Company A. You can normally only have one network gateway in a VNet, but you can have both an ExpressRoute gateway and a VPN gateway in the same VNet (both being in the same subnet).
If the VPN connection in the hub for Company B is configured with a Local Network Gateway and this contains the needed IP range from Company A's VNet, it should work out of the box. The routes should be propagated over the ExpressRoute. If BGP is enabled on the Company B hub VPN Gateway, then you need to use the route server.
No VNet peering is needed between company A and B, not sure that would even work.
- For Company B, the peering between the new VNet and the HUB is not going to work. Since you can only create a peering that routes to a remote gateway if the VNet does not contain a gateway, there is no way to route VPN traffic into the ExpressRoute (you can set a Route Table on a Gateway subnet, but the ExpressRoute gw will not honor them).
- For Company A it depends on the actual hub setup. If there is no VPN gw in that hub, you might make it work. But I don't see why you would not put the VPN gw in the existing hub.
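One way to lay out the arrangement _AndreG describes for Company B's side (a route-based VPN gateway beside the existing ExpressRoute gateway in the hub, a Local Network Gateway holding Company A's prefixes, BGP left off), as an added Bicep example that is not from the thread or from Microsoft. The resource names, the hub VNet name 'hub-vnet' and the 10.50.0.0/16 prefix are assumptions; the GatewaySubnet is assumed to already exist in the hub.

```bicep
param location string = resourceGroup().location
param hubVnetName string = 'hub-vnet'            // assumed name of Company B's existing hub VNet
param companyAVpnPublicIp string                 // public IP of Company A's VPN gateway
param companyAPrefixes array = ['10.50.0.0/16']  // assumed Company A VNet range; carried as static routes
@secure() param sharedKey string                 // IPsec pre-shared key, supplied at deploy time
resource vpnGwPip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'hub-vpngw-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}
// RouteBased is required beside an ExpressRoute gateway; BGP stays off because the reply notes BGP here would need Azure Route Server.
resource vpnGw 'Microsoft.Network/virtualNetworkGateways@2023-09-01' = {
  name: 'hub-vpngw'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    enableBgp: false
    sku: { name: 'VpnGw1', tier: 'VpnGw1' }
    ipConfigurations: [
      {
        name: 'default'
        properties: {
          // Shared with the ExpressRoute gateway: the hub's single GatewaySubnet (/27 or larger for coexistence)
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnetName, 'GatewaySubnet') }
          publicIPAddress: { id: vpnGwPip.id }
        }
      }
    ]
  }
}
resource companyA 'Microsoft.Network/localNetworkGateways@2023-09-01' = {
  name: 'lng-company-a'
  location: location
  properties: {
    gatewayIpAddress: companyAVpnPublicIp
    localNetworkAddressSpace: { addressPrefixes: companyAPrefixes }
  }
}
resource s2s 'Microsoft.Network/connections@2023-09-01' = {
  name: 'cn-company-a'
  location: location
  properties: {
    connectionType: 'IPsec'
    sharedKey: sharedKey
    virtualNetworkGateway1: { id: vpnGw.id, properties: {} }
    localNetworkGateway2: { id: companyA.id, properties: {} }
  }
}
```

Company A deploys the mirror image in its own hub, with a Local Network Gateway pointing at hub-vpngw-pip and listing the Company B VNet and on-premises prefixes it needs to reach.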