What is the use of Expressroute gateway and VPN Gateway? - azure

We're setting up IPsec over ExpressRoute. I was wondering what the need is for a VPN gateway and an ExpressRoute gateway?
My understanding is that with a VPN gateway we can connect over the internet and establish an IPsec tunnel. But why is it mandatory to create a VPN gateway when what I want is a site-to-site VPN over ExpressRoute?
Without creating a VPN gateway, we can't create VPN sites and links. I'm wondering why it's like that.
An ExpressRoute gateway needs to be created in order to establish a connection to ExpressRoute circuits. But here also I don't understand the use of a gateway in general.
Is the gateway's purpose just to establish a connection between the Azure cloud and a site-to-site VPN, or between the Azure cloud and ExpressRoute circuits?

The gateway is used to set up the connection to an ExpressRoute circuit.
The gateway can be used both for establishing a connection to an ExpressRoute circuit and for a S2S connection.
It's just a device. The way you configure it determines whether it is a S2S over the internet or a S2S via ExpressRoute.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
When you configure a virtual network gateway, you configure a setting that specifies the gateway type. The gateway type determines how the virtual network gateway will be used and the actions that the gateway takes. The gateway type 'Vpn' specifies that the type of virtual network gateway created is a 'VPN gateway'. This distinguishes it from an ExpressRoute gateway, which uses a different gateway type. A virtual network can have two virtual network gateways; one VPN gateway and one ExpressRoute gateway.
I hope that's a clear enough answer to your question.

Related

Multiple Azure VPN Gateways

I have been trying to tackle a problem where I need to create a second VPN tunnel to a site (SiteA); this site already has a VPN tunnel set up with our VPN Gateway.
SiteA is unable to create a second tunnel to our VPN gateway public IP, as a route already exists.
I need to know whether I can add a second IP to the VPN gateway, which I think is a NO, but I can't find anything concrete to validate that, and if that's not possible, whether we can add a second VPN gateway into the same GatewaySubnet in our hub VNet.
Although I think this would be problematic, as how would the traffic from the firewall know which tunnel to send the traffic to?
Some background: hub and spoke design with the hub consisting of Az Firewall and Az VPN gateway. Peered spokes route through the FW to get to the VPN gateway. Hope that makes sense.
Thanks in advance.
To create a second VPN tunnel to a site (SiteA), which already has a VPN tunnel set up with your VPN Gateway, you can enable your Azure VPN gateway for an active-active configuration, where both instances of the gateway VMs will establish S2S VPN tunnels to your on-premises VPN device, as shown in the following diagram:
Refer to: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#active-active-vpn-gateways
In the active-active Azure VPN gateway configuration, each Azure gateway instance will have a unique public IP address, and each will establish an IPsec/IKE S2S VPN tunnel to the on-premises VPN device specified in your local network gateway and connection. You will need to configure your on-premises VPN device to accept or establish two S2S VPN tunnels to the two Azure VPN gateway public IP addresses, which are created when the active-active option is enabled. Because the Azure gateway instances are in an active-active configuration, the traffic from your Azure virtual network to your on-premises network will be routed through both tunnels simultaneously, even if your on-premises VPN device may favor one tunnel over the other.
To change/update an existing Azure VPN gateway from active-standby to active-active mode, refer to the doc below:
https://learn.microsoft.com/en-us/azure/vpn-gateway/active-active-portal#-update-an-existing-vpn-gateway
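The update described in this answer, done with Azure PowerShell, as an added example that is not part of the original answer. Resource names and the region are assumptions, and the exact parameter shape of the final Set-AzVirtualNetworkGateway call is taken from memory of the Az.Network module rather than from the page.

```powershell
# Added example: switch an existing active-standby VPN gateway to active-active and
# collect the two instance public IPs that the on-premises device needs for its two tunnels.
# Names and region below are assumptions; replace them with your own.
$RG       = 'hub-rg'
$Location = 'westeurope'
$GWName   = 'hub-vpn-gw'
$VNetName = 'hub-vnet'

# Active-active needs one public IP per gateway instance (not supported on the Basic SKU).
# Use the same public IP SKU as the gateway's existing address; Standard/Static assumed here.
$gw2pip = New-AzPublicIpAddress -Name "$GWName-pip2" -ResourceGroupName $RG `
    -Location $Location -AllocationMethod Static -Sku Standard

# Second IP configuration, bound to the same GatewaySubnet as the first instance.
$vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gw2ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "$GWName-ipconf2" `
    -Subnet $subnet -PublicIpAddress $gw2pip

# Enable active-active, keeping the existing IP configuration and adding the new one.
$gw = Get-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -EnableActiveActiveFeature `
    -VirtualNetworkGatewayIpConfiguration $gw.IpConfigurations[0], $gw2ipconf

# Re-read the gateway and resolve each instance's public IP: both must be configured on
# the on-premises device, and traffic will use both tunnels regardless of its preference.
$gw = Get-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG
foreach ($ipconf in $gw.IpConfigurations) {
    Get-AzPublicIpAddress -ResourceGroupName $RG |
        Where-Object { $_.Id -eq $ipconf.PublicIpAddress.Id } |
        Select-Object @{n='IpConfig';e={$ipconf.Name}}, Name, IpAddress
}
```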

Why does the Azure Virtual Network Express Route Gateway require public IP?

I need to set up a connection between ExpressRoute and a VNet in Azure.
It requires creating a Virtual Network Gateway of the ExpressRoute gateway type.
This gateway asks for a public IP.
So, I wonder why we need the public IP? Can the VNet and ExpressRoute interact through a private IP?
Please help me answer.
The answer is in the Microsoft FAQ:
The public IP address is used for internal management only, and doesn't constitute a security exposure of your virtual network.
A VPN gateway is used to send encrypted traffic across the public internet; for this communication it requires a public IP. The public IP assigned to the virtual network gateway lets you connect to the Azure VPN gateway from your on-premises network or the Internet.
When you create a virtual network gateway, you need to specify several settings. One of the required settings, '-GatewayType', specifies whether the gateway is used for ExpressRoute, or VPN traffic. The two gateway types are:
Vpn - you use the gateway type 'Vpn' to set up Site-to-Site, Point-to-Site, and VNet-to-VNet connections; all of these use a VPN gateway.
ExpressRoute - To send network traffic on a private connection, you use the gateway type 'ExpressRoute'. This is also referred to as an ExpressRoute gateway and is the type of gateway used when configuring ExpressRoute.
Reference
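The two gateway types described in this answer and in the first answer above (one VPN gateway and one ExpressRoute gateway in the same VNet), created with Azure PowerShell, as an added example that is not part of either answer. Resource names, SKUs and the region are assumptions.

```powershell
# Added example: one gateway of each -GatewayType in the same VNet's GatewaySubnet.
# Names, SKUs and region are assumptions. For coexistence the GatewaySubnet should be
# /27 or larger and the VPN gateway must be route-based.
$RG       = 'hub-rg'
$Location = 'westeurope'
$vnet   = Get-AzVirtualNetwork -Name 'hub-vnet' -ResourceGroupName $RG
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# 1) VPN gateway (-GatewayType Vpn). Its public IP is the IPsec/IKE endpoint that the
#    on-premises device or P2S clients reach across the Internet.
$vpnPip = New-AzPublicIpAddress -Name 'hub-vpn-pip' -ResourceGroupName $RG `
    -Location $Location -AllocationMethod Static -Sku Standard
$vpnIpConf = New-AzVirtualNetworkGatewayIpConfig -Name 'vpn-ipconf' `
    -Subnet $subnet -PublicIpAddress $vpnPip
New-AzVirtualNetworkGateway -Name 'hub-vpn-gw' -ResourceGroupName $RG -Location $Location `
    -IpConfigurations $vpnIpConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# 2) ExpressRoute gateway (-GatewayType ExpressRoute). It also takes a public IP, but per
#    the FAQ quoted above that address is for platform management only; the circuit is
#    reached through private peering, not over the Internet.
$erPip = New-AzPublicIpAddress -Name 'hub-er-pip' -ResourceGroupName $RG `
    -Location $Location -AllocationMethod Static -Sku Standard
$erIpConf = New-AzVirtualNetworkGatewayIpConfig -Name 'er-ipconf' `
    -Subnet $subnet -PublicIpAddress $erPip
New-AzVirtualNetworkGateway -Name 'hub-er-gw' -ResourceGroupName $RG -Location $Location `
    -IpConfigurations $erIpConf -GatewayType ExpressRoute -GatewaySku Standard

# Verify: the VNet now carries exactly one gateway of each type.
Get-AzVirtualNetworkGateway -ResourceGroupName $RG |
    Select-Object Name, GatewayType, @{n='Sku';e={$_.Sku.Name}} |
    Format-Table -AutoSize
```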

Is transit gateway available under the co-existence of Express Route Gateway and VPN Gateway in Azure?

I am planning to use a hub and spoke network topology in my Azure environment. At the same time, it is required to establish a connection between my on-premises network and the Azure environment using ExpressRoute with S2S VPN as the backup.
I wonder if I can still use my S2S VPN/ExpressRoute as the transit gateway in this scenario? If it is okay, can I choose the S2S VPN gateway as my transit gateway? Thanks.

VPN Gateway peering

I know virtual network peering is a thing, but just like that, is VPN Gateway peering a thing? If so, if VPN Gateway (A) uses AD AuthN (OpenVPN SSL tunnel type) and VPN Gateway (B) uses Azure certificate-based AuthN with the SSTP (SSL) tunnel type, can A and B be peered?
Questions based on the above:
Do we have to do a S2S peering setup between A and B with manual routing for each to access any resource from A to B and vice versa?
What are the limitations of this setup and its advantages (if any)?
Will it be called a hybrid solution?
If you have two VPN gateways in Azure, you could configure the VNet-to-VNet connections to connect Azure VNets to each other. You don't need manual routing. VNet-to-VNet supports connecting virtual networks. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises connectivity is required.
When you connect a virtual network to another virtual network with a VNet-to-VNet connection type (VNet2VNet), it's similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connection types use a VPN gateway to provide a secure tunnel with IPsec/IKE and function the same way when communicating. However, they differ in the way the local network gateway is configured.
When you create a VNet-to-VNet connection, the local network gateway address space is automatically created and populated. If you update the address space for one VNet, the other VNet automatically routes to the updated address space. It's typically faster and easier to create a VNet-to-VNet connection than a Site-to-Site connection.
You could read the document for more details.

Azure expressroute and VPN with Third Party NVA

I have a pair of FortiGate NVAs that will act as a termination point for IPSec VPN tunnels as well as serve as a backup connection for remote sites that are using expressroute.
The examples online from Microsoft show a similar solution but using the native VPN gateway. I need some help understanding how I can handle routing and failover when I am not using the native VPN gateway.
The partner is providing the ExpressRoute as a spoke off of the existing MPLS network. Routes will be exchanged with Azure that way. I have never worked with ExpressRoute before, but I would assume that if the circuit fails or the remote site is unable to access the circuit, that specific route would be removed from the table in Azure via the eBGP relationship with the partner. I am not fully understanding how failover would occur.
A bit more about the architecture:
Two Vnets. One Vnet is the 'gateway' vnet. This would house all of the subnets for the FortiGate NVAs as well as a subnet for the expressroute object. There would be a single UDR for this Vnet. There would then be a second Vnet where shared services would live. This Vnet would be peered with the gateway Vnet. Access to the Internet would exit via the NVAs and remote site traffic would exit via the expressroute object. Where in this scenario would traffic be diverted if the expressroute failed? At the UDR?
Thanks!
If you have ExpressRoute deployed in a VNet and you start advertising routes from on-premises, then when you look at the effective routes of your NVA you will see the on-premises routes with the ExpressRoute MSEE IP as the next hop.
When the circuit goes down, those routes will be revoked.
If you have a VPN gateway and ExpressRoute in a co-existence setup, where with ExpressRoute you are advertising the on-prem routes and with VPN you have declared the on-premises routes in the Local Network Gateway, then if you look at the effective routes on your NVA's NIC you will have 2 routes to on-premises, one via ExpressRoute and another via VPN. ExpressRoute will be the preferred route over VPN, and if ExpressRoute fails, the other route that is in place will act as the failover.
In your case, if ExpressRoute fails, the route to on-prem via ExpressRoute will be revoked and you need to add a route to forward the traffic via the tunnel. Otherwise traffic gets dropped in your NVA.
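A check for the failure mode this answer describes, as an added example that is not part of the original answer: read the effective routes on the NVA's NIC and report whether any active route to the on-premises prefix still exists. The NIC name, resource group and on-premises prefix are assumptions.

```powershell
# Added example: does the NVA still have an active route to on-premises?
# NIC name, resource group and prefix are assumptions; the VM must be running for
# Get-AzEffectiveRouteTable to return data.
$RG           = 'hub-rg'
$NicName      = 'fortigate-a-nic-internal'
$OnPremPrefix = '10.50.0.0/16'

$routes = Get-AzEffectiveRouteTable -NetworkInterfaceName $NicName -ResourceGroupName $RG

# Keep only routes covering the on-prem prefix. Routes learned through a gateway
# (ExpressRoute private peering, or a native VPN gateway in a coexistence setup) have
# NextHopType 'VirtualNetworkGateway'; for ExpressRoute the next hop IP is the MSEE.
# Routes you added yourself (a UDR pointing at the NVA's tunnel) show Source 'User'.
$candidates = $routes | Where-Object { $_.AddressPrefix -contains $OnPremPrefix }

$candidates |
    Select-Object Source, State,
        @{n='Prefix';e={$_.AddressPrefix -join ','}},
        NextHopType,
        @{n='NextHop';e={$_.NextHopIpAddress -join ','}} |
    Format-Table -AutoSize

# Only 'Active' routes are used; an ExpressRoute route withdrawn over BGP disappears
# entirely, so with no remaining active route the NVA drops on-prem traffic.
$active = @($candidates | Where-Object { $_.State -eq 'Active' })
if ($active.Count -eq 0) {
    Write-Warning ("No active route to {0} on {1}: add a UDR that sends this prefix " +
                   "into the IPsec tunnel, or traffic to on-premises will be dropped." -f
                   $OnPremPrefix, $NicName)
}
elseif (($active | Where-Object { $_.Source -eq 'VirtualNetworkGateway' }).Count -eq 0) {
    Write-Host "Gateway-learned route is gone; only user-defined routes remain (VPN backup path)."
}
else {
    Write-Host "Gateway-learned route to $OnPremPrefix is active (ExpressRoute path in use)."
}
```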
