I'm working on setting up a site-to-site VPN over an ExpressRoute circuit's private peering, mainly driven by regulations that require encryption for PII data in transit. I plan to use a VPN gateway with private IPs and no BGP configuration. The on-premises VPN will terminate at two FortiGate firewalls configured in high availability. I've already checked Microsoft's documentation on configuring a site-to-site VPN connection over ExpressRoute private peering and using it as a backup for ExpressRoute.
Here's a bit about my current setup:
- I'm using a hub and spoke network topology.
- There's an Azure firewall in the hub VNet to manage ingress and egress traffic.
- Spoke subnets route traffic to the Azure firewall's internal IP.
- An ExpressRoute circuit has been provisioned, advertising the hub VNet and the peered spoke VNet CIDR ranges to on-premises.
Now, I have a couple of questions:
1. The docs suggest that specific CIDR ranges can be advertised over the site-to-site VPN, while broader Azure CIDRs will travel via the ExpressRoute. What routing approach should I take to prefer certain CIDR ranges?
2. As local network gateways require a public IP, I'm wondering if this contradicts the intent of an overlay VPN if I'm trying to keep traffic encrypted over the ExpressRoute. Can local network gateways define the FortiGate VPN's endpoint IP, which normally would be a public IP?
4 Answers
I think the confusion stems from that second link you mentioned. It primarily covers using a S2S VPN as a backup when your ExpressRoute goes down, which might not be aligned with what you're trying to do. As for your first question regarding routing, routers generally prioritize the most specific (or smaller) CIDR block when forwarding decisions are made. You could set up exceptions by defining narrower routes, aligning with your spoke subnet’s routing to ensure they prioritize going to the VPN gateway. Just configure your routes carefully, and it should work as you envision!
You might find this video helpful! It breaks down similar setups and could give you a visual understanding of how to configure things properly: https://youtu.be/SJKXSMcSIVk?si=rM7uFnVgn9ZktZN_
It sounds like you’re right about wanting a VPN tunnel over an ExpressRoute tunnel. Just to clarify, the local network gateway requiring a public IP might seem confusing at first. Essentially, in a private to private setup, you would create an IPsec tunnel without the need for public IPs, as your traffic will be tunneled privately. Just check the steps in Microsoft's docs you mentioned, focusing particularly on the PowerShell steps to run the tunnel as private to private. That should help clear things up!
You're spot on regarding navigating the complexities. Yes, you can set up a VPN tunnel over an ExpressRoute tunnel. Just remember not to configure BGP since you want to keep it pretty straightforward. But since you have an Azure firewall in the hub, make sure that your routing aligns with that too, ensuring traffic flows correctly between the firewall and VPN gateway. And about the public IP, in theory, having a public IP could complicate the overlay concept, so just make sure your VPN gateway setup reflects your design preferences!
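As an added illustration of the longest-prefix-match reasoning in the routing answer above and the "align routing with the Azure Firewall" point in this one (example code, not from the thread or from Microsoft), here is a small Python model of Azure's effective-route selection: longest prefix first, then user-defined routes over gateway-learned routes over system routes. All addresses, the on-premises ranges and the firewall IP are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Tie-break order Azure applies when two matching routes have the same prefix
# length: user-defined > gateway-learned (BGP/ExpressRoute/VPN) > system.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

@dataclass(frozen=True)
class Route:
    prefix: str    # CIDR the route covers
    next_hop: str  # next-hop label (constructed, not Azure's literal names)
    source: str    # "User", "VirtualNetworkGateway" or "Default"

def select_route(routes, dest_ip):
    """Longest-prefix match with Azure's source tie-break; None if nothing matches."""
    dest = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                          -SOURCE_PRIORITY[r.source]))

FIREWALL_IP = "10.0.1.4"  # constructed Azure Firewall private IP in the hub

# Spoke subnet: a single UDR forces all non-local traffic through the firewall.
SPOKE_ROUTES = [
    Route("10.1.0.0/16", "VnetLocal", "Default"),
    Route("0.0.0.0/0", f"VirtualAppliance {FIREWALL_IP}", "User"),
]

# AzureFirewallSubnet in the hub: ExpressRoute private peering advertises the
# whole (constructed) on-prem range, while the S2S VPN's local network gateway
# address space carries only the narrower PII subnet. Longest-prefix match
# sends the PII subnet to the VPN gateway and the rest stays on ExpressRoute.
HUB_FIREWALL_SUBNET_ROUTES = [
    Route("10.0.0.0/16", "VnetLocal", "Default"),
    Route("192.168.0.0/16", "ExpressRouteGateway", "VirtualNetworkGateway"),
    Route("192.168.50.0/24", "VpnGateway", "VirtualNetworkGateway"),
]

def path_from_spoke(dest_ip):
    """Return the hop sequence a packet from the spoke takes to dest_ip."""
    hops = []
    first = select_route(SPOKE_ROUTES, dest_ip)
    hops.append(first.next_hop)
    if first.next_hop.startswith("VirtualAppliance"):
        second = select_route(HUB_FIREWALL_SUBNET_ROUTES, dest_ip)
        hops.append(second.next_hop if second else "None")
    return hops
```

The second hop is decided by the firewall subnet's effective routes, not the spoke's, which is why the VPN-versus-ExpressRoute split has to be correct in the hub as well.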