Hey folks! I'm diving into a project that needs to connect remote workers via Azure VPN to access on-prem resources through ExpressRoute. My architecture is fairly straightforward: I have a hub-and-spoke model consisting of one hub and three spokes. The ExpressRoute gateway is located in the hub's gateway subnet, and there's also an Azure Firewall in the hub that manages traffic moving between the spokes and on-premises. I'm looking for advice on the best way to achieve this kind of setup. I've struggled to find helpful information specifically about combining Point-to-Site (P2S) VPN with ExpressRoute—most resources only discuss Site-to-Site (S2S) connections. Any insights would be greatly appreciated!
1 Answer
To redirect some traffic to the VPN instead of ExpressRoute, you'll need to ensure that on the on-premises side, you don't publish those address spaces and set them up in phase 2 of the VPN. Just remember that any routes missing in ExpressRoute should be covered by the VPN to keep things running smoothly. Alternatively, you could utilize a route server, but that can get quite pricey. Just a heads up!
I’m mainly looking for remote users to access certain on-prem resources, like RDP to local machines. I really want to avoid a route server due to cost. Currently, I have two virtual network gateways in the hub (one for ExpressRoute and another for the P2S VPN clients). I'm able to connect to Azure hosts in the spokes, but I can’t see any traffic reaching the on-prem hosts.
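A small offline check for the two things the answer above hinges on: whether every on-prem destination the remote users need is covered by a route the VPN gateway knows (via ExpressRoute or added on the VPN side), and whether the P2S client pool is advertised back to on-prem so replies have a return path. This is an added example, not code from the thread; it assumes the `{"value": [{"network": ..., "origin": ..., "sourcePeer": ...}]}` shape of `az network vnet-gateway list-learned-routes` / `list-advertised-routes` output, and all prefixes are constructed placeholders.

```python
import ipaddress
import json

# Constructed samples (placeholder prefixes) modelled on the GatewayRoute
# objects returned by `az network vnet-gateway list-learned-routes` and
# `az network vnet-gateway list-advertised-routes --peer <on-prem BGP peer>`.
LEARNED = json.loads("""{"value": [
  {"network": "10.10.0.0/16",     "origin": "Network", "sourcePeer": "10.10.255.4"},
  {"network": "10.11.0.0/16",     "origin": "EBgp",    "sourcePeer": "10.10.255.4"},
  {"network": "192.168.10.0/24",  "origin": "EBgp",    "sourcePeer": "10.10.255.4"}
]}""")
ADVERTISED = json.loads("""{"value": [
  {"network": "10.10.0.0/16", "origin": "Network", "sourcePeer": "192.168.255.1"}
]}""")


def uncovered_prefixes(routes, needed):
    """Return the needed destinations (e.g. the on-prem RDP subnets) that no
    route in the gateway table covers. Anything listed here must either be
    advertised over ExpressRoute or be added on the VPN side."""
    nets = [ipaddress.ip_network(r["network"]) for r in routes["value"]]
    return [p for p in needed
            if not any(ipaddress.ip_network(p).subnet_of(n) for n in nets)]


def pool_advertised(routes, p2s_pool):
    """True if the P2S client address pool (or a covering prefix) is in the
    routes advertised to the on-prem peer, i.e. on-prem has a return route."""
    pool = ipaddress.ip_network(p2s_pool)
    return any(pool.subnet_of(ipaddress.ip_network(r["network"]))
               for r in routes["value"])


def report(learned, advertised, needed, p2s_pool):
    """Collect human-readable findings for the two checks."""
    findings = [f"no route to {p}: advertise it over ExpressRoute or add it to the VPN"
                for p in uncovered_prefixes(learned, needed)]
    if not pool_advertised(advertised, p2s_pool):
        findings.append(f"P2S pool {p2s_pool} is not advertised to on-prem: "
                        "replies from on-prem hosts have no return path")
    return findings


if __name__ == "__main__":
    # Placeholder on-prem subnets the remote users need and a placeholder P2S pool.
    for f in report(LEARNED, ADVERTISED,
                    ["192.168.10.0/24", "192.168.20.0/24"], "172.16.0.0/24"):
        print("FINDING:", f)
```

Feed it the real CLI output (`az ... -o json`) for the P2S gateway and compare the findings against the on-prem hosts the users cannot reach.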