VNet Peering VPN Gateway

Handian Sudianto 5,776

I have 2 Vnet and both Vnet is peered, VM inside Vnet1 can communicate with VM inside Vnet2.

I also have VPN gateway connected to Vnet1, and from my onprem can communicate with vnet1, but why from my onprem can't communicate to vnet2?

2 answers

Marcin Policht 38,000 Reputation points MVP

2025-03-01T14:56:35.0866667+00:00

Follow https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

In hub-and-spoke network architecture, gateway transit allows spoke virtual networks to share the VPN gateway in the hub, instead of deploying VPN gateways in every spoke virtual network. Routes to the gateway-connected virtual networks or on-premises networks propagate to the routing tables for the peered virtual networks using gateway transit.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Please sign in to rate this answer.
Handian Sudianto 5,776 Reputation points

2025-03-01T15:12:09.3433333+00:00

Hi @Marcin Policht

Here peering on vnet1

Here peering on vnet2

with this condition my onprem only can talk with vnet1 and cannot talk with vnet2.

Marcin Policht 38,000 Reputation points MVP

2025-03-01T15:30:55.8133333+00:00

You need to modify your settings. On the peering from the VNet where you deployed the virtual gateway, you need to enable the setting "Allow gateway or route server to forward traffic". On the other VNET peering, you need to enable the setting "Enable to use remote gateway or route server"

Reference the screenshots at https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Handian Sudianto 5,776 Reputation points

2025-03-01T15:36:33.14+00:00

In vnet2 i cant select 'Enable to use remote gateway or route server' because vnet2 also have VNetwrok Gateway but to other sites/subnet.

here the topology

onprem1-----vnet1-----------vnet2---------------onprem2

onprem1 subnet 10.103.148.0/24

vnet1 subnet 172.16.1.0/24

vnet2 subnet 10.201.10.0/24

onprem2 subnet 10.103.255.0/25

No i have requirement to reach 10.201.10.0/24 from onprem1

Marcin Policht 38,000 Reputation points MVP

2025-03-01T15:51:24.39+00:00

It would be helpful if you mentioned this in your original post.

Since VNet2 has its own VPN Gateway, it cannot use the "Use remote gateway" option, preventing automatic transit routing through VNet1’s VPN Gateway.

Consider using VNet-to-VNet instead of VNet peering. Enable BGP on a VNet-to-VNet connection. This should allow transit routing capability to other S2S connections of these two VNets.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Handian Sudianto 5,776 Reputation points

2025-03-01T15:56:39.9566667+00:00

If BGP is enabled on the VPN Gateway in VNet1, configure it to advertise the 10.201.10.0/24 subnet to On-prem1.

How i can advertise 10.201.10.0/24 subnet on VPN Gateway?

On the On-prem1 router, ensure it accepts and forwards traffic for 10.201.10.0/24 via VNet1's VPN Gateway. --> done

Marcin Policht 38,000 Reputation points MVP

2025-03-01T16:00:47.9533333+00:00

Refer to https://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-howto

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Handian Sudianto 5,776 Reputation points

2025-03-01T16:07:21.74+00:00

i think thar article say for adding or updating the bgp peer address and not how to advertise custom subnet to the BGP, am i right?

Marcin Policht 38,000 Reputation points MVP

2025-03-01T21:48:25.7233333+00:00

I clearly misread your scenario - consider using VNet-to-VNet instead of VNet peering. Enable BGP on a VNet-to-VNet connection. This should allow transit routing capability to other S2S connections of these two VNets.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Ganesh Patapati 4,150 Reputation points Microsoft External Staff

2025-03-04T15:39:43.2466667+00:00

Hi Handian Sudianto

Can you please update us if the action plan provided by Marcin Policht was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Ganesh Patapati 4,150 Reputation points Microsoft External Staff

2025-03-05T18:19:52.96+00:00

Hi Handian Sudianto

Can you please update us if the action plan provided by Marcin Policht was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Marcin Policht 38,000 Reputation points MVP

2025-03-01T23:59:25.14+00:00

Use the following architecture to implement your scenario:

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview#transitrouting

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

VNet Peering VPN Gateway

2 answers

Your answer