Everest_Aponte
Explorer

Announce networks behind remote peer VPN to Virtual Network Gateway. Azure

Hello Everybody

I have the following request,

We have an environment on Azure (R80.20 Cluster) and access to on-premises networks through ExpressRoute. We're configuring a VPN tunnel using VTIs with a 3rd party (Cisco). So, I would like to know if it is possible to announce the networks behind the remote VPN peer, for example 10.236.150.128/27, on my virtual network gateway in order to announce it via BGP to the on-premises networks.

Thank you so much for your attention and comments

Best regards

Everest


Accepted Solutions
Matthias_Haas
Advisor

Hi Everest,

I am not sure if this is working and I cannot test it in my Azure environment as I do not have an ER running, but maybe it's worth trying:

You could add the remote peer network as an additional address space on the VNET where your Check Point GW is deployed:

This should cause BGP to propagate that network to OnPrem.

In addition you may have to modify your UDRs so that the remote peer network is actually routed to the Check Point GW (you should already have such UDRs, I guess).

Matthias

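The two steps of the accepted answer (extra VNet address space, then a UDR towards the cluster) as an added Az PowerShell example; this is not code from the thread, the resource names and the cluster next-hop IP are assumptions, and the prefixes are the ones Everest posted.

```powershell
# Added example, not from the thread. Names below are assumptions; the prefixes
# come from Everest's post.
$rg        = 'rg-hub'              # assumed resource group
$vnetName  = 'vnet-hub'            # assumed VNet hosting the Check Point cluster
$rtName    = 'rt-to-checkpoint'    # assumed UDR table that already points at the cluster
$cpNextHop = '10.236.1.10'         # assumed cluster address inside 10.236.1.0/24
$peerNet   = '10.236.150.128/29'   # remote VPN peer network from the thread

# 1. Add the remote peer network as an additional VNet address space.
#    The ExpressRoute gateway advertises the VNet's address prefixes to on-premises
#    over BGP, so this is what makes 10.0.0.0/8 learn a route for the peer network.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
if ($vnet.AddressSpace.AddressPrefixes -notcontains $peerNet) {
    $vnet.AddressSpace.AddressPrefixes.Add($peerNet)
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}

# 2. Steer traffic for the peer network to the Check Point gateway.
#    A prefix that belongs to the VNet but to no subnet has no next hop on its own,
#    so packets arriving from ER would be dropped without this route. Associate the
#    table with the GatewaySubnet (ER return path) as well as the workload subnets.
$rt = Get-AzRouteTable -ResourceGroupName $rg -Name $rtName
if (-not ($rt.Routes | Where-Object AddressPrefix -eq $peerNet)) {
    $rt | Add-AzRouteConfig -Name 'to-vpn-peer' -AddressPrefix $peerNet `
          -NextHopType VirtualAppliance -NextHopIpAddress $cpNextHop |
        Set-AzRouteTable | Out-Null
}

# 3. Verify: the VNet lists both prefixes and the UDR carries the peer route.
(Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName).AddressSpace.AddressPrefixes
(Get-AzRouteTable -ResourceGroupName $rg -Name $rtName).Routes |
    Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress
```

Check the on-premises router's BGP table afterwards to confirm 10.236.150.128/29 is learned over the ER peering; the Check Point VPN domain must also include it for the tunnel to match the traffic.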

3 Replies
Tommy_Forrest
Advisor

Are you aiming to have a IPSEC tunnel across Express Route?

Or are you trying to stand up a tunnel across the internet to your CloudGuard gateways for backup?

Or are you trying to stand up tunnels to your CloudGuard gateways from external internet peers and you need internal resources to go across ER to your CloudGuard gateway and then out to the internet?

Everest_Aponte
Explorer

Hello Tommy

Thanks for your contact

Basically, We're configuring a Site to Site VPN with a Customer. 

Site to Site VPN based on VTIs

Peer Remote (Customer) ------------ INTERNET ------------ Peer CheckPoint on AZURE

Environment Azure

Peer CheckPoint on AZURE -------------- ER -------------- ON-Premises

Network Remote Peer: 10.236.150.128/29 

Network Peer CheckPoint on Azure: 10.236.1.0/24

Network ON Premises: 10.0.0.0/8 

The flow of Traffic: Bidirectional between 10.236.150.128/29 (remote peer network) and 10.0.0.0/8 (OnPremises network) 

Yes, this traffic has to go across the ExpressRoute. We need to announce these VPN networks on the Virtual Network Gateway.

Thank you so much

Everest