Multiple VNet Gateway Transit Configuration: AWS Site-to-Site VPN and Employee Access

Question

Multiple VNet Gateway Transit Configuration: AWS Site-to-Site VPN and Employee Access

Madilyn King 0

I'm configuring a site-to-site VPN connection between AWS and Azure using Azure Virtual Network Gateway. I have the following setup:

A VNet (VNet-A) that is peered with another VNet (VNet-B)
Gateway transit is enabled (checkbox for 'Enable VNet-A to use VNet-B's remote gateway or route server' is checked)
VNet-B already has a Virtual Network Gateway (Virtual Network Gateway)

My questions are:

I'm trying to put a Virtual Network Gateway in VNet-C and peer it, but it won't let me.
If I have a third VNet (VNet-C) that's also peered with VNet-B, can I enable the checkbox for 'Enable VNet-C to use VNet-B's remote gateway or route server' even though we already have this checked for VNet-A to VNet-B? Will this allow resources in both VNet-A and VNet-C to access AWS through the single gateway in VNet-B?

What's the recommended approach to establish connectivity between AWS and all these VNets? Should I use the existing gateway in VNet-B to handle both the AWS connection and our internal employee VPN access? I'm configuring a site-to-site VPN connection between AWS and Azure using Azure Virtual Network Gateway. I have the following setup:

A VNet (VNet-A) that is peered with another VNet (VNet-B)
Gateway transit is enabled (checkbox for 'Enable VNet-A to use VNet-B's remote gateway or route server' is checked)
VNet-B already has a Virtual Network Gateway (VPN Gateway)

My questions are:

I'm trying to put a Virtual Network Gateway in VNet-C and peer it, but it won't let me.
If I have a third VNet (VNet-C) that's also peered with VNet-A, can I enable the checkbox for 'Enable VNet-C to use VNet-A's remote gateway or route server' even though we already have this checked for VNet-A to VNet-B?

What's the recommended approach to establish connectivity between AWS and all these VNets? Should I use the existing gateway in VNet-B to handle both the AWS connection and our internal employee VPN access? I really don't want customers mingled with our personal subscription and VNet-C.

Praveen Bandaru 2,835 Reputation points Microsoft External Staff

2025-04-14T18:14:41.08+00:00
Hello Madilyn King

I understand that you want to set up a connectivity from AWS to Azure, and you have three VNETs in Azure.

It is not necessary to create a separate VPN gateway on VNET C. Instead, you can peer VNET C with VNET B and enable the use of VNET B's remote gateway on VNET C during the VNET peering process.

Here, multiple Spokes can connect to the HUB VNET single gateway, allowing all the spokes resources to communicate with your AWS Gateway over a Site-to-Site VPN connection.

Check the below document for more understanding:

Secured hub and spoke network

VPN gateway transit for virtual network peering

I really don't want customers mingled with our personal subscription and VNet-C.

Since you want to establish connectivity between AWS and multiple Azure VNets while keeping customer traffic separate from your personal subscription and VNet-C, here’s a recommended approach:

Option 1: Use Separate Gateways

VNet-B handles employee VPN access while maintain the existing gateway in VNet-B exclusively for internal VPN connections (employees).

Deploy a separate VPN Gateway in a different VNet (VNet-A or another dedicated VNet) for AWS connectivity.

Use VNet Peering between the VNets that need access to AWS, ensuring controlled routing.

Option 2:

You can leverage Azure Virtual WAN allows centralized network connectivity, simplifying management of multi-cloud connectivity.

You can establish secured connections to AWS, while isolating customer traffic from internal subscriptions

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members
Praveen Bandaru 2,835 Reputation points Microsoft External Staff

2025-04-15T10:57:11.1133333+00:00

Hello Madilyn King

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Praveen Bandaru 2,835 Reputation points Microsoft External Staff

2025-04-15T18:25:11.41+00:00

Hello Madilyn King

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Praveen Bandaru 2,835 Reputation points Microsoft External Staff

2025-04-16T16:54:12.66+00:00

Hello Madilyn King

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to "Accept the answer "and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Madilyn King 0 Reputation points

2025-04-16T19:40:18.8333333+00:00

Hi Praveen,

I can't use Option 1 because I need both the VNet with employees point-to-site and the other VNet with customers site-to-site, and it doesn't let me peer two VNets to the main VNet and check Enable VNet to use the remote gateway or route server for both.
Praveen Bandaru 2,835 Reputation points Microsoft External Staff

2025-04-16T20:06:30.0766667+00:00

Hello Madilyn King

Thank you for your response. Could you please share the error message so we can investigate the issue further?

