Express route IPSEC termination


Hello All,

We will be building an ExpressRoute for our traffic from on-prem to Azure VNets.

We want all this traffic to be encrypted. We have a FW on-prem.

On the Azure side, do we have to rely on the Azure VPN GW, or can we use another vendor device like a Palo Alto FW inside the Azure VNET?

Also, if the Azure VGW is the only option, how many tunnels can be terminated on it? Is there any limit?


Microsoft describes this exact scenario in the documentation: "VPN tunnels over Microsoft peering can be terminated either using VPN gateway, or using an appropriate Network Virtual Appliance (NVA) available through Azure Marketplace." I have successfully used a Cisco NVA for terminating an end-to-end VPN between on-premises and Azure VNETs for a client. So the answer is yes, you can use a third-party NVA to establish an end-to-end VPN over ExpressRoute.