Is a VNet gateway required in case the Site-to-Site tunnel from on-prem to Azure is terminated on a firewall?

Nadeem Hussain Joo 51 Reputation points
2025-08-01T06:14:15.11+00:00

I have 3 subscriptions, namely network, which will serve as the hub, and infra01 and infra02, which are spokes, each with its own VNet. I require a Fortigate next-gen firewall in the Network subscription to set up the site-to-site connectivity with on-premises infrastructure.

Additionally, I want to set up VNet-to-VNet peering in Azure where each spoke will communicate via the hub. The internal VNet-to-VNet traffic will flow through the Microsoft backbone network.

Do we need a VPN gateway, Route Server, or any such thing in case the site-to-site tunnel is terminated on the firewall?

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

3 answers

  1. Andreas Baumgarten 125.3K Reputation points MVP Volunteer Moderator
    2025-08-01T07:23:20.5733333+00:00

    Hi @Nadeem Hussain Joo ,

    If I got your environment right, you don't need any additional resources to communicate from on-premises to the hub, infra01 and infra02.

    If the firewall rules are set properly and all the routing information is available in all 4 network environments (on-premises, hub, infra01 and infra02), it should work.


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten


  2. JimmySalian-2011 43,251 Reputation points
    2025-08-01T08:16:49.99+00:00

    Hi Nadeem

    Yes, as per MS and best practice, in a hub-and-spoke network architecture gateway transit allows spoke virtual networks to share the VPN gateway in the hub, instead of deploying VPN gateways in every spoke virtual network. Routes to the gateway-connected virtual networks or on-premises networks propagate to the routing tables of the peered virtual networks using gateway transit.

    I would suggest you review the VPN GW requirements and why it is used before making a decision, as scenarios and requirements differ. The best place to start is https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.


  3. Thanmayi Godithi 230 Reputation points Microsoft External Staff Moderator
    2025-08-01T11:28:04.1833333+00:00

    Hi @Nadeem Hussain Joo,

    Thank you for reaching out on Microsoft Q&A forum.

    I understand that you're asking whether a VPN Gateway or Route Server is required if a Site-to-Site VPN tunnel from your on-premises environment is terminated on a FortiGate Next-Generation Firewall deployed in the Hub VNet (within the Network subscription), and you are using VNet peering to connect spoke VNets in Infra01 and Infra02 subscriptions via the Microsoft backbone.


    Short Answer: No, you don't need a VPN Gateway or Route Server for basic hub-spoke connectivity with VNet peering when the FortiGate handles site-to-site connectivity.

    Detailed Analysis:

    Your Architecture Design: 

    With FortiGate in the hub subscription handling site-to-site connectivity:

    • Network (Hub) Subscription: FortiGate firewall + Hub VNet
    • Infra01 & Infra02 (Spokes): Individual VNets with VNet peering to hub
    • Connectivity: Site-to-site VPN terminated on FortiGate
    • Inter-VNet Traffic: Hub-spoke via Microsoft backbone (VNet peering)

    VPN Gateway is NOT Required because:

    • FortiGate NVA handles the site-to-site VPN termination
    • VPN Gateway would be redundant since FortiGate provides VPN connectivity
    • You're using VNet peering for spoke-to-hub communication, not gateway transit
    • FortiGate can handle both security and routing functions

    Route Server is NOT Required for basic setup because:

    • VNet peering handles spoke-to-hub-to-spoke routing automatically
    • Route Server is primarily needed for dynamic BGP route advertisement between NVAs and Azure SDN
    • Your internal VNet-to-VNet traffic flows through Microsoft backbone via peering

    What You DO Need

    1. User Defined Routes (UDRs)

    Create UDRs on spoke subnets to direct traffic appropriately:

    Spoke subnet route table:

    • On-premises prefixes → FortiGate internal IP (next hop)
    • Internet traffic (0.0.0.0/0) → FortiGate internal IP (if centralized internet egress required)

    For reference: Azure virtual network traffic routing | Microsoft Learn

    2. VNet Peering Configuration

    Configure peering between hub and spokes:

    • Hub-to-Spoke peering: Allow forwarded traffic = Enabled
    • Spoke-to-Hub peering: Allow forwarded traffic = Enabled
    • Use remote virtual network gateway = Disabled (since no VPN gateway)

    For reference: Azure Virtual Network Peering | Microsoft Learn

    3. FortiGate Configuration
    • Site-to-site VPN configuration for on-premises connectivity
    • Firewall policies for inter-VNet and on-premises traffic
    • Static routes or BGP (if needed) for on-premises prefixes
    • Enable IP forwarding on FortiGate NICs
    • Configure the routes within the FortiGate firewall to ensure traffic flows correctly between on-premises, hub, and spoke VNets

    For reference: Deploy Highly Available NVAs - Azure Architecture Center | Microsoft Learn

    Traffic Flow Examples:

    1. Spoke-to-On-premises:

    Infra01 VM → UDR → FortiGate (Hub) → Site-to-site VPN → On-premises

    2. On-premises-to-Spoke:

    On-premises → Site-to-site VPN → FortiGate → Hub VNet → VNet Peering → Spoke VNet

    Recommended Implementation

    For your current requirements:

    • Deploy FortiGate in hub subscription with two NICs (external + internal)
    • Enable IP forwarding on FortiGate NICs
    • Configure VNet peering between hub and spokes with forwarded traffic enabled
    • Create UDRs on spoke subnets directing on-premises traffic to FortiGate
    • Configure internal FortiGate routes to forward traffic appropriately
    • Configure site-to-site VPN on FortiGate to on-premises
    • Leave spoke-to-spoke traffic to flow naturally via VNet peering (Microsoft backbone)

    This design provides:

    • Centralized security via FortiGate
    • Site-to-site connectivity to on-premises
    • High-performance spoke-to-spoke via Microsoft backbone
    • Simplified management

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

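The spoke-side pieces of the answer above (the UDR pointing on-premises prefixes at the FortiGate and the spoke-to-hub peering with forwarded traffic allowed and remote gateways disabled) as a Bicep template. This is an added example, not code from the thread or from Microsoft; the FortiGate internal IP, the on-premises prefix, the VNet names and the hub VNet resource ID are assumed placeholder values.

```bicep
// Added example: spoke (infra01) subscription resources for the NVA-terminated S2S design.
// All addresses and names below are assumed; replace them with your own.
param location string = resourceGroup().location
param fortigateInternalIp string = '10.0.1.4'        // assumed: FortiGate internal NIC IP in the hub
param onPremPrefix string = '192.168.0.0/16'         // assumed: on-premises address space
param spokeVnetName string = 'infra01-vnet'          // assumed: existing spoke VNet in this subscription
param hubVnetId string                               // assumed: resource ID of the hub VNet in the network subscription

// UDR: send on-premises-bound traffic from the spoke to the FortiGate, not to a (non-existent) VPN gateway.
// No 0.0.0.0/0 route is defined here; add one only if centralized internet egress via the NVA is wanted.
resource spokeRouteTable 'Microsoft.Network/routeTables@2023-11-01' = {
  name: 'rt-infra01-workload'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'to-onprem-via-fortigate'
        properties: {
          addressPrefix: onPremPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fortigateInternalIp
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-11-01' existing = {
  name: spokeVnetName
}

// Spoke-to-hub peering. Forwarded traffic must be allowed so packets the FortiGate forwards
// from on-premises (source IP outside the hub address space) are accepted by the spoke.
// useRemoteGateways stays false: there is no VPN gateway in the hub, the NVA terminates the tunnel.
resource spokeToHubPeering 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-11-01' = {
  parent: spokeVnet
  name: 'infra01-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnetId }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}

output routeTableId string = spokeRouteTable.id   // associate this with the spoke workload subnet
```

The matching hub-to-spoke peering (also with allowForwardedTraffic enabled) is deployed in the network subscription, and the route table output above still has to be associated with the spoke workload subnet; the FortiGate NICs need enableIPForwarding set on the hub side for the UDR next hop to work.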