Additionally, could you provide the point-to-site address pools? In the meantime, please also share the site-to-site address ranges connected with the on-premises network. Kindly check whether there is any overlap between these ranges.

I really don't want customers mingled with our personal subscription and VNet-C.

Could you please elaborate on this point for better understanding?
Venkat V 1,800 Reputation points Microsoft External Staff

2025-04-18T04:53:48.4266667+00:00

Hi @Madilyn King

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

1 answer

Your answer

Praveen Bandaru 2,835 Reputation points Microsoft External Staff

2025-04-14T18:14:41.08+00:00

Hello Madilyn King

I understand that you want to set up a connectivity from AWS to Azure, and you have three VNETs in Azure.

It is not necessary to create a separate VPN gateway on VNET C. Instead, you can peer VNET C with VNET B and enable the use of VNET B's remote gateway on VNET C during the VNET peering process.

Here, multiple Spokes can connect to the HUB VNET single gateway, allowing all the spokes resources to communicate with your AWS Gateway over a Site-to-Site VPN connection.

Check the below document for more understanding:

Secured hub and spoke network

VPN gateway transit for virtual network peering

I really don't want customers mingled with our personal subscription and VNet-C.

Since you want to establish connectivity between AWS and multiple Azure VNets while keeping customer traffic separate from your personal subscription and VNet-C, here’s a recommended approach:

Option 1: Use Separate Gateways

VNet-B handles employee VPN access while maintain the existing gateway in VNet-B exclusively for internal VPN connections (employees).

Deploy a separate VPN Gateway in a different VNet (VNet-A or another dedicated VNet) for AWS connectivity.

Use VNet Peering between the VNets that need access to AWS, ensuring controlled routing.

Option 2:

You can leverage Azure Virtual WAN allows centralized network connectivity, simplifying management of multi-cloud connectivity.

You can establish secured connections to AWS, while isolating customer traffic from internal subscriptions

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members
Praveen Bandaru 2,835 Reputation points Microsoft External Staff

2025-04-15T10:57:11.1133333+00:00

Hello Madilyn King

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Praveen Bandaru 2,835 Reputation points Microsoft External Staff

2025-04-15T18:25:11.41+00:00

Hello Madilyn King

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Praveen Bandaru 2,835 Reputation points Microsoft External Staff

2025-04-16T16:54:12.66+00:00

Hello Madilyn King

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to "Accept the answer "and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Madilyn King 0 Reputation points

2025-04-16T19:40:18.8333333+00:00

Hi Praveen,

I can't use Option 1 because I need both the VNet with employees point-to-site and the other VNet with customers site-to-site, and it doesn't let me peer two VNets to the main VNet and check Enable VNet to use the remote gateway or route server for both.
Praveen Bandaru 2,835 Reputation points Microsoft External Staff

2025-04-16T20:06:30.0766667+00:00

Hello Madilyn King

Thank you for your response. Could you please share the error message so we can investigate the issue further?

Additionally, could you provide the point-to-site address pools? In the meantime, please also share the site-to-site address ranges connected with the on-premises network. Kindly check whether there is any overlap between these ranges.

I really don't want customers mingled with our personal subscription and VNet-C.

Could you please elaborate on this point for better understanding?
Venkat V 1,800 Reputation points Microsoft External Staff

2025-04-18T04:53:48.4266667+00:00

Hi @Madilyn King

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Answer 1

Hi @Madilyn King

We recommend a Hub-and-Spoke architecture to enable all three VNets (VNetA, VNetB, and VNetC) to connect to the On-Premises network. Due to Azure’s gateway transit limitation (only one peered VNet can use a remote gateway), a shared gateway across all VNets is not feasible. Consider either of the following methods:

Method 1:

Peer VNetC with VNetB

Create S2S VPNs from VNetA and VNetB to On-Prem

VNetC reaches On-Prem via VNetB's gateway

Method 2:

Peer VNetC with VNetA

Create S2S VPNs from VNetA and VNetB to On-Prem

VNetC reaches On-Prem via VNetA's gateway

These approaches provide full connectivity to On-Prem and maintain network isolation for customer-facing workloads in VNetC.

I hope this helps to resolve your issue. Please feel free to ask any questions if the solution provided isn't helpful.

Please provide your valuable feedback on the thread by clicking Accept the answer and upvoting wherever the information was helpful, as this can be beneficial to other community members

Share via

Multiple VNet Gateway Transit Configuration: AWS Site-to-Site VPN and Employee Access

1 answer

Your answer