Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,566 questions
How to connect Private-Link resource to a VPN gateway?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 69%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOC%3C/text%3E%3C/svg%3E)
Omer Cohen
0
Reputation points
Greetings,
I would appreciate assistance with a design to a solution I would like to implement on Azure. Below I summarized all the information and approaches I tried.
- Customer has a private endpoint on a "consumer" VNet, from which I would like to allow them to privately consume a service.
- The private endpoint is to be connected to a private-link resource in a "producer-surrogate" VNet.
- The aforementioned private-link resource will route traffic to a VPN gateway (also contained in the "producer-surrogate" VNet). Said VPN gateway is connected to a remote service VNet hosting the remote service.
- I'm allowed to commit changes only to resources in the "producer-surrogate" VNet, i.e., the private endpoint on the "consumer" VNet is the only way for the consumer to consume.
Connected to the above private endpoint I've looked into:
- A private link service, but those are not supporting a Standard Load Balancer with a backend pool configured by an IP address, hence it cannot be used to route traffic to a VPN gateway. I am aware that routing traffic to a VM, followed by a user defined route, directing traffic to the VPN gateway is possible, but I am not interested in a solution I would have to maintain and scale myself.
- An application gateway connected to a standard Azure Firewall with forced tunneling (which is used to route traffic to the VPN gateway) should work, however, this seems to be an extremely high cost solution for a simple routing job.
I will appreciate your expertise in the matter, Thanks.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 17%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
Rohith Vinnakota 1,240 Reputation points Microsoft Vendor2024-10-28T21:37:10.83+00:00 Hi Omer Cohen,
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
Use Azure Virtual WAN with a hub-and-spoke topology. In this approach, you can create a hub VNet that contains the VPN gateway and the private-link resource, and connect the remote service VNet and the "producer-surrogate" VNet as spokes to the hub VNet. You can then use Azure Virtual WAN to route traffic between the spokes and the hub, and between the hub and the "consumer" VNet. This approach should be more cost-effective
Refer this:
Share a private link service across Virtual WAN - Azure Virtual WAN | Microsoft Learn
If you have any further concerns, please do not hesitate to contact us. We are pleased to help you.
If the information is helpful, please click on "Upvote" and "Accept Answer" so that it would be helpful to other community members.
-
Rohith Vinnakota 1,240 Reputation points Microsoft Vendor
2024-10-29T22:33:06.6233333+00:00 Hi Omer Cohen,
Greetings,
Just checking in to see if the below answer helped. If this answers your query, do clickAccept AnswerandYesfor was this answer helpful. And, if you have any further query do let us know.Cheers,
Rohith -
Rohith Vinnakota 1,240 Reputation points Microsoft Vendor
2024-10-30T22:15:32.6333333+00:00 Hi Omer Cohen,
Greetings,
Just checking in to see if the below answer helped. If this answers your query, do click
Accept AnswerandYesfor was this answer helpful. And, if you have any further query do let us know.Cheers,
Rohith
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 17%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOC%3C/text%3E%3C/svg%3E)
Omer Cohen 0 Reputation points2024-11-17T19:59:08.7066667+00:00 Hey @Rohith Vinnakota ,
Sorry for the delay, I didn't receive a notification for your reply.
May you please describe the flow you suggest I'll create?
Should WAN replace a firewall to create the following flow?
private-endpoint -> application gateway -> WAN -> VPN gateway -> remote resource? -
Rohith Vinnakota 1,240 Reputation points Microsoft Vendor
2024-11-19T23:01:48.5433333+00:00 Hi Omer Cohen,
Thank you for getting back.
I Think Kapil handling the same issue. please follow the Kapil instructions.
This is the Link of the same issue: https://learn.microsoft.com/en-us/answers/questions/2114387/exploring-cost-effective-solutions-for-routing-traThanks,
Rohith
Sign in to comment
Sign in to answer