I have set up a new Azure environment that needs to be connected to multiple sites (multiple offices and Amazon AWS). One of those offices uses a Sophos UTM9 router which doesn't support route based Virtual Network Gateway on Azure. So for that site, only policy based VPN connectivity is possible which equals a Basic Virtual Network Gateway on Azure.
The other sites do support Route Based VPN connectivity.
So at the moment I have three VNETs:
VNET one with a Gateway Subnet - Basic VPN connected to our office
VNET two with a Gateway Subnet - Route based (VPN GW1) connected to our Amazon AWS environment - which I will later on also use to connect to other offices that support Route Based connectivity
VNET three with an application
I want to connect VNET three with VNET one and VNET two and have bidirectional traffic going so offices/sites connected to VNET one can access the application on VNET three and send traffic back also and so that offices/sites connected to VNET two can also access the same application on VNET three and send traffic back.
I don't see right now how I can achieve this.
Can someone confirms my thoughts here or tell me where I'm wrong and explain what options I have in the end?
This is what I think I have found so far:
VNET peering is only possible (with remote gateway / transit options) once between two VNETS - I cannot have VNET peering between VNET one and three and VNET two and three in that sense.
VNET-to-VNET connectivity is an issue because VNET one has a basic VPN Gateway which only allows one connection. I can also only have one Network Gateway defined within a VNET, where you can have only one Gateway Subnet so this prevents using VNET-to-VNET connectivity between the different VNETs in the end.
If I use VNET peering to connect VNET one and VNET three which works fine, then I cannot set up VNET-to-VNET connectivity between VNET two and VNET three because of the VNET peering that exists on VNET three.
So I'm not sure how I should be overcoming this in terms of architecture / connectivity. I don't really want to go create Virtual Machines to get this connectivity going properly which might be an alternative I think to get this kind of configuration to work.
One option could be to replace our office VPN router and instead of using Sophos UTM9 go for a VPN router that allows IKEv2 and thus allows route based connectivity to Azure.
Worked around it be creating a policy based VPN tunnel to Amazon AWS and using a transit gateway to connect through to Azure since this connection is for maintenance/support purposes. Latency is acceptable so far so I’ll stick to this solution for the time being. On Azure I’ve got VPN’s connected on a GWvpn1 type gateway.