ExpressRoute private peering - site-to-site VPN overlay

Joshua Musiyarira 0 Reputation points
2025-07-16T22:58:54.9566667+00:00

I have an upcoming task:

  • Design and configure a site-to-site VPN over an ExpressRoute circuit private peering, and I have some questions around routing.
  • This has been driven by regulation that enforces encryption of PII data in transit.
  • The intention is to use a VPN gateway with private IPs enabled and no BGP config. On-premises VPN termination points will be two FortiGate firewalls deployed in HA.

I've read through MSFT docs:

High-level architecture of the existing environment

  • Hub-and-spoke network topology
  • Existing Azure Firewall in the hub VNet, controlling ingress/egress traffic flow
  • Spoke subnets have routes that set the next hop IP to the internal IP address of the Azure Firewall
  • ExpressRoute circuit provisioned and advertising hub VNet and peered spoke VNet CIDR ranges to on-premises via BGP

Questions

  • The documentation alludes to advertising specific CIDR ranges over the S2S VPN, while larger Azure CIDRs traverse the ExpressRoute circuit. However, what is the routing approach?
    • My thought process on ensuring Azure prefers specific CIDR ranges was that a spoke subnet would have a route to the Azure Firewall > the firewall would then offload packets to the gateway subnet > the gateway subnet would then have a next hop IP of the VPN gateway > the VPN gateway forwards traffic to the on-premises FortiGate VPNs.
  • Local network gateways require a public IP, but surely that would negate the point of an overlay VPN. The intention is for traffic to traverse the ExpressRoute circuit in an encrypted tunnel. Would local network gateways support defining the FortiGate VPN endpoint IP, where you would typically set an on-premises public IP?

Apologies if my thought process seems all over the place! I seem to have hit a wall when it comes to understanding the design from a high level and route preference!


1 answer

  1. G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator
    2025-07-17T00:35:08.93+00:00

    Hello Joshua Musiyarira

    Thank you for the detailed explanation. I have provided my response based on your question to help clarify things.

    1. Your thought process is on the right track, but let’s clarify the routing approach based on Microsoft’s documentation for Configure a Site-to-Site VPN connection over ExpressRoute private peering and the hub-and-spoke topology described in Hub-and-spoke network topology in Azure.

    1. In each spoke VNet, configure a route table with user-defined routes (UDRs) that direct specific CIDR ranges to the internal IP of the Azure Firewall. This ensures all traffic is inspected centrally.
    2. Firewall to gateway subnet: in the hub VNet, configure a route table on the GatewaySubnet to forward those specific CIDR ranges to the internal IP of the VPN Gateway. This allows the firewall to offload selected traffic to the VPN Gateway.
    3. Ensure the Azure Firewall allows traffic to flow to the VPN Gateway. You may need to update firewall rules to permit traffic for the specific CIDR ranges that should go over the VPN.
    4. This setup ensures that traffic for sensitive CIDR ranges is routed through the VPN Gateway for encryption, while all other traffic continues to use the ExpressRoute private peering path.

    This approach ensures that traffic for specific CIDR ranges is routed through the VPN Gateway for encryption, while other traffic uses the ExpressRoute private peering directly, as described in the documentation.

    Azure doesn’t use BGP in your case, so you control routing using UDRs. To make Azure prefer the VPN path for specific traffic:

    • You advertise more specific IP ranges (e.g. 10.0.1.0/24) over the VPN.
    • You advertise broader ranges (e.g. 10.0.0.0/16) over ExpressRoute.

    Because routing always prefers the most specific match, traffic to 10.0.1.0/24 will go through the VPN tunnel, while everything else uses ExpressRoute.

    2. Yes, your understanding was correct: normally, LNGs require a public IP because the VPN tunnel is built over the public Internet. But in this case, the VPN tunnel is built over the private ExpressRoute circuit, not the Internet.

    Since both the Azure VPN Gateway and the on-premises FortiGate firewalls are reachable via private IPs over ExpressRoute, you can use RFC1918 addresses for both ends of the tunnel.

    You can configure the LNG with a private IP address when using ExpressRoute private peering. This is explicitly supported by Microsoft:

    “You can configure a Site-to-Site VPN to a virtual network gateway over an ExpressRoute private peering using an RFC 1918 IP address.” as documented at https://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-vpn-private-peering

    This means that the FortiGate firewalls can use private IPs as VPN endpoints and Azure VPN Gateway must have private IPs enabled.

    • The VPN tunnel is established entirely over the ExpressRoute private circuit, not the public Internet.
    • This allows you to encrypt traffic over ExpressRoute, satisfying regulatory requirements for PII in transit.

    I hope this helps! If this answers your query, do click "Upvote" and "Accept the answer", which might be beneficial to other community members reading this thread.

    If the above is unclear or you are unsure about something, please add a comment below.

    Thank you

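As an added example (not code from the question, the answer, or the Microsoft doc), the spoke UDR and the private-IP gateway, LNG and connection pieces of the design above as a Bicep fragment. Resource names, the firewall and FortiGate IPs, and the GatewaySubnet and public IP parameters are assumed placeholders; the 10.0.1.0/24 and 10.0.0.0/16 prefixes are the ones used in the answer.

```bicep
param location string = resourceGroup().location
param gatewaySubnetId string       // hub GatewaySubnet id (shared with the ER gateway), assumed
param gatewayPublicIpId string     // required by the gateway SKU; the overlay tunnel itself does not use it
param firewallPrivateIp string = '10.100.0.4'      // hub Azure Firewall internal IP (constructed placeholder)
param fortigatePrivateIp string = '192.168.100.1'  // FortiGate VPN endpoint reachable over ER (constructed placeholder)
@secure()
param sharedKey string
// 1. Spoke UDR: only the PII prefix is steered to the firewall; 10.0.0.0/16 keeps its ExpressRoute gateway route.
resource rtSpoke 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-spoke-pii'
  location: location
  properties: {
    routes: [ { name: 'pii-range-via-firewall', properties: { addressPrefix: '10.0.1.0/24', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } } ]
  }
}
// 2. LNG whose gateway address is the FortiGate's private (RFC 1918) IP, not a public one.
resource lng 'Microsoft.Network/localNetworkGateways@2023-09-01' = {
  name: 'lng-fortigate-ha'
  location: location
  properties: {
    gatewayIpAddress: fortigatePrivateIp
    localNetworkAddressSpace: { addressPrefixes: [ '10.0.1.0/24' ] }  // the specific range the VPN carries (no BGP)
  }
}
// 3. VPN gateway with private IP enabled, the prerequisite for S2S over ER private peering.
resource vpnGw 'Microsoft.Network/virtualNetworkGateways@2023-09-01' = {
  name: 'vgw-hub-overlay'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    enablePrivateIpAddress: true
    sku: { name: 'VpnGw1AZ', tier: 'VpnGw1AZ' }
    ipConfigurations: [ { name: 'default', properties: { subnet: { id: gatewaySubnetId }, publicIPAddress: { id: gatewayPublicIpId } } } ]
  }
}
// 4. Connection that uses the gateway's private IP as the local tunnel endpoint.
resource conn 'Microsoft.Network/connections@2023-09-01' = {
  name: 'cn-overlay-to-fortigate'
  location: location
  properties: {
    connectionType: 'IPsec'
    useLocalAzureIpAddress: true
    sharedKey: sharedKey
    virtualNetworkGateway1: { id: vpnGw.id, properties: {} }
    localNetworkGateway2: { id: lng.id, properties: {} }
  }
}
```

After deployment, checking the effective routes of the firewall's subnet should show 10.0.1.0/24 with a VirtualNetworkGateway next hop alongside the broader ExpressRoute-learned 10.0.0.0/16, which is the longest-prefix-match behaviour the answer relies on.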
