Site-to-Site VPN connection over ExpressRoute private peering not valid

Dean 0 Reputation points
2024-10-18T10:57:14.8866667+00:00

Hello,

It seems this article is either outdated or wrong with what it is currently proposing - the requirements most likely need to change.

We have the same issue as described here, we have full control of the firewall from on-prem and can manipulate the routes as needed.

Our setup:
ExpressRoute circuit with private peering - working
ER VPN Gateway and VNET linked with ER connection
VPN Gateway with private IPs enabled
Connection (IPsec) with private IPs enabled

The IPsec connection is established but traffic from Azure to on-prem does not prefer it.

Azure needs to send on-prem the routes. This isn’t an on-prem to Azure issue; the firewall can manipulate the routes any way we need to. But if we receive the /16 over the tunnel, the underlay (ER) will drop, because that’s how the firewall gets to its IPsec peer IP: by means of the /16 route we get on the ER.

We can’t have the same /16 coming over the underlay and the IPsec overlay.

We need something more specific for the overlay IPsec subnets.

Are we missing something here? It feels like our only other options are:

  1. Using ExpressRoute without IPsec (can't do this as it's a requirement)
  2. NVA - will need to look into this
  3. Azure VirtualWAN (not viable right now) - can we use AS-PATH prepending with virtual WAN?

Not sure where to go from here but as it stands site-to-site over ExpressRoute and how the configuration is laid out in that article won't work with native Azure resources.

Do you maybe have an example setup that's working with only configuring the wider /16 path over ER and more specific path /24 over VPN on-prem side? If that could be shared then we could do a comparison.

Thanks
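The routing conflict described in the question comes down to longest-prefix match on the on-prem firewall. The following is an added illustration, not code from the poster or from Microsoft: it models a firewall routing table with two next hops (ER underlay and IPsec overlay) and shows why advertising the same /16 over both paths makes the tunnel unusable, while advertising only more specific /24s over the tunnel keeps the peer IP reachable via ER. All prefixes, the peer IP and the tie-break policy are constructed assumptions for the example.

```python
import ipaddress

# Hypothetical next-hop labels used only in this example.
UNDERLAY = "expressroute"   # ER private peering (carries the tunnel itself)
OVERLAY = "ipsec"           # S2S VPN tunnel riding on top of ER


def select_route(table, dst):
    """Longest-prefix match over (network, next_hop) entries.

    Ties on prefix length are broken in favour of the overlay, modelling a
    firewall policy that prefers the encrypted tunnel whenever both paths
    are equally specific (the poster's stated goal).
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, hop in table:
        if dst not in net:
            continue
        if best is None:
            best = (net, hop)
        elif net.prefixlen > best[0].prefixlen:
            best = (net, hop)
        elif net.prefixlen == best[0].prefixlen and hop == OVERLAY:
            best = (net, hop)
    return best


def make_table(underlay_prefixes, overlay_prefixes):
    """Build a routing table from the prefixes learned over each path."""
    table = [(ipaddress.ip_network(p), UNDERLAY) for p in underlay_prefixes]
    table += [(ipaddress.ip_network(p), OVERLAY) for p in overlay_prefixes]
    return table


def overlay_is_viable(table, peer_ip):
    """The tunnel only works if its peer IP is reached over the underlay.

    If the best route to the IPsec peer points into the tunnel itself, the
    firewall can never deliver the encapsulated packets, so the overlay is
    effectively black-holed.
    """
    route = select_route(table, peer_ip)
    return route is not None and route[1] == UNDERLAY


# Constructed sample topology (assumptions, not the poster's real addresses).
VNET = "10.10.0.0/16"                          # whole Azure VNet, learned over ER
PEER_IP = "10.10.255.4"                        # VPN gateway private IP in GatewaySubnet
WORKLOADS = ["10.10.1.0/24", "10.10.2.0/24"]   # subnets that must be encrypted

# Broken: the same /16 arrives over both the underlay and the overlay.
BROKEN = make_table([VNET], [VNET])
# Fixed: only the more specific workload /24s arrive over the overlay.
FIXED = make_table([VNET], WORKLOADS)


def summarize(table):
    """Return which path each sample destination takes and whether the tunnel is viable."""
    return {
        "tunnel_viable": overlay_is_viable(table, PEER_IP),
        "peer_ip": select_route(table, PEER_IP)[1],
        "workload_host": select_route(table, "10.10.1.5")[1],
        "other_vnet_host": select_route(table, "10.10.200.9")[1],
    }


if __name__ == "__main__":
    print("broken:", summarize(BROKEN))
    print("fixed: ", summarize(FIXED))
```

Two things the fixed table makes visible: the peer IP stays on the ER underlay while workload traffic takes the tunnel, and any VNet host outside the advertised /24s (10.10.200.9 above) still flows over ER in the clear, so the set of overlay prefixes is also the boundary of what is actually encrypted.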


1 answer

  1. Ganesh Patapati 1,745 Reputation points Microsoft Vendor
    2024-11-01T18:37:50.1166667+00:00

    Hello Dean,

    We appreciate your patience!

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    Configuring Site-to-Site VPN and ExpressRoute coexisting connections has several advantages:

    • You can configure a Site-to-Site VPN as a secure failover path for ExpressRoute.
    • Alternatively, you can use Site-to-Site VPNs to connect to sites that aren't connected through ExpressRoute.

    Note

    • If you want to create a Site-to-Site VPN over an ExpressRoute connection, see Site-to-site over Microsoft peering.
    • For ExpressRoute-VPN Gateway coexistence, if you’ve already deployed an ExpressRoute, you do not need to create a virtual network and gateway subnet as these are prerequisites in creating an ExpressRoute.
    • For Encrypted ExpressRoute Gateway, MSS Clamping is done over Azure VPN Gateway to clamp TCP packet size at 1250 bytes.

    Limits and limitations

    • Only route-based VPN gateway is supported. You must use a route-based VPN gateway. You also can use a route-based VPN gateway with a VPN connection configured for 'policy-based traffic selectors' as described in Connect to multiple policy-based VPN devices.
    • ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU.
    • Both the ExpressRoute and VPN gateways must be able to communicate with each other via BGP to function properly. If using a UDR on the gateway subnet, ensure that it doesn't include a route for the gateway subnet range itself as this will interfere with BGP traffic.
    • If you want to use transit routing between ExpressRoute and VPN, the ASN of Azure VPN Gateway must be set to 65515. Azure VPN Gateway supports the BGP routing protocol. For ExpressRoute and Azure VPN to work together, you must keep the Autonomous System Number of your Azure VPN gateway at its default value, 65515. If you previously selected an ASN other than 65515 and you change the setting to 65515, you must reset the VPN gateway for the setting to take effect.
    • The gateway subnet must be /27 or a shorter prefix, such as /26, /25, or you receive an error message when you add the ExpressRoute virtual network gateway.

    Refer: https://learn.microsoft.com/en-us/azure/expressroute/how-to-configure-coexisting-gateway-portal?source=recommendations


    Hope this clarifies.

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    Regards,

    Ganesh

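The answer's "Limits and limitations" list is a set of checks a practitioner would want to run against an existing gateway before debugging route preference. The following is an added example, not Microsoft's code or tooling: it validates a coexistence configuration against the prerequisites stated in the answer (route-based gateway, non-Basic SKU, ASN 65515, GatewaySubnet of /27 or shorter, no UDR covering the gateway subnet range). The input dictionary shape and the sample values are assumptions constructed for the example; in practice the values would be read from the gateway and subnet resources.

```python
import ipaddress

REQUIRED_VPN_ASN = 65515          # required for ER/VPN transit routing (from the answer)
MAX_GATEWAY_SUBNET_PREFIXLEN = 27  # GatewaySubnet must be /27 or shorter


def check_coexistence(cfg):
    """Return a list of findings for an ExpressRoute + VPN gateway coexistence setup.

    An empty list means every prerequisite listed in the answer is met.
    cfg keys (assumed for this example): vpn_type, vpn_sku, vpn_asn,
    gateway_subnet, udr_routes (prefixes of any UDR applied to GatewaySubnet).
    """
    findings = []

    if cfg.get("vpn_type") != "RouteBased":
        findings.append("VPN gateway must be route-based; policy-based gateways are not supported")

    if cfg.get("vpn_sku") == "Basic":
        findings.append("Basic SKU does not support ExpressRoute-VPN gateway coexistence")

    if cfg.get("vpn_asn") != REQUIRED_VPN_ASN:
        findings.append(
            f"VPN gateway ASN is {cfg.get('vpn_asn')}; transit routing requires "
            f"{REQUIRED_VPN_ASN} (reset the gateway after changing it)"
        )

    # strict=True rejects a prefix with host bits set, which would not be a valid subnet.
    gw = ipaddress.ip_network(cfg["gateway_subnet"], strict=True)
    if gw.prefixlen > MAX_GATEWAY_SUBNET_PREFIXLEN:
        findings.append(f"GatewaySubnet {gw} is /{gw.prefixlen}; it must be /27 or shorter")

    # A UDR entry equal to, or carved out of, the gateway subnet range breaks
    # the BGP session between the two gateways. A default route is not flagged.
    for prefix in cfg.get("udr_routes", []):
        net = ipaddress.ip_network(prefix, strict=False)
        if net.subnet_of(gw):
            findings.append(f"UDR route {net} covers the GatewaySubnet range {gw}; remove it")

    return findings


# Constructed sample configurations (assumptions, not real deployments).
BAD_CONFIG = {
    "vpn_type": "RouteBased",
    "vpn_sku": "Basic",
    "vpn_asn": 65001,
    "gateway_subnet": "10.10.255.0/28",
    "udr_routes": ["10.10.255.0/28", "0.0.0.0/0"],
}

GOOD_CONFIG = {
    "vpn_type": "RouteBased",
    "vpn_sku": "VpnGw1",
    "vpn_asn": 65515,
    "gateway_subnet": "10.10.255.0/27",
    "udr_routes": ["0.0.0.0/0"],
}


if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        findings = check_coexistence(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The UDR check deliberately flags only routes that sit inside the gateway subnet range, so a forced-tunnelling default route on the subnet is reported as fine; that matches the answer's wording, which only warns against a route for the gateway subnet range itself.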
