Multiple Azure VPN Gateways - azure

I have been trying to tackle a problem where I need to create a second VPN tunnel to a site (SiteA); this site already has a VPN tunnel set up with our VPN Gateway.
SiteA is unable to create a second tunnel to our VPN gateway public IP, as a route already exists.
I need to know: can I add a second IP to the VPN gateway, which I think is a NO, but I can't find anything concrete to validate that, and if that's not possible, can we add a second VPN gateway into the same GatewaySubnet in our hub VNet?
Although I think this would be problematic, as how would the traffic from the firewall know which tunnel to send the traffic to?
Some background: hub and spoke design with the hub consisting of an Azure Firewall and an Azure VPN gateway. Peered spokes route through the FW to get to the VPN gateway. Hope that makes sense.
Thanks in advance.

To create a second VPN tunnel to a site (SiteA), which already has a VPN tunnel set up with your VPN Gateway, you can enable your Azure VPN gateway for an active-active configuration, where both instances of the gateway VMs will establish S2S VPN tunnels to your on-premises VPN device, as shown in the following diagram:
Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#active-active-vpn-gateways
In the active-active Azure VPN gateway configuration, each Azure gateway instance has a unique public IP address, and each establishes an IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network gateway and connection. You will need to configure your on-premises VPN device to accept or establish two S2S VPN tunnels to the two Azure VPN gateway public IP addresses, which are created when the active-active option is enabled. Because the Azure gateway instances are in an active-active configuration, the traffic from your Azure virtual network to your on-premises network is routed through both tunnels simultaneously, even if your on-premises VPN device may favor one tunnel over the other.
To change/update an existing Azure VPN gateway from active-standby to active-active mode, refer to the doc below:
https://learn.microsoft.com/en-us/azure/vpn-gateway/active-active-portal#-update-an-existing-vpn-gateway

Related

Azure Point-to-Site VPN - cannot connect to virtual machines in peered VNets

I have the following in Azure:
HubVNet with VPN Gateway (Point to Site VPN)
Spoke01VNet with one virtual machine
HubVNet and Spoke01VNet are peered with gateway transit enabled
Spoke01VNet is allowing forwarded traffic from HubVNet
I connect to VPN Gateway from my workstation successfully. I have a virtual machine on HubVNet (same as VPN Gateway) and I can successfully RDP to that server (I use it as a jumpbox right now) and can successfully RDP to server in Spoke01VNet from that jumpbox server.
I would like to RDP to the server in Spoke01VNet from my workstation but cannot connect. I thought peering the VNets would allow this to happen when I connected via VPN, but not so. Can anyone provide me some assistance on how to do this, if it's possible with a Point-to-Site VPN? Thank you in advance for all your help!!
You could check if you have correctly configured your Hub-spoke network topology in Azure. Read here for more details.
Configure the peering connection in the hub to allow gateway transit.
Configure the peering connection in each spoke to use remote gateways.
Configure all peering connections to allow forwarded traffic.
Once the VNet peering is connected, you could re-download your VPN client package and re-connect the VPN connection on your local machine. This might make the network update take effect.
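The three peering settings listed in the answer above are easy to check programmatically. The following is an added example, not code from the original answer or from Azure: it audits a hub-to-spoke peering pair against that checklist. The records are shaped like the objects `az network vnet peering list` returns (`allowGatewayTransit`, `useRemoteGateways`, `allowForwardedTraffic`, `peeringState`, `remoteVirtualNetwork.id`); the two sample peerings, the placeholder resource ids and the VNet names are constructed to match the question's description, where the spoke side was never set to use the hub's gateway.

```python
"""Audit hub-and-spoke VNet peerings for P2S-over-gateway-transit reachability.

Added example (not from the original answer). Records are shaped like the
JSON that `az network vnet peering list` returns; the sample data below is
constructed, and the subscription/resource-group ids are placeholders.
"""
from typing import Dict, List


def vnet_name(peering: Dict) -> str:
    """Last segment of the remote VNet resource id (".../virtualNetworks/<name>")."""
    return peering["remoteVirtualNetwork"]["id"].rstrip("/").rsplit("/", 1)[-1]


def audit_hub_spoke(hub_name: str, hub_peerings: List[Dict],
                    spoke_peerings: Dict[str, List[Dict]]) -> List[str]:
    """Return a list of findings; an empty list means the checklist is satisfied.

    hub_peerings:   peerings defined on the hub VNet (one per spoke)
    spoke_peerings: {spoke VNet name: peerings defined on that spoke}
    """
    findings: List[str] = []

    # Hub side: must allow gateway transit and forwarded traffic.
    for p in hub_peerings:
        where = f"{hub_name} -> {vnet_name(p)}"
        if p.get("peeringState") != "Connected":
            findings.append(f"{where}: peeringState is {p.get('peeringState')!r}, expected 'Connected'")
        if not p.get("allowGatewayTransit"):
            findings.append(f"{where}: allowGatewayTransit is false; the hub must allow gateway transit")
        if not p.get("allowForwardedTraffic"):
            findings.append(f"{where}: allowForwardedTraffic is false")

    # Spoke side: must use the hub's remote gateway and allow forwarded traffic.
    for spoke, peerings in spoke_peerings.items():
        for p in peerings:
            if vnet_name(p) != hub_name:
                continue  # a peering to some other VNet is outside this check
            where = f"{spoke} -> {hub_name}"
            if p.get("peeringState") != "Connected":
                findings.append(f"{where}: peeringState is {p.get('peeringState')!r}, expected 'Connected'")
            if not p.get("useRemoteGateways"):
                findings.append(f"{where}: useRemoteGateways is false; the spoke must use the hub's gateway")
            if not p.get("allowForwardedTraffic"):
                findings.append(f"{where}: allowForwardedTraffic is false")
    return findings


# Constructed sample matching the question: hub allows transit, spoke allows
# forwarded traffic, but "use remote gateways" was never enabled on the spoke.
_ID_PREFIX = "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/"
HUB_PEERINGS = [{
    "name": "HubToSpoke01",
    "peeringState": "Connected",
    "allowGatewayTransit": True,
    "allowForwardedTraffic": True,
    "useRemoteGateways": False,
    "remoteVirtualNetwork": {"id": _ID_PREFIX + "Spoke01VNet"},
}]
SPOKE_PEERINGS = {"Spoke01VNet": [{
    "name": "Spoke01ToHub",
    "peeringState": "Connected",
    "allowGatewayTransit": False,
    "allowForwardedTraffic": True,
    "useRemoteGateways": False,
    "remoteVirtualNetwork": {"id": _ID_PREFIX + "HubVNet"},
}]}


def fixed_spoke_peerings() -> Dict[str, List[Dict]]:
    """The same spoke peering with useRemoteGateways turned on."""
    return {"Spoke01VNet": [dict(SPOKE_PEERINGS["Spoke01VNet"][0], useRemoteGateways=True)]}


if __name__ == "__main__":
    for line in audit_hub_spoke("HubVNet", HUB_PEERINGS, SPOKE_PEERINGS) or ["OK: checklist satisfied"]:
        print(line)
```

Run against the sample, the audit reports only the missing `useRemoteGateways` on the spoke side; with that flag set it reports nothing. Note that Azure only lets `useRemoteGateways` be set once the hub peering already has `allowGatewayTransit`, so the order in the answer (hub first, then spokes) is the order to apply fixes in.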

VPN Gateway peering

I know virtual network peering is a thing, but in the same way, is VPN Gateway peering a thing? If so, given a VPN Gateway (A) with AD authN (OpenVPN SSL tunnel type) and a VPN Gateway (B) with Azure certificate-based authN (SSTP (SSL) tunnel type), can A and B be peered?
Questions based on above:
Do we have to do S2S peering setup between A and B with manual routing for each to access any resource from A to B and vice versa?
What are the limitations and advantages (if any) of this setup?
Will it be called a Hybrid solution?
If you have two VPN gateways in Azure, you could configure the VNet-to-VNet connections to connect Azure VNets to each other. You don't need manual routing. VNet-to-VNet supports connecting virtual networks. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises connectivity is required.
When you connect a virtual network to another virtual network with a VNet-to-VNet connection type (VNet2VNet), it's similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connection types use a VPN gateway to provide a secure tunnel with IPsec/IKE and function the same way when communicating. However, they differ in the way the local network gateway is configured.
When you create a VNet-to-VNet connection, the local network gateway address space is automatically created and populated. If you update the address space for one VNet, the other VNet automatically routes to the updated address space. It's typically faster and easier to create a VNet-to-VNet connection than a Site-to-Site connection.
You could read the document for more details.

Azure OpenVPN appliance not traversing virtual network gateway

I deployed an OpenVPN virtual appliance, and clients can reach peered networks and the VNet of the appliance itself, but not the on-premises network that is reachable via the virtual network gateway (routed VPN). When I use the P2S OpenVPN provided by Azure, clients can reach the on-premises network. What am I missing?
I deployed an OpenVPN appliance because Azure OpenVPN lacks ccd support.
I solved the problem by adding the OpenVPN client IP range to the VNET address space. I then created a subnet with the same IP range. Obviously, you can't put any resource in this subnet. By then adding this subnet to the route, OpenVPN clients could traverse the gateway.
After my test on my Windows client, I can directly access the on-premises network from the Azure VPN gateway based VNet, or access the resources in the VPN based VNet from the on-premises network. You could follow these tutorials:
Configure a Point-to-Site connection to a VNet using native Azure certificate authentication: Azure portal
Set up OpenVPN® Protocol on Azure VPN Gateway.
Configure OpenVPN clients for Azure VPN Gateway
I have not deployed an OpenVPN virtual appliance, but I think it will be something like this: Point-to-Site (P2S) connection using OpenVPN infrastructure
According to this quick start, if you use a virtual VPN appliance, it is necessary to create a route table in Azure so that traffic to your VPN subnet is directed back to your VPN instance, and to enable IP forwarding on that network interface. You could get more details about custom routes.
Feel free to let me know if I am misunderstanding you.

Connect to an on-premise network from an external computer via an Azure VPN Gateway

My goal is to connect from an external computer to both an Azure virtual network and a small on-premises network via an Azure VPN Gateway:
The Azure virtual network has the address range 10.1.0.0/16.
The on-premises network has the address range 10.2.0.0/16.
So far, I have done the following:
Set up a virtual gateway on the virtual network.
The virtual gateway is configured as a point-to-site VPN gateway.
The virtual gateway is connected to the on-premises network via a site-to-site connection.
So the topology looks like this:
VPN-client =p2s=> Azure =s2s=> On-premise
I can now dial in via VPN, but I can only ping addresses within the virtual network. On-premises addresses are not reachable.
I have also added the line
ADD 10.2.0.0 MASK 255.255.0.0 default METRIC default IF default
to the routes.txt file on the VPN client, but it's still not working.
This is not possible to achieve.
Why
First, an Azure VNet is a logical isolation and segmentation boundary. Each virtual network is isolated from other virtual networks.
When you connect to the VNet via P2S VPN, your client can communicate with resources in the VNet, but it cannot direct the traffic out of the VNet.
When you connect to the VNet via S2S VPN, your site can communicate with the resources in the VNet, but it cannot direct the traffic out of the VNet.
This is because they are using different gateways and have different CIDRs, and an Azure VNet cannot route the inbound traffic to one specific outbound gateway.
For example:
VNetA <peering or VPN gateway> VNetB <peering or VPN gateway> VNetC
But VNetA cannot communicate with VNetC
This is important for Azure VNet to reach isolation and segmentation.

Azure Site-to-Site network bypassing VPN tunnel

I have a couple of queries about Azure VNet to On-Premises Site-to-Site networking -
As per Azure, a Site-to-Site connection between On-Premises and an Azure VNet should have a VPN tunnel. For this to happen there should be a VPN-capable device On-Prem and also a VPN Gateway in the VNet. Is my understanding correct?
Secondly, if a custom device capable of VPN functionality is deployed On-Prem as well as a VM in the Azure VNet, can they establish a connection between them without the default Azure-provided Site-to-Site VPN tunnel? Is it possible to establish a Site-to-Site network without a VPN tunnel, like with just IGWs (Internet Gateways in the AWS Cloud)?
What is the significance of the next hop being "Internet" in an Azure route table?
Yes. This device should also have a real external ip address, not behind the NAT.
Yes, you could use, say, Sophos to create VPN without using Azure's default VPN.
Internet. Represents the default Internet gateway provided by the Azure Infrastructure. (https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-udr-overview/)
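The "Internet" next hop in the answer above, the firewall-routed hub-and-spoke design in the first question, and the custom route table for a VPN appliance mentioned earlier all come down to how Azure picks a route for a packet leaving a subnet: the longest matching prefix wins, and on an equal prefix length a user-defined route (UDR) overrides a BGP-learned route, which overrides a system route. The following is an added example, not code from any of the answers or from Azure, that implements that selection over a constructed set of effective routes; the VNet address ranges, the on-premises prefix and the firewall IP `10.0.1.4` are assumptions chosen to mirror the first question's layout.

```python
"""Azure-style effective-route resolution for a subnet.

Added example (not from the original answers). Longest prefix wins; on a tie,
a user-defined route beats a BGP route, which beats a system route. All
prefixes and addresses below are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Lower number wins when two matching routes have the same prefix length.
PRECEDENCE = {"user": 0, "bgp": 1, "system": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                         # CIDR, e.g. "10.2.0.0/16"
    next_hop_type: str                  # VnetLocal, VNetPeering, VirtualNetworkGateway,
                                        # VirtualAppliance, Internet or None
    source: str = "system"              # "system", "bgp" or "user" (a UDR)
    next_hop_ip: Optional[str] = None   # only meaningful for VirtualAppliance


def resolve(routes: List[Route], destination: str) -> Optional[Route]:
    """Return the route Azure would select for `destination`, or None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    best_key, best = None, None
    for route in routes:
        net = ipaddress.ip_network(route.prefix, strict=False)
        if addr not in net:
            continue
        key = (-net.prefixlen, PRECEDENCE[route.source])  # longer prefix, then precedence
        if best_key is None or key < best_key:
            best_key, best = key, route
    return best


# System routes Azure creates for a spoke subnet once the spoke is peered to a
# hub that holds the VPN gateway and the spoke uses the hub's remote gateway.
SPOKE_SYSTEM_ROUTES = [
    Route("10.10.0.0/16", "VnetLocal"),             # the spoke's own address space
    Route("10.0.0.0/16", "VNetPeering"),            # the hub's address space
    Route("10.2.0.0/16", "VirtualNetworkGateway"),  # on-prem prefix learned via the hub gateway
    Route("0.0.0.0/0", "Internet"),                 # default route (the "Internet" next hop)
]

FIREWALL_IP = "10.0.1.4"  # constructed private IP of the hub firewall

# UDRs on the spoke subnet that force on-prem and Internet-bound traffic through
# the hub firewall before it reaches the VPN gateway or leaves to the Internet.
SPOKE_UDRS = [
    Route("10.2.0.0/16", "VirtualAppliance", "user", FIREWALL_IP),
    Route("0.0.0.0/0", "VirtualAppliance", "user", FIREWALL_IP),
]


def effective_next_hop(destination: str, with_udr: bool = True) -> str:
    """Human-readable next hop for `destination`, with or without the UDRs applied."""
    routes = SPOKE_SYSTEM_ROUTES + (SPOKE_UDRS if with_udr else [])
    route = resolve(routes, destination)
    if route is None:
        return "None"
    if route.next_hop_ip is None:
        return route.next_hop_type
    return f"{route.next_hop_type}({route.next_hop_ip})"


if __name__ == "__main__":
    for dst in ("10.10.3.3", "10.0.0.5", "10.2.5.7", "8.8.8.8"):
        print(f"{dst:<12} with UDR: {effective_next_hop(dst):<28} "
              f"without UDR: {effective_next_hop(dst, with_udr=False)}")
```

Two things the output makes visible: traffic to the on-premises prefix keeps the `VirtualNetworkGateway` next hop until a UDR with the same `/16` prefix overrides it (equal length, higher precedence), and a `0.0.0.0/0` UDR replaces the system `Internet` next hop without affecting the more specific VNet and peering routes. For the hub-and-spoke design in the first question this is only half the picture: the GatewaySubnet in the hub needs its own UDR pointing spoke prefixes back at the firewall, otherwise return traffic from the tunnel bypasses it and the flow is asymmetric.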