HI, I have following scenario. Azure region 3 is having traditional hub and spoke connecting to on-premise and other azure regions through WAN network. This set up will migrate to azure vwan . I want to understand Like express route gateway, azure vwan will also advertise on-premises/ azure regions routes to hub vnet If all routes will be advertised by both express route gateway and azure vwan, which path/route will firewall select to reach on-premises If I connect vwan in production environment, will it affect existing connection before I delete it during migration. Can we preconfigure vwan and connect to Hub vnet and not affecting the set up Is there any downtime required, at which step and how much duration required I checked migration steps for this on Microsoft site but want to know migration steps if anyone performed previously

@Siddhesh Rane , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I am afraid your network diagram is misleading. From the diagram, I take is the "WAN" is Azure vWAN and not your MPLS In the vWAN, you have a vHub for Region3 It has both a VPN Gateway and an ExpressRoute Gateway The Region3HubVNet has a ExR Gateway of it's own Please let me know if my understanding is incorrect. Observation : I don't understand the Blue Line between "WAN" and the Region3HubVNet What does it indicate? I see you are trying to establish a connection between the vWANvHub and the Region3HubVNet Please note that a VNET can use only one Gateway at a time It can either use it's own or use the Gateway to which it is peered to, but not both So in your case, since the Region3HubVNet already has a ExR Gateway, you will not be able to connect it to the vWANvHub in the first place See : Spoke VNet should not have a virtual network gateway So the entire question of "routes will be advertised by both express route gateway and azure vwan" is invalid. Now, to answer your queries, 1 . A. If I connect vwan in production environment, will it affect existing connection before I delete it during migration. Can you elaborate? By connections, if you mean the ExpressRoute path - as mentioned earlier, you will not at all be able to peer the Hub to vWAN as long as the Hub has a ExR Gateway 1 . B. Can we preconfigure vwan and connect to Hub vnet and not affecting the set up Yes and this is expected. Preconfigure the vWANvHub's ExR Gateway to connect to the ExR Circuit Then delete the Gateway in the Hub VNET and connect it to the vWAN. 2 . Is there any downtime required, at which step and how much duration required Yes For production workloads, please have a scheduled maintenance window Anywhere around 4-5 hours should be fine. 3 . I checked migration steps for this on Microsoft site but want to know migration steps if anyone performed previously I mentioned the steps in 1 B It's recommended to follow the steps in Official MS Documents See : Migrate to Virtual WAN Please let us know if we can be of any further assistance here. Thanks, Kapil Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

Azure traffic routing if both vwan express route connection and traditional express route gateway connection coexists

Accepted answer

KapilAnanth-MSFT 46,876 Reputation points Microsoft Employee

2024-09-25T08:03:34.1+00:00
@Siddhesh Rane ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I am afraid your network diagram is misleading.

From the diagram,

I take is the "WAN" is Azure vWAN and not your MPLS

In the vWAN, you have a vHub for Region3

It has both a VPN Gateway and an ExpressRoute Gateway

The Region3HubVNet has a ExR Gateway of it's own

Please let me know if my understanding is incorrect.

Observation :

I don't understand the Blue Line between "WAN" and the Region3HubVNet

What does it indicate?

I see you are trying to establish a connection between the vWANvHub and the Region3HubVNet

Please note that a VNET can use only one Gateway at a time

It can either use it's own or use the Gateway to which it is peered to, but not both

So in your case, since the Region3HubVNet already has a ExR Gateway, you will not be able to connect it to the vWANvHub in the first place

See : Spoke VNet should not have a virtual network gateway

So the entire question of "routes will be advertised by both express route gateway and azure vwan" is invalid.

Now, to answer your queries,

1 . A. If I connect vwan in production environment, will it affect existing connection before I delete it during migration.

Can you elaborate?

By connections, if you mean the ExpressRoute path - as mentioned earlier, you will not at all be able to peer the Hub to vWAN as long as the Hub has a ExR Gateway

1 . B. Can we preconfigure vwan and connect to Hub vnet and not affecting the set up

Yes and this is expected.

