Azure-docs: Gateway subnet in the spoke Vnet?
According to the text, you create a gateway subnet in the vnet-Spoke. Shouldn't this be in the vnet-hub? This because the vpn Gateways are created in vnet-hub and vnet-onprem and not in vnet-spoke.
Document Details
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: b54e37aa-a45b-989e-5adf-e0f2212815f4
- Version Independent ID: a957e018-937f-204d-f1f2-a0d094a49c20
- Content: Tutorial: Deploy and configure Azure Firewall in a hybrid network using the Azure portal
- Content Source: articles/firewall/tutorial-hybrid-portal.md
- Service: firewall
- GitHub Login: @vhorne
- Microsoft Alias: victorh
wbargerb
All 4 comments
@wbargerb In this example a S2S VPN is used to connect the Hub VNET with the Spoke VNET, therefore they both need gateway subnets.
It is possible to also use VNET peering to connect the 2 VNETs.
TravisCragg-MSFT
on 18 Sep 2019
What I do not understand is that you create a VPN gateway in the vnet-Hub, which does not contain a gateway subnet yet. It only has the firewall subnet. When you create the VPN gateway it will also create a subnet gateway in the vnet-Hub in my opnion. If you create the gateway subnet upfront for the on-prem and spoke network, why don't you do this for the vnet-hub? Also why is there the need for a gateway subnet in the spoke network when nothing is configured in it?
wbargerb
on 19 Sep 2019
@wbargerb Thanks for the additional info! I looked deeper into this example and you are correct, there are some issues.
1) I was incorrect in my earlier statement. The Hub and Spoke Virtual Networks are not connected Via VPN Gateway, they are peered. This means that the Spoke VNET does not need a VPN Gateway.
2) You do not need to create the GatewaySubnets when deploying a VPN Gateway, but it is helpful, and it is the intent of this article to make them beforehand.
The "GatewaySubnet" should be created in the Hub VNET, and not the Spoke VNET. This is likely an bug with the doc.
I have assigned the issue to the content author to evaluate and update as appropriate.
TravisCragg-MSFT
on 23 Sep 2019
fixed
please-close
vhorne
on 5 Nov 2019
Related issues
renattomachado
·
42Comments
Frankwayne
·
53Comments
tvperez76
·
55Comments
DanijelMalik
·
82Comments
hansmbakker
·
53Comments
Most helpful comment
@wbargerb Thanks for the additional info! I looked deeper into this example and you are correct, there are some issues.
1) I was incorrect in my earlier statement. The Hub and Spoke Virtual Networks are not connected Via VPN Gateway, they are peered. This means that the Spoke VNET does not need a VPN Gateway.
2) You do not need to create the GatewaySubnets when deploying a VPN Gateway, but it is helpful, and it is the intent of this article to make them beforehand.
The "GatewaySubnet" should be created in the Hub VNET, and not the Spoke VNET. This is likely an bug with the doc.
I have assigned the issue to the content author to evaluate and update as appropriate.