Forum Discussion

Copper Contributor

Jan 23, 2022

Virtual Network Gateway

Hi There, I wanted to setup a Express route gateway and VPN on my Virtual Network gateway. I have Hub and Spoke model, where I create one subnet "GatewaySubnet" on hub vnet, Can I able to create...

ChrisBradshaw

Iron Contributor

This page explains how to configure an ExpressRoute and S2S VPN alongside each other. Does that help?
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager

ramakrishnanv

Copper Contributor

Jan 26, 2022

ChrisBradshaw

Thanks for your response.

Basically we wanted to achieve as shown in below:

With out forcing the traffic to PAFW I can successfully establish the tunnel. Spoke to Spoke communication also working as expected. But I wanted force the traffic PA first then pass on to VPNGW in order to establish the tunnel. Similarly from outbound after VPN lands on VPNGW it should be pass thru PAFW.

ChrisBradshaw
Iron Contributor
Jan 27, 2022
ramakrishnanv
Have you implemented any User-defined routes here? I would suggest that your spoke subnets might need a default route where the next hop is the Virtual Appliance address of the firewall. The firewall in turn would then have a next hop of the VPN connection:
Some details on User Defined Routes here: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
- ramakrishnanv
  Copper Contributor
  Feb 05, 2022
  Yes Chris,
  Placed the UDR with default route done at the spoke. Found the issue. there should be another route in the NVA(PAFW) has to be in place which pointing to Gatewaysubnet default gateway IP(in our case 10.0.0.1 < subnet 1st ip>) , so that traffic would be pick up by VPN gateway in order to encrypt and send them over to internet. Thanks for your response.