Preconfigure the vWANvHub's ExR Gateway to connect to the ExR Circuit

Then delete the Gateway in the Hub VNET and connect it to the vWAN.

2 . Is there any downtime required, at which step and how much duration required

Yes

For production workloads, please have a scheduled maintenance window

Anywhere around 4-5 hours should be fine.

3 . I checked migration steps for this on Microsoft site but want to know migration steps if anyone performed previously

I mentioned the steps in 1 B

It's recommended to follow the steps in Official MS Documents

See : Migrate to Virtual WAN

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
Please sign in to rate this answer.

1 person found this answer helpful.
Siddhesh Rane 61 Reputation points

2024-09-25T13:14:57.62+00:00

Hi Kapil,

Thanks for your reply. WAN referees to customer SDWAN network. Customer is having all on-premises and other azure regions connected via SDWAN network to Azure region 3. Blue line indicate existing traffic flow path

onpremise -> SDWAN -> express route ckt -> express route GW -> FW -> Spoke VM.

In point 3, I want to check is that if I connect vwan to region 3 hub vnet then will it affect existing traffic going through hub express route circuit. (may be because of routes will get advertised by both ER gateways to HUb vnet). Is my understanding correct?

We want to migrate set up to azure vwan. Currently vwan is not there. I want to set up vwan, terminate Third party IPSec VPN and connect to existing express route circuit so that third party will connect to on-premise locations. After that we will connect vwan to region 3.

Based on migration steps and information provide by you, I understood that we need to take downtime and then perform vwan vnet connection with hub vnet, establish connectivity and delete the existing express route connection. I can take maintenance window of 3 hrs but exact down time will be required around 30 to 45 mins for vwan connection and routing changes. Is my understanding correct?

KapilAnanth-MSFT 46,876 Reputation points Microsoft Employee

2024-09-25T14:42:00.6633333+00:00

@Siddhesh Rane ,

Thanks for clarifying the architecture.

My point still stands.

In your case, since the Region3HubVNet already has a ExR Gateway, you will not be able to connect it to the vWANvHub in the first place as long as the ExR Gateway exists.

See : Spoke VNet should not have a virtual network gateway

To address your queries,

1 . I want to check is that if I connect vwan to region 3 hub vnet then will it affect existing traffic going through hub express route circuit. (may be because of routes will get advertised by both ER gateways to HUb vnet). Is my understanding correct?

No

As I mentioned earlier, you will not be able to connect this Hub VNET to the vWAN as long as this Hub VNET has a Gateway in it.

So "routes will get advertised by both ER gateways" is invalid.

2 . A. Based on migration steps and information provide by you, I understood that we need to take downtime and then perform vwan vnet connection with hub vnet, establish connectivity and delete the existing express route connection.

Incorrect.

You have to delete the Gateway in the Hub VNET First

Only then should you be able to connect it to the vWAN.

2 . B. I can take maintenance window of 3 hrs but exact down time will be required around 30 to 45 mins for vwan connection and routing changes. Is my understanding correct?

I would recommend you take 4-5 hours for worst case scenario

There isn't any specific mention of CRUD operation time required in our docs - this varies depends on the control plane traffic and region's load

Generally, gateway operations should take 45 minutes as worst-case scenario.

Please plan accordingly on further configuration and testing the traffic .

Hope this clarifies

Cheers,

Kapil

Siddhesh Rane 61 Reputation points

2024-09-25T15:06:38.2+00:00

Hi Kapil,

Thanks for clarification. I will create the vwan hub before activity and will not connect to Azure region 3 directly. During downtime only, i will perform the connectivity. Based on your suggestion, I will first remove existing express route connectivity and then connect vwan to region 3.

