Forum Discussion

AzureBrian's avatar
AzureBrian
Brass Contributor
Apr 16, 2021

Need For Local Network Gateway when connecting Azure S2S tunnel to AWS

Greetings.  According to this article and several others I've read on connecting Azure to AWS resources, a Local Network Gateway is required to be provisioned and configured along with an Azure VPN G...
  • AzureBrian's avatar
    AzureBrian
    Apr 23, 2021

    Hi KennethML and ibnmbodji.  Thanks for your continued discourse on this. After reviewing your image and comparing with my setup, I think I left out an important detail.  My Azure VPN Gateway is based on a "classic" Service Model based-VNET, rather than ARM-based.  Per this article , in the classic deployment model, the LNG is called a "Local Site" and so the portal interface is different than what you see.  So, I think that's my answer and that difference in terminology was what was throwing me off.  Thanks again for your help in getting me to the answer!

     

    Brian

KennethML's avatar
KennethML
Iron Contributor
Hi Brian.
When you create a S2S VPN tunnel, you always need to have 2 endpoints. In case of an Azure S2S VPN, one is the Azure VPN gateway, one is the Local Network Gateway. In Azure, the LNG is just a definition of where the S2S VPN tunnel is terminating.
So when you create the LNG in Azure, you must point this to the IP address of the VPG in AWS and target the Azure VNG as the AWS Customer Gateway.
/Kenneth ML
AzureBrian's avatar
AzureBrian
Brass Contributor
Apr 20, 2021
Thanks Kenneth for your response. I guess what I'm missing is how this is different than other S2S VPN tunnels. For example, when I setup a tunnel to an on-prem location, the other end of the tunnel just terminates on the device (gateway) at the on-prem location. No local network gateway is needed on our end. Yet, with an AWS connection, this local network gateway is needed?

Thanks,

Brian
  • KennethML's avatar
    KennethML
    Iron Contributor
    Apr 22, 2021
    Hi Brian.
    The LNG in Azure is really just a pointer to the "other side", this can be another Azure VNG, AWS VPG or on-premise gateway. In Azure you then define the connection between VNG and LNG. Does it make sense??
    • AzureBrian's avatar
      AzureBrian
      Brass Contributor
      Apr 22, 2021
      Hi Kenneth. Thanks again for your response. This still does not explain why an LNG is not needed for other connections. What's special about the connection to AWS that requires the LNG??? As I mentioned above, I have S2S tunnels to many other on-prem locations and don't need an LNG. Why is this required for AWS and not others? Is it due to incompatibilities between AWS VPGs and Azure VPN GWs?
      • KennethML's avatar
        KennethML
        Iron Contributor
        Apr 23, 2021

        AzureBrian 

        Hi Brian.
        I am sorry, but you do need to define an Local Network Gateway in Azure to create a S2S VPN. Otherwise the S2S VPN connection doesn't know which host to connect to. If you have S2S VPN connections you've got to have defined LNGs.

         

        If you use P2S (point to site) VPN, you're right, then you don't need to define a Local Network Gateway.

         

        I have attached an screenshot of a S2S connection definition between an Azure subscription and my home office, in the image you'll see a marking box showing the LNG definition, please disregard the connection is not established. I suggest you have a look at your own subscription and post an image, if you still don't see it.

Resources