SOLVED

Need For Local Network Gateway when connecting Azure S2S tunnel to AWS


Greetings.  According to this article and several others I've read on connecting Azure to AWS resources, a Local Network Gateway is required to be provisioned and configured along with an Azure VPN Gateway on the Azure side.  My question is, why is this the case?  I don't need to have a Local Network Gateway for any other S2S tunnels I've provisioned to on-prem locations, so why is this needed for connectivity to AWS?  Is it because of some compatibility issues between Azure and Amazon VPN gateways, or is it due to something else?  I'd just like to understand why.

 

Thanks in advance for any light that can be shed!

 

Brian

7 Replies
Hi Brian.
When you create an S2S VPN tunnel, you always need to have 2 endpoints. In case of an Azure S2S VPN, one is the Azure VPN gateway, one is the Local Network Gateway. In Azure, the LNG is just a definition of where the S2S VPN tunnel is terminating.
So when you create the LNG in Azure, you must point this to the IP address of the VPG in AWS and target the Azure VNG as the AWS Customer Gateway.
/Kenneth ML
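
The pairing described in the reply above, as an added example that is not part of the original thread: a Python check that the Azure Local Network Gateway and the AWS Customer Gateway each hold the other side's public IP, and that the LNG address prefixes cover the AWS VPC without overlapping the Azure VNet. The dictionary keys and all addresses are constructed for illustration and are not a vendor API schema.

```python
import ipaddress

def check_s2s_pairing(azure, aws):
    """Return a list of findings; an empty list means both sides mirror each other."""
    ip, net = ipaddress.ip_address, ipaddress.ip_network
    findings = []
    # The LNG is Azure's definition of the remote end, so it must carry
    # the public IP of the AWS tunnel endpoint.
    if ip(azure["lng_gateway_ip"]) != ip(aws["tunnel_outside_ip"]):
        findings.append("LNG gateway IP is not the AWS tunnel outside IP")
    # The AWS Customer Gateway is the mirror image: it must carry the
    # public IP of the Azure VPN gateway (VNG).
    if ip(aws["customer_gateway_ip"]) != ip(azure["vng_public_ip"]):
        findings.append("AWS Customer Gateway IP is not the Azure VNG public IP")
    # The LNG address prefixes decide what Azure routes into the tunnel.
    prefixes = [net(p) for p in azure["lng_address_prefixes"]]
    vpc, vnet = net(aws["vpc_cidr"]), net(azure["vnet_cidr"])
    if not any(vpc.subnet_of(p) for p in prefixes):
        findings.append("AWS VPC CIDR is not covered by any LNG prefix")
    for p in prefixes:
        if p.overlaps(vnet):
            findings.append(f"LNG prefix {p} overlaps the Azure VNet {vnet}")
    return findings

# Constructed sample values (documentation and private address ranges).
AWS = {
    "tunnel_outside_ip": "198.51.100.20",
    "customer_gateway_ip": "203.0.113.10",
    "vpc_cidr": "172.31.0.0/16",
}
AZURE_OK = {
    "vng_public_ip": "203.0.113.10",
    "vnet_cidr": "10.1.0.0/16",
    "lng_gateway_ip": "198.51.100.20",
    "lng_address_prefixes": ["172.31.0.0/16"],
}
# Misconfigured: the LNG points back at Azure's own gateway and
# advertises a prefix that swallows the local VNet.
AZURE_BAD = dict(AZURE_OK, lng_gateway_ip="203.0.113.10",
                 lng_address_prefixes=["10.0.0.0/8"])

if __name__ == "__main__":
    for name, cfg in (("ok", AZURE_OK), ("bad", AZURE_BAD)):
        print(name, check_s2s_pairing(cfg, AWS) or "consistent")
```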
Thanks Kenneth for your response. I guess what I'm missing is how this is different than other S2S VPN tunnels. For example, when I set up a tunnel to an on-prem location, the other end of the tunnel just terminates on the device (gateway) at the on-prem location. No local network gateway is needed on our end. Yet, with an AWS connection, this local network gateway is needed?

Thanks,

Brian
Hi Brian.
The LNG in Azure is really just a pointer to the "other side", this can be another Azure VNG, AWS VPG or on-premise gateway. In Azure you then define the connection between VNG and LNG. Does it make sense??
Hi Kenneth. Thanks again for your response. This still does not explain why an LNG is not needed for other connections. What's special about the connection to AWS that requires the LNG??? As I mentioned above, I have S2S tunnels to many other on-prem locations and don't need an LNG. Why is this required for AWS and not others? Is it due to incompatibilities between AWS VPGs and Azure VPN GWs?

@AzureBrian 

Hi Brian.
I am sorry, but you do need to define a Local Network Gateway in Azure to create an S2S VPN. Otherwise the S2S VPN connection doesn't know which host to connect to. If you have S2S VPN connections you've got to have defined LNGs.

 

If you use P2S (point to site) VPN, you're right, then you don't need to define a Local Network Gateway.

 

I have attached a screenshot of an S2S connection definition between an Azure subscription and my home office; in the image you'll see a marking box showing the LNG definition. Please disregard that the connection is not established. I suggest you have a look at your own subscription and post an image if you still don't see it.

The reason why you need a local network gateway is this:
"The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes."
Consider on-premises location everything outside Azure, even if it can be a public cloud like AWS.
Now the use of VPN Gateway is not mandatory; you can simply use a Network Virtual Appliance in Azure (Fortinet, Palo Alto, Checkpoint ...) to establish your connectivity with AWS, and on that side you also need an NVA. In that context LNG is not needed.

REF: https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
best response confirmed by AzureBrian (Occasional Contributor)
Solution

Hi @Kenneth Meyer-Lassen and @ibrahimambodji. Thanks for your continued discourse on this. After reviewing your image and comparing with my setup, I think I left out an important detail. My Azure VPN Gateway is based on a "classic" Service Model based-VNET, rather than ARM-based. Per this article, in the classic deployment model, the LNG is called a "Local Site" and so the portal interface is different than what you see. So, I think that's my answer and that difference in terminology was what was throwing me off. Thanks again for your help in getting me to the answer!

 

Brian