Just last query ...when I will configure vwan with express route connection and VPN gateway as shown in the diagram (will not directly connect with regions 3), whether following connectivity work before actual migration

Traffic between Third party vendor and onpremise/region2/region3

Third party -> VPN connection -> vwan vpn gw -> vwan exp gw -> MPLS/SDWAN -> onpremise/region2/region 3

Traffic between Third party vendor and onpremise/region2/region3

Third party -> VPN connection -> vwan vpn gw -> vwan exp gw -> MPLS/SDWAN -> HUB Exp GW -> FW -> Spoke VM

KapilAnanth-MSFT 46,876 Reputation points Microsoft Employee

2024-09-26T06:48:36.44+00:00

@Siddhesh Rane , We are glad to assist.

Can you please elaborate your question on what do you mean by "(will not directly connect with regions 3)" ?

I don't see a "Third party VPN" on the diagram.

If you have a third party connecting to your MPLS via a VPN,

It will be able to connect to any network on the vWAN as long as the routes are exchanged by your MPLS to the vWAN (via BGP)

See : Any-to-any vWAN

This scenario is enabled by default for Standard Virtual WAN

Looking at your diagram, this should speak to

OnPrem/Region1/Region2 via the MPLS itself

Region3 via MPLS ----> vWAN ----> Region3VNET(s)

If you have a third party connecting to your vWAN VPN Gateway via a VPN,

OnPrem/Region1/Region2 via the vWAN ----> MPLS

Region3 directly.

Hope this helps.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

Siddhesh Rane 61 Reputation points

2024-09-26T08:27:14.1366667+00:00

Hi Kapil,

Thanks for your reply. I will perform activity in 2 phases.

Phase 1 - Deploy VWAN , EXR GW,VPN GW and its configurations

Phase 2 - Migration to VWAN, vnet connection to hub vnet region 3 and routing etc.

I believe your response is applicable to phase 2. The above query I asked belongs to phase 1 where vwan is not connected to region 3 hub vnet.

As you can see in traffic flow, third party VPN connection will be terminated on vwan. In phase1, traffic between Third party VPN and on-premises/region1/region 2 and region 3 will follow below path

Traffic between Third party vendor and onpremise/region1/region2

Third party -> VPN connection -> vwan vpn gw -> vwan exp gw -> MPLS/SDWAN -> onpremise/region1/region 2

2. Traffic between Third party vendor and onpremise/region2/region3

Third party -> VPN connection -> vwan vpn gw -> vwan exp gw -> MPLS/SDWAN -> HUB Exp GW -> FW -> Spoke VM (region3)

I hope my understanding is correct.

Thanks once again for your guidance.

Rgds

Siddhesh

KapilAnanth-MSFT 46,876 Reputation points Microsoft Employee

2024-09-26T08:40:10.33+00:00

@Siddhesh Rane , That explanation helps.

In Phase 1,

1 . Traffic between Third party vendor and onpremise/region1/region2

Yes

The flow will work as long as vWAN and MPLS advertise routes to each other

This is by default in vWAN Standard.

2 . Traffic between Third party vendor and onpremise/region2/region3

I think the question should be for just "region3"

As "onpremise" and "region2" are addressed already in #1

Yes, this is also correct.

vWAN will exchange "Third Party" 's routes to MPLS and if MPLS advertises these routes to the HUB VNet ExR Gateway in Region3, Region3 VNET and Spoke VNET should be able to communicate to the Third party

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Siddhesh Rane 61 Reputation points

2024-09-26T11:30:03.55+00:00

Thanks Kapil

Siddhesh Rane 61 Reputation points

2024-09-26T11:31:31.7166667+00:00

Yes ....It's my bad typo error. 2nd traffic flow is for region 3 only.

Thanks for you help and support

KapilAnanth-MSFT 46,876 Reputation points Microsoft Employee

2024-09-26T11:38:20.1+00:00

@Siddhesh Rane ,

Thanks for your continued contribution on Q&A and appreciate much for taking the time to share your feedback
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure traffic routing if both vwan express route connection and traditional express route gateway connection coexists

0 additional answers

Your answer