Site-to-Site VPN, share Local Network Gateway

  • Question

  • I’d like to deploy numerous, independent App Service instances (specifically Mobile Apps) to different Azure Regions (such as West Europe, Southeast Asia, etc.).

    Each of these instances should have a Site-to-Site VPN connection, connecting to an on-premises location in London.

    The resources for each instance will be deployed into Region-specific Azure Resource Groups.

    Specifically in terms of the Azure resources needed to create the Site-to-Site VPN, I’d like to share as much as possible between the App Service instances.

    Am I correct to say that the Local Network Gateway is the only component that could be shared between the instances?
    Is it good practice to share the Local Network Gateway resource, or should I create one for each App Service instance?

    Tuesday, December 6, 2016 7:58 AM

Answers

  • Hello Howard,

    What I meant to say is that if the local network gateway is configured with the correct IPv4 address of the VPN device then it should be able to receive VPN traffic from all your VPN gateways without issues. However, please make sure that the VPN device does not have limitations on the number of gateways that can be connected to it.

    Hope this clears the confusion.

    Regards,

    Loydon

    • Marked as answer by HBSequence Thursday, December 15, 2016 10:11 AM
    Wednesday, December 14, 2016 7:47 PM

All replies

  • Hello,

    Thank you for posting on the Azure forums!

    A local network represents your physical on-premises location. You can select a local network that you've previously created, or you can create a new local network. However, I am not sure how sharing of this local network gateway would work because each VPN Gateway needs to have a local gateway defined. Since you intend to use different App Service instances in different regions you will have to integrate your Mobile App (if you are using an App Service Plan) with separate VNets in region-specific resource groups. I don't think sharing will be possible. You could only mention the IPv4 public-facing IP of the London location's VPN device in each Local Network but cannot share this with each VPN gateway.

    I would also like to know if you are using an App Service Plan to deploy your Mobile App or an App Service Environment?

    If you use an App Service Plan then you will have to consider integrating your app with an Azure Virtual Network. You can then create a VPN Gateway, specify a Local Network Gateway for each VPN configuration and then enable connectivity.

    If you go with using an App Service Environment then you can manage it better since an ASE is already deployed inside a VNet. Refer to Introduction to App Service Environment for more information.

    Let me know if you need more details or any further assistance on this.

    Regards,

    Loydon


    Tuesday, December 6, 2016 2:07 PM
  • Hello Loydon,

    Thanks for your reply.

    >> A local network represents your physical on-premises location

    Got that.

    I'm using an App Service Plan and each instance would have its own plan. I've previously followed the page you link to and in the Azure Portal I've created 2 test instances (in different Resource Groups). Each has a VPN Gateway. In a 3rd Resource Group I have a Local Network Gateway. The Portal allows me to configure each VPN Gateway with the Local Network Gateway, so it looks like it is possible to share it.

    However, I need to know if this is good practice to share it.

    Could you advise please?

    Thanks

    Howard



    Tuesday, December 6, 2016 3:32 PM
  • Hello,

    I seem to have gotten confused with the terminology there. Yes, a Local Network is created as a separate entity and then associated with the VPN gateway. You should be able to link it to any VPN gateway which is in the same resource group (same region). It shouldn't cause any issues until the Local Network Gateway contains the correct IPv4 address of the VPN device from your London location. Not a bad practice.

    Hope this helps.

    Regards,

    Loydon



    Tuesday, December 6, 2016 3:50 PM
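As an added illustration of the topology discussed in the two posts above (one Local Network Gateway in its own resource group, one IPsec connection from each App Service instance's VPN gateway to it), here is an Azure PowerShell (Az module) script; it is not from the thread or from Microsoft. Resource names, the London device address, the on-premises prefix, the Key Vault used for pre-shared keys, and the use of a single region for every resource (matching Howard's test deployment, not his multi-region goal) are all assumptions.

```powershell
# Added example, not from the thread. Names, addresses and prefixes are assumed;
# all resources sit in one region, as in Howard's two-instance test.
$Location       = 'westeurope'
$SharedRg       = 'rg-shared-network'        # holds the single Local Network Gateway
$LondonDeviceIp = '203.0.113.10'             # placeholder (documentation range) for the London VPN device
$OnPremPrefixes = @('10.10.0.0/16')          # address space reachable behind the London device

# One Local Network Gateway. It only describes the on-premises side (public IP plus
# prefixes), which is why several VPN gateways can reference the same object.
$lng = New-AzLocalNetworkGateway -Name 'lng-london' -ResourceGroupName $SharedRg `
          -Location $Location -GatewayIpAddress $LondonDeviceIp -AddressPrefix $OnPremPrefixes

# App Service instances, each with its own resource group and an existing VPN gateway.
$instances = @(
    @{ Rg = 'rg-mobileapp-a'; Gateway = 'vgw-mobileapp-a' },
    @{ Rg = 'rg-mobileapp-b'; Gateway = 'vgw-mobileapp-b' }
)

foreach ($inst in $instances) {
    $gw = Get-AzVirtualNetworkGateway -Name $inst.Gateway -ResourceGroupName $inst.Rg

    # Each connection is a separate IPsec tunnel to London and should carry its own
    # pre-shared key. Keys come from Key Vault (assumed vault and secret names), so
    # none is written into the script or the deployment history.
    $psk = Get-AzKeyVaultSecret -VaultName 'kv-network-secrets' -Name "psk-$($inst.Gateway)" -AsPlainText

    # The connection must live in the same region as its VPN gateway; the shared LNG
    # is referenced by object, so its resource group does not have to match.
    New-AzVirtualNetworkGatewayConnection -Name "cn-$($inst.Gateway)-london" `
        -ResourceGroupName $inst.Rg -Location $Location `
        -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
        -ConnectionType IPsec -SharedKey $psk | Out-Null
}

# The London device now terminates one tunnel per gateway: check that it supports that
# many concurrent IPsec peers (Loydon's caveat) and that every tunnel reports Connected.
foreach ($inst in $instances) {
    Get-AzVirtualNetworkGatewayConnection -Name "cn-$($inst.Gateway)-london" -ResourceGroupName $inst.Rg |
        Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
}
```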
  • Hi. Thanks for that Loydon.

    >> It shouldn't cause any issues until the local Network gateway contains the correct IPv4 address of the VPN device from your London location

    I'm confused now. I'd like to share the Local Network Gateway when it has been given the correct IPv4 address of the VPN device, so that all of the VPN Gateways will route through to the device.

    Is that possible?

    Thanks

    Howard


    Tuesday, December 6, 2016 4:01 PM
  • That's great; thanks Loydon
    Thursday, December 15, 2016 9:42 AM