Join Log in
Score:0
avatar Server

Site to Site Azure VPN with 2 VNET's

ru flag
Jon Drew

I have 2 VNETs in Azure.

AppVnet -10.0.0./24 -- Peered
Dbvnet - 10.10.0.0/24 -- Peered.

Firewall Sonic wall. Current status: VPN tunnel is created(route-based) and connected from on-prem to AppVnet and VM's on AppVnet to On-prem

peering is completed, DBvnet used a remote virtual network, and it connects with AppVnet.

The challenge. DbVnet cannot connect with on-prem and on-prem cannot connect with DBvnet.

41
0 + 0
Score:0
avatar Server
ng flag
Sam Cogan

You have effectively created a hub and spoke type setup here, with AppVnet being your hub, DbVnet being the spoke, and your VPN connecting your on-prem network to the hub. By default there is no transitive routing over vnet peering, so your on-prem network will not be able to talk to the DBvNet.

As per this article, you need to configure your peering connections to allow this. This mentions ExpressRoute, but the scenario is the same for VPN Gateways.

When an ExpressRoute circuit is connected into the Hub-and-Spoke design, the BGP routes that are advertised from on-prem into the ExpressRoute virtual gateway will not natively transit into the Spoke VNets. Instead, these routes will populate in the Hub VNet only. Likewise, the ExpressRoute gateway will not natively advertise Spoke VNet routes out, and instead, will only advertise the network ranges that belong to the Hub VNet. In order to allow the ExpressRoute virtual gateway to advertise routes from Hub to Spoke, you must select the “Allow Gateway Transit” option in the VNet peering panel of the Hub. And then to allow the Spoke VNet routes to transit out of the ExpressRoute gateway, you must select the “Use Remote Gateway” option in the VNet peering panel of the Spoke. Once complete, all on-prem BGP routes advertised through ExpressRoute will be visible in the Hub and all participating Spokes, and vise-versa.

0 + 0
ru flag
Jon Drew
I have tried that doesn't work. gateway transit
0
Reply
ng flag
Sam Cogan
Have you set both settings, gateway transit and use remote gateway?
0
Reply
ng flag
Sam Cogan
Use remote gateway needs to be set on the spoke vNet, so the db one.
0
Reply
ru flag
Jon Drew
I think I need to setup another VNG on DBvnet nd another VPN on firewall
0
Reply
ru flag
Jon Drew
Just logged in and confirm Gateway transit is allowed on AppVnet and use remote is selected on DBvnet
0
Reply
ru flag
Jon Drew
any suggestions or should I setup another VNG?
0
Reply
Massimo avatar
ng flag
Massimo
You also need to add DbNet's IP address range to the VPN config of your firewall, otherwise it won't know it needs to send traffic for that destination to the VPN tunnel.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.