Forum Discussion
Tomasz Tuczapski
Jan 27, 2021, Copper Contributor
ExpressRoute with IPsec tunnel to on-prem
Is it possible to configure an IPsec tunnel over ExpressRoute with NVAs? The ExpressRoute is configured for Azure Private Peering. Is there any kind of list of supported NVAs for this scenario?
So far we've tried vWAN with ExpressRoute to configure the IPsec and it works, but we can see a significant impact on billing, due to vWAN I guess.
Also, if you can think of any alternatives to set up ExpressRoute (with Az Private Peering) with an IPsec tunnel, then please share. So far for me the available options are vWAN and NVAs - at least according to this thread https://docs.microsoft.com/en-us/answers/questions/50909/configure-ipsec-encryption-over-express-route.html
Jeff Walzer, Iron Contributor
Out of curiosity, what was your use case to enable encryption over ExpressRoute?
Thx
Michi_Altstaedt, Copper Contributor
I see no obstacle to using a VM as an IPsec gateway. As long as you peer the VNET it is connected to with a vHUB that has connectivity to your ER Gateway, the routing should be fine to establish IKE and IPsec with your on-prem IPsec device.
I have, however, no experience of how to build a network and routing design that forces the desired traffic to/from on-prem through this NVA. I have seen an MSFT article that describes a hub VNET carrying the NVA, peered northbound to the vHUB and southbound to the spoke VNETs.
As for the product, I personally like pfSense a lot since it has strong features and is pretty stable.
cheers
Michi
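The Azure-side routing pieces that make the "hub VNET with NVA, spokes behind it" design above actually steer spoke traffic into the IPsec tunnel, as an added Bicep example that is not from this thread or from any of the posters. It assumes the hub VNet/NVA subnet already exist, and the names, addresses and prefixes (hub-vnet, nva-subnet, spoke-vnet, workload-subnet, 10.0.1.4, 10.1.1.0/24, 192.168.0.0/16) are placeholders:

```bicep
// Added example (not from the thread). All resource names, IPs and prefixes are assumptions.
param location string = resourceGroup().location
param hubVnetName string = 'hub-vnet'          // hub VNet carrying the NVA, peered northbound to the vHub
param nvaSubnetName string = 'nva-subnet'
param nvaPrivateIp string = '10.0.1.4'         // static IP of the NVA; the on-prem IPsec peer targets this over ER private peering
param spokeVnetName string = 'spoke-vnet'      // spoke VNet peered southbound to the hub
param workloadSubnetName string = 'workload-subnet'
param workloadSubnetPrefix string = '10.1.1.0/24'
param onPremPrefix string = '192.168.0.0/16'   // cleartext prefix that must only leave the spoke inside the tunnel

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: hubVnetName
}

resource nvaSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' existing = {
  parent: hubVnet
  name: nvaSubnetName
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: spokeVnetName
}

// 1. NVA NIC: IP forwarding must be enabled, otherwise the Azure fabric drops packets
//    whose destination is not the NIC's own IP (i.e. every transit packet the NVA should encrypt).
resource nvaNic 'Microsoft.Network/networkInterfaces@2023-04-01' = {
  name: 'nva-nic'
  location: location
  properties: {
    enableIPForwarding: true
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: {
            id: nvaSubnet.id
          }
          privateIPAllocationMethod: 'Static'
          privateIPAddress: nvaPrivateIp
        }
      }
    ]
  }
}

// 2. Spoke route table: send the on-prem prefix to the NVA, not to the ER gateway.
//    BGP propagation is disabled so a more specific prefix advertised over ExpressRoute
//    cannot win longest-prefix-match and bypass the tunnel in cleartext.
resource spokeRouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'spoke-onprem-via-nva'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'onprem-via-nva'
        properties: {
          addressPrefix: onPremPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaPrivateIp
        }
      }
    ]
  }
}

// 3. Attach the route table to the workload subnet in the spoke.
//    Do NOT attach it to the NVA subnet itself: the NVA's encrypted ESP packets must still reach
//    on-prem via the ER gateway route learned from the hub/vHub, or they would loop back to the NVA.
resource workloadSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
  parent: spokeVnet
  name: workloadSubnetName
  properties: {
    addressPrefix: workloadSubnetPrefix
    routeTable: {
      id: spokeRouteTable.id
    }
  }
}
```

Two things to verify after deployment: from a spoke VM, `az network nic show-effective-route-table` (or the portal's effective routes) should list the on-prem prefix with next hop VirtualAppliance 10.0.1.4 and no competing ExpressRoute route; from the NVA, the same view should show the on-prem prefix with next hop VirtualNetworkGateway, which is the path the outer IPsec packets take. The tunnel itself should be route-based (VTI) so the NVA's inner routing table, not the Azure UDR, decides what gets encrypted, and the on-prem peer's IKE endpoint is the NVA's private IP reached over private peering.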