Azure VNET user defined route though VPN gateway

Question

We have two on-premise locations (different IP-ranges) that both are connected to separate VNETs in Azure though site-to-site VPN and VPN gateways.

Devices at location 1 can reach resources in VNET1 and resources in VNET1 can reach on-premise resources at location 1.

Similary devices at location 2 can reach resources in VNET2 and resources in VNET2 can reach on-premise resources at location 2.

Now we want to setup some shared services (Kubernetes cluster) that can be reached from both on-premise locations and that can reach devices at both locations. Devices at location 1 should not reach devices at location 2.

I can use "allow gateway transition" on the one of the peerings. But I cannot use it on both since you can only have it if you don't already have a gateway and on max one peering.

So I've been looking into User Defined Routes (UDR). but I'm not having any luck.

On the "default" subnet in service vnet I try to define a route to 10.252.0.0/16 that's to use 192.168.30.1 (VNET 1 GW) as next hop. That does not work. Do I have to setup some virtual firewall appliance on the two vnets to route via?

Q: How can I make devices at location 1 and 2 access the shared Kubernetes services and how can the Kubernetes services access on-premise resources at both location 1 and 2.

The VNet peering does not pass on the connection from the location 1 to 2. And services in Service VNet can connect your resource in the location 1 and 2. So you do not need the UDR if you do not need to connect from location 1 to 2. — Charles Xu, Jan 15 '19 at 14:13
Like I said, I'm able to setup the first peering with "allow gateway transition" which allows the shared services access to location 1. But as soon as I try to do the same for location 2 I'm blocked because now, in effect, I have a gateway. If you still feel this should work I'm doing something wrong. — Paaland, Jan 15 '19 at 14:15
Sorry, I have misunderstood. So it seems there is a little problem. — Charles Xu, Jan 15 '19 at 14:43
Would you like to remove VNet2, then setup two S2S connections with one VPN gateway in VNet1, Also service Vnet use this remote gateway?See [multiple S2S connections](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-multi-site-to-site-resource-manager-portal) and this [scenario](https://stackoverflow.com/questions/51903183/connectivity-between-two-site-to-site-vpn-connections-connected-to-azure-vpn-gat) — Nancy, Jan 16 '19 at 02:21
I can't easily do this since the two locations are totally different. One is using policy based routing in an active active setup to two different ISPs. And the other is using the older static routing. Not much I can do with those connections. — Paaland, Jan 16 '19 at 07:02
Could you try to set an NVA in the each subnet of Vnet1 and Vnet2, then just keep Vnet peering? set UDR to route the service vnet traffic to local vnet, and add route table to route local vnet traffic to service vnet in local router. Refer to https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#gateways-and-on-premises-connectivity — Nancy, Jan 23 '19 at 01:26
@NancyXiong Yes, that's probably what I have to do. When you say NVA, what exactly does that mean? Tried placing a small Ubuntu VM in the VNET 2 and enabled ip-forwarding on both Ubuntu and the NIC via Azure Portal. The created a UDR for the default subnet in serice VNET with "next hop" set to the IP of the VM in VNET 2 and matching rule 10.253.0.0/16. Still the traffic does not go though the VPN. Should this have worked? If so I'll have to ask the VPN provider, perhaps it's blocking traffic outside of 192.168.40.0/24. — Paaland, Jan 23 '19 at 07:41
You could search `Virtual Appliance` in the Azure Marketplace and refer to this wonderful [blog](https://mouradcloud.westeurope.cloudapp.azure.com/blog/blog/2018/07/19/build-azure-hub-and-spoke-using-pfsense-nva-udr-vnet-peering-and-vpn-on-local-router/) to set the UDR. — Nancy, Jan 23 '19 at 09:40

Azure VNET user defined route though VPN gateway

0 Answers0