Azure OnPremise to Vnet to Vnet to OnPremise Routing

  • Question

  • Hi

    We have got the following Networks:

    OnPremise Network EU - 192.168.1.0/24
    VNet1 EUWest - 192.168.2.0/24
    VNet2 USA Mid/South - 192.168.3.0/24
    OnPremise Network South America - 192.168.4.0/24

    I've configured the following Layout:
    OnPremise Network EU <-S2S-> VNet 1 (EU West) <-VNet2VNet-> VNet 2 (USA) <-S2S-> OnPremise Network South America
    All connections are up, but how and where do I have to configure the needed network routes?

    VPN Device in EU is a Win 2012 R2 RRAS Server.

    I added the following static routes in RRAS:
    192.168.2.0 - 255.255.255.0 - No Gateway - VPN Interface to EU West
    192.168.3.0 - 255.255.255.0 - No Gateway - VPN Interface to EU West
    192.168.4.0 - 255.255.255.0 - No Gateway - VPN Interface to EU West

    So the traffic from OnPremise EU is routed to VNet1. But how to continue to VNet 2 and further?
    I am unable to get a connection from OnPremise (EU) to VNet2 (USA).

    I know that I could also build a S2S connection from OnPremise EU to VNet2 (USA) and vice versa.
    This layout is actually just for test purposes. I was wondering if it is possible to get this to work by VNet-to-VNet connectivity as well, and if we could get a better overall network performance with this layout from EU to South America.

    Friday, August 22, 2014 3:51 PM

Answers

  • Hi Christian:

    Every time you create a VPN connection to a Local Network, routes pointing to the subnets defined within the Local Network are created automatically, so to use your example topology above, let's assume you have the following:

    VNETS:

    1. VNET2 with address space 192.168.2.0/24

    2. VNET3 with address space 192.168.3.0/24

    Local Networks:

    1. NET1 with address space 192.168.1.0/24

    2. VNET2 with address space 192.168.2.0/24

    3. VNET3 with address space 192.168.3.0/24

    4. VNET4 with address space 192.168.4.0/24

    So when you connected VNET2 with NET1, a static route pointing to 192.168.1.0/24 was added to the VPN Gateway created in VNET2 to go over that tunnel; also, when you connected VNET2 with VNET3, a route pointing to 192.168.3.0/24 was added on the Gateway, but that route used a different exit interface (the VPN for connecting to VNET3). However, as you can see from this, since 192.168.4.0/24 is defined neither in Local Network NET1 nor in VNET3, neither the resources defined in NET1 nor those in VNET2 know how to reach the resources defined in NET4, and thus will try to use their default gateway to do so, which will result in failure to communicate.

    In order to use VNET2 and VNET3 as transit networks for NET1 and NET4 you need to add subnet 192.168.1.0/24 to Local Network VNET2 and subnet 192.168.4.0/24 to Local Network VNET3 (note these are the Local Networks and not the Virtual Networks). This way, when a packet destined to NET4 arrives at VNET2 it will have a route for it pointing to VNET3, and VNET3 will finally deliver it to NET4. You can configure this in two ways:

    1. In the Azure Management portal go to *Networks | Local Networks*, select the Local Network name for VNET2, click on Edit at the bottom, click on Next in the new window that pops up and then click on address space; there you can add the subnet and its mask. Then do the same for VNET3.

    2. You can export the NetConfig.XML file, manually edit it, then import it back. In order to do so you need to go to *Networks* and in the bottom menu click on Export; this will download the NetConfig.XML file to your local machine where you can edit it (I recommend making a backup of it before you edit it). Once you are done editing, you can import it back in the Management Portal by clicking on NEW and selecting IMPORT CONFIGURATION in the new window.

    Hth,

    Jorge

    Thursday, August 28, 2014 8:46 PM
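    Editor's note, added to this thread as a worked example (it is not Jorge's, Christian's or Microsoft's code): the script below models exactly what Jorge describes, namely that each classic Azure VPN gateway only gets a route for the prefixes listed in the Local Network definitions it is connected to, exiting over that tunnel, and nothing else is routable. It parses a constructed NetConfig.XML for the four networks in the question, traces a packet hop by hop from NET1 to NET4 before and after the two Local Network edits, and checks the no-overlap requirement from Sowmya's post. Assumptions: the element names follow the classic NetworkConfiguration schema as I recall it (verify them against your own exported file before editing it), the Local Network that describes a VNet carries the VNet's own name as in Jorge's example, and the South America VPN device has the mirror image of Christian's RRAS routes (it needs them, otherwise the return path from NET4 fails the same way the forward path fails here). Gateway addresses are documentation IPs.

```python
"""Added example (not from the thread or from Microsoft): derive the routes each
classic Azure VPN gateway gets from the Local Network definitions in NetConfig.XML,
apply the change Jorge describes, and re-check reachability and prefix overlap."""
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: classic NetworkConfiguration schema as I recall it; verify on your export.
NS = "http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration"
ET.register_namespace("", NS)

# Constructed sample export for the thread's topology (documentation IPs).  As in
# Jorge's post, the Local Network describing a VNet carries that VNet's name.
SAMPLE_NETCONFIG = f"""<NetworkConfiguration xmlns="{NS}"><VirtualNetworkConfiguration>
<LocalNetworkSites>
 <LocalNetworkSite name="NET1"><AddressSpace><AddressPrefix>192.168.1.0/24</AddressPrefix></AddressSpace><VPNGatewayAddress>203.0.113.1</VPNGatewayAddress></LocalNetworkSite>
 <LocalNetworkSite name="VNET2"><AddressSpace><AddressPrefix>192.168.2.0/24</AddressPrefix></AddressSpace><VPNGatewayAddress>203.0.113.2</VPNGatewayAddress></LocalNetworkSite>
 <LocalNetworkSite name="VNET3"><AddressSpace><AddressPrefix>192.168.3.0/24</AddressPrefix></AddressSpace><VPNGatewayAddress>203.0.113.3</VPNGatewayAddress></LocalNetworkSite>
 <LocalNetworkSite name="NET4"><AddressSpace><AddressPrefix>192.168.4.0/24</AddressPrefix></AddressSpace><VPNGatewayAddress>203.0.113.4</VPNGatewayAddress></LocalNetworkSite>
</LocalNetworkSites>
<VirtualNetworkSites>
 <VirtualNetworkSite name="VNET2" Location="West Europe">
  <AddressSpace><AddressPrefix>192.168.2.0/24</AddressPrefix></AddressSpace>
  <Gateway><ConnectionsToLocalNetwork>
   <LocalNetworkSiteRef name="NET1"><Connection type="IPsec"/></LocalNetworkSiteRef>
   <LocalNetworkSiteRef name="VNET3"><Connection type="IPsec"/></LocalNetworkSiteRef>
  </ConnectionsToLocalNetwork></Gateway></VirtualNetworkSite>
 <VirtualNetworkSite name="VNET3" Location="South Central US">
  <AddressSpace><AddressPrefix>192.168.3.0/24</AddressPrefix></AddressSpace>
  <Gateway><ConnectionsToLocalNetwork>
   <LocalNetworkSiteRef name="VNET2"><Connection type="IPsec"/></LocalNetworkSiteRef>
   <LocalNetworkSiteRef name="NET4"><Connection type="IPsec"/></LocalNetworkSiteRef>
  </ConnectionsToLocalNetwork></Gateway></VirtualNetworkSite>
</VirtualNetworkSites></VirtualNetworkConfiguration></NetworkConfiguration>"""

# Static routes on the on-premises VPN devices: Christian's RRAS entries for NET1,
# and (assumed) the mirror image on the South America device for NET4.
ONPREM_ROUTES = {
    "NET1": [(ipaddress.ip_network(f"192.168.{i}.0/24"), "VNET2") for i in (2, 3, 4)],
    "NET4": [(ipaddress.ip_network(f"192.168.{i}.0/24"), "VNET3") for i in (1, 2, 3)],
}

def q(tag):
    return f"{{{NS}}}{tag}"

def load(xml_text=SAMPLE_NETCONFIG):
    return ET.fromstring(xml_text)

def _space(site):  # prefixes under the site's own <AddressSpace>, not its subnets
    return [ipaddress.ip_network(p.text.strip())
            for p in site.find(q("AddressSpace")).iter(q("AddressPrefix"))]

def sites(root, tag):  # name -> prefixes for LocalNetworkSite or VirtualNetworkSite
    return {s.get("name"): _space(s) for s in root.iter(q(tag))}

def owners(root):
    """Who really owns each prefix: VNets plus on-premises Local Networks.  A Local
    Network that merely mirrors a VNet shares its name and is skipped."""
    out = dict(sites(root, "VirtualNetworkSite"))
    for name, pfxs in sites(root, "LocalNetworkSite").items():
        out.setdefault(name, pfxs)
    return out

def gateway_routes(root):
    """Each VNet gateway gets one route per prefix of every Local Network it is
    connected to, exiting over that tunnel; anything else hits the default gateway."""
    locals_ = sites(root, "LocalNetworkSite")
    return {v.get("name"): [(p, r.get("name")) for r in v.iter(q("LocalNetworkSiteRef"))
                            for p in locals_[r.get("name")]]
            for v in root.iter(q("VirtualNetworkSite"))}

def add_prefix(root, local_network, prefix):
    """Add an AddressPrefix to a LocalNetworkSite (returns False if already there)."""
    for site in root.iter(q("LocalNetworkSite")):
        if site.get("name") == local_network:
            if ipaddress.ip_network(prefix) in _space(site):
                return False
            ET.SubElement(site.find(q("AddressSpace")), q("AddressPrefix")).text = prefix
            return True
    raise KeyError(local_network)

def trace(root, src, dst_ip, onprem=ONPREM_ROUTES, max_hops=8):
    """Hop-by-hop longest-prefix lookup from site `src` toward dst_ip: the sites
    traversed, or None where some hop has no route (packet falls to its default gw)."""
    vnets, gw, own = sites(root, "VirtualNetworkSite"), gateway_routes(root), owners(root)
    dst, node, path = ipaddress.ip_address(dst_ip), src, [src]
    for _ in range(max_hops):
        if any(dst in p for p in own[node]):
            return path
        table = gw[node] if node in vnets else onprem.get(node, [])
        hits = [(p, hop) for p, hop in table if dst in p]
        if not hits:
            return None
        node = max(hits, key=lambda h: h[0].prefixlen)[1]
        path.append(node)
    return None

def overlaps(root):
    """Pairs of sites whose address spaces overlap; VNet-to-VNet requires none."""
    own, names = owners(root), sorted(owners(root))
    return [(a, b, str(pa), str(pb)) for i, a in enumerate(names) for b in names[i + 1:]
            for pa in own[a] for pb in own[b] if pa.overlaps(pb)]

if __name__ == "__main__":
    root = load()
    print("before:", trace(root, "NET1", "192.168.4.10"))
    add_prefix(root, "VNET2", "192.168.1.0/24")  # VNET3 now routes NET1 via VNET2
    add_prefix(root, "VNET3", "192.168.4.0/24")  # VNET2 now routes NET4 via VNET3
    print("after: ", trace(root, "NET1", "192.168.4.10"), overlaps(root))
    print(ET.tostring(root, encoding="unicode"))  # the file to import back into the portal
```

    The same lookup explains the NET1 to VNET3 symptom in the question: the forward hop exists (VNET2 already has a route for 192.168.3.0/24), but VNET3's gateway has no route back to 192.168.1.0/24 until that prefix is added to Local Network VNET2. The model assumes dynamic routing gateways, which Sowmya notes VNet-to-VNet requires, and does not model the Windows Firewall or RRAS filters on the on-premises devices.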

All replies

  • Hi,

    VNet-to-VNet connectivity utilizes the Azure VPN gateways to connect two or more virtual networks together securely with IPsec/IKE S2S VPN tunnels. Together with the Multi-Site VPNs, you can connect your virtual networks and on-premises sites together in a topology that suits your business need. 

    There are several scenarios this connectivity can enable. Below is just a partial list:

    • Cross region geo-redundancy and geo-presence; e.g., SQL AlwaysOn across different Azure regions
    • Cross subscription, inter-organization communication in Azure
    • Regional multi-tier applications with strong isolation boundary; or connecting existing workloads in different VNets together to form new applications

    Also, there are a number of requirements and considerations on the VNet-to-VNet feature. Below is a short list of the key points:

    • You MUST create or use the Azure Dynamic Routing VPN gateways to connect your virtual networks. Static Routing VPN gateways are NOT supported for VNet-to-VNet.
    • For each virtual network, you can connect up to 10 “networks”; i.e., both virtual networks and on premises sites combined cannot exceed 10.
    • You need to ensure that the address prefixes don’t overlap among all the connected networks.
    • VNet-to-VNet feature works across regions and subscriptions – same or different regions, single or across subscriptions.

    You might want to check the link below, which provides a step-by-step procedure to configure a VNet to VNet connection:

    http://msdn.microsoft.com/en-us/library/azure/dn690122.aspx

    Hope this helps !

    Regards,

    Sowmya

    • Proposed as answer by Sowmya K R Wednesday, August 27, 2014 10:11 AM
    Saturday, August 23, 2014 10:59 AM
  • Hi

    Thanks for your reply.
    Unfortunately that doesn't help much.

    I know the general purpose of VNet-to-VNet connectivity. As written above, I was able to configure all the needed VNet-to-VNet and Site-to-Site VPN connections.

    Now I would need some technical advice regarding the needed routing entries.

    As written, I have 4 networks and want to connect them serially.

    Net1 <-> VNet 2 <-> VNet 3 <-> Net4.

    I am able to connect from Net1 to VNet2, from VNet2 to VNet3 and from VNet3 to Net4.
    But I am unable to get a direct connection from Net1 to VNet3 or Net4 and vice versa.

    (How) Is it possible to get this to work that way?


    Monday, August 25, 2014 7:25 AM
  • Hi,

    According to your requirements, you can create a multi-site VPN to connect multiple on-premises sites to a single virtual network gateway. However, please make sure that your on-premises VPN devices support dynamic routing, as only dynamic gateways are supported in a multi-site VPN connection.

    For more detailed information, please refer to the links below:

    About VPN Devices for Virtual Network

    Configure a Multi-Site VPN

    Best regards,

    Susie

    Wednesday, August 27, 2014 8:19 AM
  • Hi

    My desire is not to connect multiple on-premises sites to a single virtual network gateway.
    As written above, I am trying to connect multiple on-premises sites via VNet-to-VNet connection.

    Please have a look at the picture below which shows the desired network layout:


    So could you please tell me if this is possible and how to configure the needed network routes.

    My scenario seems to be a bit more complex and that's why I am asking here for help.


    Wednesday, August 27, 2014 11:05 AM
  • Hi Jorge

    Thanks a lot for your explanation.
    That's exactly what I needed to know. I am going to try this soon.

    Regards, Christian 

    Friday, August 29, 2014 2:37 PM