Connecting a VNET with multiple VPN Gateways (one basic VPN GW and one VPN GW1)


Dears

I have set up a new Azure environment that needs to be connected to multiple sites (multiple offices and Amazon AWS). One of those offices uses a Sophos UTM9 router which doesn't support route based Virtual Network Gateway on Azure. So for that site, only policy based VPN connectivity is possible which equals a Basic Virtual Network Gateway on Azure.

The other sites do support Route Based VPN connectivity.

So at the moment I have three VNETs:

VNET one with a Gateway Subnet - Basic VPN connected to our office

VNET two with a Gateway Subnet - Route based (VPN GW1) connected to our Amazon AWS environment - which I will later on also use to connect to other offices that support Route Based connectivity

VNET three with an application

I want to connect VNET three with VNET one and VNET two and have bidirectional traffic going so offices/sites connected to VNET one can access the application on VNET three and send traffic back also and so that offices/sites connected to VNET two can also access the same application on VNET three and send traffic back.

I don't see right now how I can achieve this.

Can someone confirm my thoughts here or tell me where I'm wrong and explain what options I have in the end?

This is what I think I have found so far:

VNET peering is only possible (with remote gateway / transit options) once between two VNETs - I cannot have VNET peering between VNET one and three and VNET two and three in that sense.

VNET-to-VNET connectivity is an issue because VNET one has a basic VPN Gateway which only allows one connection. I can also only have one Network Gateway defined within a VNET, where you can have only one Gateway Subnet, so this prevents using VNET-to-VNET connectivity between the different VNETs in the end.

If I use VNET peering to connect VNET one and VNET three, which works fine, then I cannot set up VNET-to-VNET connectivity between VNET two and VNET three because of the VNET peering that exists on VNET three.

So I'm not sure how I should be overcoming this in terms of architecture / connectivity. I don't really want to go create Virtual Machines to get this connectivity going properly, which might be an alternative I think to get this kind of configuration to work.

One option could be to replace our office VPN router and instead of using Sophos UTM9 go for a VPN router that allows IKEv2 and thus allows route based connectivity to Azure.

Best regards

Tom

2 Replies
Worked around it by creating a policy based VPN tunnel to Amazon AWS and using a transit gateway to connect through to Azure since this connection is for maintenance/support purposes. Latency is acceptable so far so I'll stick to this solution for the time being. On Azure I've got VPNs connected on a GWvpn1 type gateway.

@Tom_Cenens  Route based vpn is the way to go for these connectivity requirements.