
Connecting a VNET with multiple VPN Gateways (one basic VPN GW and one VPN GW1)

Tom_Cenens

Dears

I have set up a new Azure environment that needs to be connected to multiple sites (multiple offices and Amazon AWS). One of those offices uses a Sophos UTM9 router which doesn't support a route-based Virtual Network Gateway on Azure. So for that site, only policy-based VPN connectivity is possible, which equals a Basic Virtual Network Gateway on Azure.

The other sites do support route-based VPN connectivity.

So at the moment I have three VNETs:

VNET one with a Gateway Subnet - Basic VPN connected to our office

VNET two with a Gateway Subnet - route-based (VPN GW1) connected to our Amazon AWS environment - which I will later on also use to connect to other offices that support route-based connectivity

VNET three with an application

I want to connect VNET three with VNET one and VNET two and have bidirectional traffic flowing, so that offices/sites connected to VNET one can access the application on VNET three and send traffic back, and so that offices/sites connected to VNET two can also access the same application on VNET three and send traffic back.

I don't see right now how I can achieve this.

Can someone confirm my thoughts here or tell me where I'm wrong and explain what options I have in the end?

This is what I think I have found so far:

VNET peering is only possible (with remote gateway / transit options) once between two VNETs - I cannot have VNET peering between VNET one and three and VNET two and three in that sense.

VNET-to-VNET connectivity is an issue because VNET one has a Basic VPN Gateway which only allows one connection. I can also only have one Network Gateway defined within a VNET, where you can have only one Gateway Subnet, so this prevents using VNET-to-VNET connectivity between the different VNETs in the end.

If I use VNET peering to connect VNET one and VNET three, which works fine, then I cannot set up VNET-to-VNET connectivity between VNET two and VNET three because of the VNET peering that exists on VNET three.

So I'm not sure how I should be overcoming this in terms of architecture / connectivity. I don't really want to go and create Virtual Machines to get this connectivity going properly, which I think might be an alternative to get this kind of configuration to work.

One option could be to replace our office VPN router and, instead of using Sophos UTM9, go for a VPN router that allows IKEv2 and thus allows route-based connectivity to Azure.

Best regards

Tom

2 Replies
Worked around it by creating a policy-based VPN tunnel to Amazon AWS and using a transit gateway to connect through to Azure, since this connection is for maintenance/support purposes. Latency is acceptable so far, so I'll stick to this solution for the time being. On Azure I've got VPNs connected on a GWvpn1 type gateway.

@Tom_Cenens Route-based VPN is the way to go for these connectivity requirements.
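As an added example that is not part of the original thread (and not Tom's or Microsoft's own script), here is the route-based design the last reply recommends, written with the Az PowerShell module: a single hub VNET holding the only GatewaySubnet and one route-based VpnGw1 gateway, every site (AWS, the office once it has an IKEv2-capable router) terminating as a separate connection on that same gateway, and the application VNET peered to the hub with gateway transit. All resource names, address spaces, peer IPs and the Key Vault name are placeholders.

```powershell
# Added example: hub VNET with one route-based VpnGw1 gateway carrying several
# site-to-site connections, plus a spoke (application) VNET that reaches those
# sites through the hub gateway via VNET peering.
# Assumptions: Az module installed and Connect-AzAccount done; all names,
# prefixes, peer IPs and the Key Vault are placeholders, not real resources.
$rg  = 'rg-hub-network'
$loc = 'westeurope'

# Hub VNET. A VNET can hold exactly one GatewaySubnet and one VPN gateway, so all
# tunnels that the spoke must reach have to land on this gateway.
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.255.0/27'
$hub = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $loc `
         -AddressPrefix '10.0.0.0/16' -Subnet $gwSubnet

# Route-based gateway: required for more than one site-to-site connection
# (a policy-based gateway is limited to a single tunnel).
$pip = New-AzPublicIpAddress -Name 'pip-vpngw-hub' -ResourceGroupName $rg -Location $loc `
         -Sku Standard -AllocationMethod Static
$gwSub = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $hub
$ipcfg = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipcfg' -SubnetId $gwSub.Id -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $loc `
        -IpConfigurations $ipcfg -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# One local network gateway per remote site (peer IP + on-premises prefixes).
$aws = New-AzLocalNetworkGateway -Name 'lng-aws' -ResourceGroupName $rg -Location $loc `
         -GatewayIpAddress '203.0.113.10' -AddressPrefix @('172.16.0.0/16')
$office = New-AzLocalNetworkGateway -Name 'lng-office' -ResourceGroupName $rg -Location $loc `
            -GatewayIpAddress '198.51.100.20' -AddressPrefix @('192.168.0.0/24')

# One IKEv2 connection per site on the same gateway. Pre-shared keys come from
# Key Vault instead of being hard-coded in the script or stored in history.
$pskAws    = Get-AzKeyVaultSecret -VaultName 'kv-network-secrets' -Name 'psk-aws'    -AsPlainText
$pskOffice = Get-AzKeyVaultSecret -VaultName 'kv-network-secrets' -Name 'psk-office' -AsPlainText
New-AzVirtualNetworkGatewayConnection -Name 'cn-aws' -ResourceGroupName $rg -Location $loc `
  -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $aws -ConnectionType IPsec `
  -ConnectionProtocol IKEv2 -SharedKey $pskAws
New-AzVirtualNetworkGatewayConnection -Name 'cn-office' -ResourceGroupName $rg -Location $loc `
  -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $office -ConnectionType IPsec `
  -ConnectionProtocol IKEv2 -SharedKey $pskOffice

# Application VNET, peered both ways. The hub side allows gateway transit; the
# spoke side uses the remote gateway. Azure accepts UseRemoteGateways on only one
# peering per VNET, which is the restriction described in the question: the spoke
# cannot also use a second gateway VNET, so every site must share the hub gateway.
$app = New-AzVirtualNetwork -Name 'vnet-app' -ResourceGroupName $rg -Location $loc `
         -AddressPrefix '10.1.0.0/16'
Add-AzVirtualNetworkPeering -Name 'hub-to-app' -VirtualNetwork $hub -RemoteVirtualNetworkId $app.Id `
  -AllowGatewayTransit -AllowForwardedTraffic
Add-AzVirtualNetworkPeering -Name 'app-to-hub' -VirtualNetwork $app -RemoteVirtualNetworkId $hub.Id `
  -UseRemoteGateways -AllowForwardedTraffic

# Checks: tunnels should report Connected, the spoke peering should be Connected
# with UseRemoteGateways set to True.
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
  Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName 'vnet-app' |
  Select-Object Name, PeeringState, UseRemoteGateways
```

Two practical caveats: the `app-to-hub` peering with `-UseRemoteGateways` will be rejected until the hub gateway has finished provisioning (gateway creation takes a long time, so create it first), and the office router's traffic selectors must be configured for the spoke prefix `10.1.0.0/16` as well as the hub prefix, otherwise the return path from the office to the application will be dropped on the on-premises side.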
