I have a requirement to build out a networking solution that will have several site-to-site (S2S) VPNs and a point-to-site (P2S) VPN. Ideally, we want each service provider/VPN to have its own set of infrastructure, i.e. a dedicated Virtual Network Gateway, as per the diagram:
I am unable to get traffic to flow between on-prem and spokes 4 & 5.
I have built some test VMs in various segments which can communicate. For example:
- Spoke 1 > hub > Spoke 4 + 5. ✅
- On-prem > Spoke 1 + 2 + 3. ✅
I can see from the logs that the UDRs are pushing traffic through the firewall.
If I understand the documentation correctly, I should be able to achieve this with the currently deployed infrastructure:

> If you require connectivity between spokes, consider deploying an Azure Firewall or other network virtual appliance.
All the examples I can find show the VNG in the hub network (for example), which means it will be shared across service providers.
I also see other examples where there is a vnet-to-vnet VNG (VPN gateway) (for example) between the hub and spoke. Microsoft say:
> You can also use a VPN gateway to route traffic between spokes, although this choice will impact latency and throughput.
I am beginning to think the planned design is not possible. Must I have:
- Shared VNG in the hub
- vnet-to-vnet VNG in spokes and hub
- 1 + 2
- Design is possible, therefore route/firewall rules are wrong.
T.I.A.
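An added example, not part of the original post and not taken from the poster's environment: a small Python script that models the effective routes of a spoke VM's NIC and the route table on the hub GatewaySubnet (the two tables you would dump with `az network nic show-effective-route-table` and `az network route-table route list`), resolves the forward and return hop with longest-prefix match, and reports whether both legs of an on-prem/spoke path go through the firewall. All prefixes, the firewall IP `10.0.1.4` and every route entry are constructed sample data; the sample GatewaySubnet table deliberately lacks a route for the spoke prefix to show the kind of asymmetric-routing gap the check surfaces, which is an illustration, not a diagnosis of this deployment.

```python
"""Offline check that a hub-and-spoke path transits the firewall in BOTH directions.

Forward leg: spoke VM -> on-prem, resolved from the spoke NIC's effective routes.
Return leg:  on-prem -> spoke VM, resolved from the hub GatewaySubnet route table
(this is the table the VPN gateway consults for traffic arriving from on-prem).
Every address and route below is constructed sample data (hypothetical).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                       # address prefix, e.g. "10.4.0.0/16"
    next_hop_type: str                # VnetLocal, VNetPeering, VirtualNetworkGateway, VirtualAppliance, None
    next_hop_ip: Optional[str] = None  # only set for VirtualAppliance (NVA / Azure Firewall) hops
    source: str = "Default"           # Default (system), User (UDR), VirtualNetworkGateway (BGP)


# For an identical prefix Azure prefers a UDR over a BGP route over a system route.
_SOURCE_RANK = {"User": 2, "VirtualNetworkGateway": 1, "Default": 0}


def lookup(routes, dest):
    """Longest-prefix match; ties broken by route-source precedence. None if no route."""
    d = ipaddress.ip_address(dest)
    best_key, best = None, None
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if d not in net:
            continue
        key = (net.prefixlen, _SOURCE_RANK.get(r.source, -1))
        if best_key is None or key > best_key:
            best_key, best = key, r
    return best


def via_firewall(route, firewall_ip):
    """True only if the matched route hands the packet to the firewall's private IP."""
    return (route is not None and route.next_hop_type == "VirtualAppliance"
            and route.next_hop_ip == firewall_ip)


def check_path(spoke_nic_routes, gateway_subnet_routes, spoke_ip, onprem_ip, firewall_ip):
    """Resolve both legs and report whether each one transits the firewall.
    The firewall subnet's own routing (firewall -> gateway, firewall -> spoke) is not modelled."""
    fwd = lookup(spoke_nic_routes, onprem_ip)
    ret = lookup(gateway_subnet_routes, spoke_ip)
    fwd_ok, ret_ok = via_firewall(fwd, firewall_ip), via_firewall(ret, firewall_ip)
    return {"forward": fwd, "return": ret,
            "forward_via_fw": fwd_ok, "return_via_fw": ret_ok, "ok": fwd_ok and ret_ok}


# ---- constructed sample data (hypothetical addressing, not the poster's) ----
FIREWALL_IP = "10.0.1.4"                 # assumed Azure Firewall private IP in the hub (10.0.0.0/16)

SPOKE4_NIC = [                            # effective routes on a VM NIC in spoke 4 (10.4.0.0/16)
    Route("10.4.0.0/16", "VnetLocal"),
    Route("10.0.0.0/16", "VNetPeering"),                              # peering to the hub
    Route("192.168.0.0/16", "VirtualAppliance", FIREWALL_IP, "User"),  # UDR: on-prem via firewall
]

GATEWAY_SUBNET = [                        # route table associated with the hub GatewaySubnet
    Route("10.0.0.0/16", "VnetLocal"),
    Route("192.168.0.0/16", "VirtualNetworkGateway"),                 # on-prem, learned over the S2S tunnel
    Route("10.1.0.0/16", "VirtualAppliance", FIREWALL_IP, "User"),    # spokes 1-3 via firewall
    Route("10.2.0.0/16", "VirtualAppliance", FIREWALL_IP, "User"),
    Route("10.3.0.0/16", "VirtualAppliance", FIREWALL_IP, "User"),
    # no entry at all for 10.4.0.0/16 -> return traffic has nowhere to go
]

GATEWAY_SUBNET_FIXED = GATEWAY_SUBNET + [
    Route("10.4.0.0/16", "VirtualAppliance", FIREWALL_IP, "User"),    # the missing return route
]


def describe(result):
    def hop(r):
        return "NO ROUTE (dropped)" if r is None else f"{r.next_hop_type} {r.next_hop_ip or ''}".strip()
    return (f"forward -> {hop(result['forward'])} | return -> {hop(result['return'])} | "
            f"{'symmetric via firewall' if result['ok'] else 'ASYMMETRIC: fix the UDRs'}")


if __name__ == "__main__":
    for label, gw in (("missing return route", GATEWAY_SUBNET),
                      ("with spoke 4 UDR on GatewaySubnet", GATEWAY_SUBNET_FIXED)):
        print(f"{label:35} {describe(check_path(SPOKE4_NIC, gw, '10.4.0.10', '192.168.10.5', FIREWALL_IP))}")
```

To feed it real data, replace the two constructed lists with the `addressPrefix` / `nextHopType` / `nextHopIpAddress` / `source` fields from the `az` JSON output; the useful property of the check is that it looks at both tables together, since a spoke whose NIC routes look correct can still be unreachable when the GatewaySubnet has no route (or a route that bypasses the firewall) back to that spoke's prefix.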