ExpressRoute Coexist with VPN tunnel built with NVA for peered Vnets

Category: azure virtualnetwork


GuardNet on Wed, 01 Mar 2017 23:42:02

We have not set up ExpressRoute yet due to SP delay.

We are using an NVA (not an Azure gateway; it is a virtual Check Point) to build a VPN tunnel between Azure and our on-prem network.

All the VNets are currently peered, and that NVA functions as the route gateway for all VNets for:

a) bi-directional traffic between on-prem and Azure

b) traffic from Azure to the internet (for inspection purposes)


1) When the ExpressRoute is ready, can the current VPN tunnel be kept as a backup of ExpressRoute for a) type of traffic?

AND simultaneously

2) That VPN tunnel keeps working as gateway & inspection point for b) type of traffic.




Loydon Mendonca on Thu, 02 Mar 2017 14:00:34

Which NVA are you using? When you say VPN tunneling using the NVA to on-premise, are you referring to forced tunneling or an actual site-to-site using your NVA?

GuardNet on Thu, 02 Mar 2017 17:44:22

Site-to-site VPN between our on-prem firewall and NVA (virtual Check Point).

Loydon Mendonca on Thu, 02 Mar 2017 17:59:34

The NVA-based on-prem connection cannot be an automatic failover; it depends on the UDR and the type of ExpressRoute failure. If all BGP routes are withdrawn due to ExpressRoute failure, then traffic could take the NVA path if UDRs are configured correctly.
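
The route selection behind the reply above, as an added example that is not part of the original thread: a small model of how Azure picks an effective route (longest prefix match, then user-defined over BGP over system routes), showing when on-prem traffic falls back to the NVA after the ExpressRoute BGP routes are withdrawn. The prefixes, next-hop labels and function names are constructed for illustration.

```python
import ipaddress

# Tie-break order when two matching routes have the same prefix length.
SOURCE_PRIORITY = {"user": 0, "bgp": 1, "system": 2}


def effective_route(routes, dest_ip):
    """Pick the route for dest_ip: longest prefix first, then source priority."""
    dest = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if dest in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return min(
        matches,
        key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                       SOURCE_PRIORITY[r["source"]]),
    )


def next_hop(routes, dest_ip):
    route = effective_route(routes, dest_ip)
    return route["next_hop"] if route else None


def withdraw_bgp(routes):
    """Model an ExpressRoute failure in which all BGP routes disappear."""
    return [r for r in routes if r["source"] != "bgp"]


ON_PREM = "10.50.0.0/16"  # constructed on-prem prefix learned over ExpressRoute

# Layout A: the only UDR is the default route to the NVA (internet inspection).
ROUTES_BACKUP = [
    {"prefix": "0.0.0.0/0", "source": "system", "next_hop": "Internet"},
    {"prefix": "0.0.0.0/0", "source": "user", "next_hop": "NVA"},
    {"prefix": ON_PREM, "source": "bgp", "next_hop": "ExpressRoute"},
]

# Layout B: a UDR for the same on-prem prefix also points at the NVA.
ROUTES_OVERRIDE = ROUTES_BACKUP + [
    {"prefix": ON_PREM, "source": "user", "next_hop": "NVA"},
]

if __name__ == "__main__":
    for name, table in (("A", ROUTES_BACKUP), ("B", ROUTES_OVERRIDE)):
        print(name, "on-prem, ER up:  ", next_hop(table, "10.50.1.4"))
        print(name, "on-prem, ER down:", next_hop(withdraw_bgp(table), "10.50.1.4"))
        print(name, "internet:        ", next_hop(table, "203.0.113.10"))
```

In layout A the NVA path is used for on-prem traffic only once the BGP routes are gone, while internet-bound traffic is inspected throughout; in layout B the equal-length UDR wins over BGP, so on-prem traffic never uses ExpressRoute.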

GuardNet on Thu, 02 Mar 2017 18:16:42

Can we also use that site-to-site VPN for passing traffic from Azure to the Internet? On-premise <--> Azure will use ExpressRoute.

Loydon Mendonca on Thu, 02 Mar 2017 18:27:54

ExpressRoute and S2S can co-exist. Refer to "Configure ExpressRoute and Site-to-Site coexisting connections" for the classic deployment model.

GuardNet on Thu, 02 Mar 2017 18:39:17

I understand they could co-exist. My question is: when S2S functions as backup of ER, can S2S still carry other traffic, or does it just work as standby for ER failure?

The document seems to say that S2S can only work passively as standby for ER in co-exist scenarios.

Please confirm.

Loydon Mendonca on Thu, 02 Mar 2017 18:55:21

Yes, you got that right. So basically, since your gateway will be connected to the same local network, S2S can only be used as a failover but not work together with ExpressRoute referencing the same on-premise local network.