Blog ENG - MS Azure - Post 7 2024
When connecting your Azure virtual network to your on-premises network using ExpressRoute, the first step is to create a virtual network gateway. This gateway serves two primary purposes: exchanging IP routes between the networks and routing network traffic.
Types of Virtual Network Gateways
There are two types of virtual network gateways:
- VPN Gateway: This gateway type is used to send encrypted traffic across the public Internet. It is also referred to as a VPN gateway. VPN gateways support Site-to-Site, Point-to-Site, and VNet-to-VNet connections.
- ExpressRoute Gateway: This gateway type is used to send network traffic over a private connection. It is also referred to as an ExpressRoute gateway and is specifically used when configuring ExpressRoute.
Each virtual network can have only one virtual network gateway per gateway type.
Selecting the Gateway SKU
When creating a virtual network gateway, you need to specify the gateway SKU. Higher gateway SKUs allocate more CPUs and network bandwidth to the gateway, supporting higher network throughput. The available SKUs for ExpressRoute virtual network gateways are:
- ERGwScale (Preview)
- Standard
- HighPerformance
- UltraPerformance
- ErGw1Az
- ErGw2Az
- ErGw3Az
Upgrading Your Gateway
If you need to upgrade your gateway to a higher capacity SKU, you can use the Seamless Gateway Migration tool available in the Azure portal or PowerShell. Supported upgrades include:
- Non-Az enabled SKU on Basic IP to Non-Az enabled SKU on Standard IP.
- Non-Az enabled SKU on Basic IP to Az-enabled SKU on Standard IP.
- Non-Az enabled SKU on Standard IP to Az-enabled SKU on Standard IP.
For all other downgrade scenarios, you need to delete and recreate the gateway, which incurs downtime.
Creating the Gateway Subnet
Before creating an ExpressRoute gateway, you must create a gateway subnet. This subnet contains the IP addresses used by the virtual network gateway VMs and services. When creating the virtual network gateway, the gateway VMs are deployed to this subnet and configured with the required ExpressRoute gateway settings.
Important Considerations for Gateway Subnet
- The gateway subnet must be named ‘GatewaySubnet’ to function properly.
- Do not deploy anything else into the gateway subnet.
- User-defined routes with a 0.0.0.0/0 destination and NSGs on the GatewaySubnet are not supported.
- BGP route propagation should be set to “Enabled” on the GatewaySubnet to ensure the gateway’s availability.
Planning Your Gateway Subnet Size
When planning your gateway subnet size, consider the configuration you plan to create. For example, the ExpressRoute/VPN Gateway coexist configuration requires a larger gateway subnet than most other configurations. Ensure your gateway subnet contains enough IP addresses to accommodate possible future configurations.
- Recommended Subnet Size: /27 or larger (/27, /26, etc.).
- For 16 ExpressRoute Circuits: /26 or larger.
- For Dual Stack Gateway Subnet: Use an IPv6 range of /64 or larger.
Additional Recommendations
- Avoid deploying Azure DNS Private Resolver into a virtual network with an ExpressRoute virtual network gateway and setting wildcard rules to direct all name resolution to a specific DNS server, as this can cause management connectivity issues.
- Ensure that user-defined routes do not overlap with the Gateway subnet range or the gateway public IP range to avoid affecting diagnostics, data path, and control path.