Multiple Vnets to OnPermis Connection using site to site VPN

%3CLINGO-SUB%20id%3D%22lingo-sub-2202267%22%20slang%3D%22en-US%22%3EMultiple%20Vnets%20to%20OnPermis%20Connection%20using%20site%20to%20site%20VPN%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2202267%22%20slang%3D%22en-US%22%3E%3CP%3EDear%20Friends%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20Anyone%20help%20to%20configure%20the%26nbsp%3BMultiple%20VNets%20to%20OnPermis%20N%2FW%20Connection%20using%20the%20site%20to%20site%20VPN%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20tried%20in%20My%20Home%20lab%20with%20RRAS%2C%20but%20I%20can%20connect%20one%20VNET%20but%20cannot%20reach%20another%20VNets%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20are%20the%20steps%20I%20need%20to%20follow%2C%20to%20connect%20Other%20Vnets%20from%20RRAS%20connected%20Infra%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%26nbsp%3B%3C%2FP%3E%3CP%3ESivarajan%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2210656%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20Vnets%20to%20OnPermis%20Connection%20using%20site%20to%20site%20VPN%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2210656%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3B%3C%2FP%3E%0A%3CP%3EFirst%20you%20need%20to%20configure%20vnet%20peerings.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhile%20configuring%3B%3C%2FP%3E%0A%3CP%3E1.%20You%20need%20to%20check%26nbsp%3B%3CSTRONG%3EUse%20this%20virtual%20network's%20gateway%20%3C%2FSTRONG%3Echeckbox%20in%20the%20Vnet%20which%20you%20deploy%20your%20vnet%20gateway%20(Hub%20Vnet)%3C%2FP%3E%0A%3CP%3E2.%26nbsp%3B%20%26nbsp%3BYou%20need%20to%20check%26nbsp%3B%3CSTRONG%3EUse%20the%20remote%20virtual%20network's%20gateway%26nbsp%3B%3C%2FSTRONG%3Echeckbox%20in%20the%20Vnet%20which%20you%20peered%20to%20hub%26nbsp%3B%20(Spoke%20Vnet)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvpn-gateway%2Fvpn-gateway-peering-gateway-transit%23%3A~%3Atext%3DGateway%2520transit%2520is%2520a%2520peering%2CVNet%252Dto%252DVNet%2520connectivity.%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EConfigure%20VPN%20gateway%20transit%20for%20virtual%20network%20peering%20-%20Azure%20VPN%20Gateway%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Dear Friends

 

Could Anyone help to configure the Multiple VNets to OnPermis N/W Connection using the site to site VPN, 

 

I tried in My Home lab with RRAS, but I can connect one VNET but cannot reach another VNets, 

 

What are the steps I need to follow, to connect Other Vnets from RRAS connected Infra 

 

Thanks 

Sivarajan 

2 Replies

Hi;

First you need to configure vnet peerings. 

While configuring;

1. You need to check Use this virtual network's gateway checkbox in the Vnet which you deploy your vnet gateway (Hub Vnet)

2.   You need to check Use the remote virtual network's gateway checkbox in the Vnet which you peered to hub  (Spoke Vnet)

 

Configure VPN gateway transit for virtual network peering - Azure VPN Gateway | Microsoft Docs

@sivaraj86 

 

Hi 

If you have successfully configured your VPN  

You need to add some routing and security configurations . For that you will need  a Netwotk Virtual Appliance like a Next Gen Firewall ( Fortinet Palo Alto Checkpoint ... ) or use Azure Firewall  . 

I'm assuming you have Hub and Spoke Topology 

 

So in The Hub you  may have :

  • Allow  Traffic to remote virtual network (default )
  • Allow Traffic forwarded from remote virtual network (default)
  • Use this virtual network's gateway or Route Server (default to none ) 

In Spoke 

  • Allow  Traffic to remote virtual network (default )
  • Allow Traffic forwarded from remote virtual network (default)
  • Use the remote virtual network's gateway or Route Server (default to none ) 

 

For every spoke  you should

  • Create and configure in a route table  a user defined route to  send traffic 0.0.0.0/0 to the private IP of your Firewall  (Next Hop Virtual Appliance ) 

In Hub you need to

  • create a route  to each scope with the same next hop  (Firewall)  

 

Then create Firewall rules to allow or deny traffic for one vnet to another  

For the subnet traffic rely on network security groups / application  security groups attached to subnets instead of nics 

Avoid Overlapping Address