Allow multi-site VPNs using static gateways
Being restricted to only one VPN when using a static gateway is extremely limiting. This means that once a static VPN has been created between a VNet and a site (i.e. our office) we have no way of connecting the Azure VNet to another VNet using a different VPN, i.e. no multi-site VPN feature if a static gateway has to be used for ANY VPN. This stops any other connectivity into the VNet apart from endpoints and ACLs, which is both less secure and messy to manage.
This work is completed from our side. As long as your VPN devices support IKEv2, you can leverage Azure route-based VPN with custom policy (UsePolicyBasedTrafficSelectors) to connect to your policy-based VPN firewalls. Please refer to this link for more details:
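As an added illustration of the response above (not part of the original reply and not Microsoft's own sample), the following Az PowerShell sketch attaches two policy-based on-premises sites to one route-based gateway using a custom IPsec/IKE policy and `UsePolicyBasedTrafficSelectors`. The resource group, gateway and site names are placeholders, and the algorithm choices are assumptions that must match what each on-premises device is configured to propose.

```powershell
# Added example: placeholder names throughout, adjust to your environment.
$rg       = 'rg-network-example'        # placeholder resource group
$location = 'westeurope'                # placeholder region
$sites    = 'lng-office-a', 'lng-office-b'   # placeholder local network gateways

# The existing route-based Azure VPN gateway (placeholder name).
$vnetGw = Get-AzVirtualNetworkGateway -Name 'vgw-hub-example' -ResourceGroupName $rg

# A custom policy is required when policy-based traffic selectors are enabled.
# Every value below is an assumption and must match the on-premises device.
$policy = New-AzIpsecPolicy `
    -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

foreach ($site in $sites) {
    $localGw = Get-AzLocalNetworkGateway -Name $site -ResourceGroupName $rg

    # Prompt for the pre-shared key so it is never stored in the script,
    # and use a different key for each site.
    $secure = Read-Host -Prompt "Pre-shared key for $site" -AsSecureString
    $psk    = [System.Net.NetworkCredential]::new('', $secure).Password

    # One connection per on-premises site, all on the same gateway.
    New-AzVirtualNetworkGatewayConnection `
        -Name "cn-$site" `
        -ResourceGroupName $rg `
        -Location $location `
        -VirtualNetworkGateway1 $vnetGw `
        -LocalNetworkGateway2 $localGw `
        -ConnectionType IPsec `
        -IpsecPolicies $policy `
        -UsePolicyBasedTrafficSelectors $true `
        -SharedKey $psk
}

# Check that each connection kept the policy-based selector setting.
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Select-Object Name, UsePolicyBasedTrafficSelectors
```

With the option enabled, the gateway proposes traffic selectors built from the VNet prefixes and each local network gateway's prefixes, so the address ranges configured on the on-premises device need to line up with them.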
Jeff Pigott commented
looks like this is coming soon....
Ryan Richmond commented
I see that this is "Planned". Any idea when implementation will be completed? My organization has currently halted additional migration to Azure because of this limitation. Thanks!
I am also posting this as we have stopped any planned migrations to Azure since we realised you can only have one policy based VPN. We need to have 30 policy based VPNs for our requirements.
Posting as I'm just realizing this isn't already possible. Hopefully it's up within a month...
Watchguard support would be very much appreciated.
Requiring IKEv2 works just fine for us! We can get our ASAs to a code base that supports it easily enough. Thanks!! We are really looking forward to this feature!!
Lawrence Dwight commented
This has been Under Review for 2.5 yrs. Any chance of an update?
Samir FARHAT (MVP) commented
Matt Chance, do not forget VNET peering costs, gateway costs, management costs... VNET peering is not a replacement for subnets under the same VNET
Matt Chance commented
Not ideal, but VNET-peering is an option that would allow the use of multiple static VPN gateways... each VPN gateway would have a cost associated, but perhaps cheaper than additional on-premise infrastructure or Azure hosted firewalls.
Cisco Meraki MX100. It supports IKEv1 but not IKEv2.
Cisco ASA 5505, Cisco ASA 5506-X, Cisco Meraki MX64
Daniel Etten commented
Please add this for Cisco ASA
Aaron Marks commented
James Gesbeck commented
The specific VPN brand/make is the Cisco ASA.
No hope to get this fixed right. Or even an official workaround from Microsoft..
Can we get an update on this please?
Azure team, please sort out the multi S2S VPN restriction for ASA devices; no one would spend or change their devices just for the sake of VPN. ASA devices are widely used all over the world.