Share via

Options to scale beyond 30 S2S connections on Azure VPN Gateway (Gen1) in Hub VNet with Firewall

Paul 0 Reputation points
2025-10-21T16:54:44.3366667+00:00

I have a VPN Gateway (Gen1 - VpnGw1) deployed in my Hub VNet, which also hosts Azure Firewall and Azure WAF. I will soon reach the 30 Site-to-Site (S2S) connection limit, and as per documentation, the maximum supported on Gen1 is 30. Since this is Gen1, there are no SKUs I can upgrade to that allow more than 30 connections.

Given this situation, I see the following options:

Option 1:

Delete the existing VPN Gateway and create a new Gen2 gateway (e.g., VpnGw4).

  • This will entail significant downtime because each of the 30 existing connections involves different stakeholders, and coordinating all at once is not feasible.

Option 2:

Move to Azure Virtual WAN, which is Microsoft’s recommended approach for large-scale connectivity.

  • However, this requires a major architecture change, and I do not have a test environment to validate this before production.

Option 3:

Create a new Spoke VNet and deploy a new VPN Gateway there.

  • Establish a Site-to-Site connection between this new VNG and the Hub VNG (this would be the 30th connection on the Hub VNG).
  • For new connections (31 onward), configure them on the new VNG.
  • Important: I will not peer this new VNet with the Hub VNet; only the Site-to-Site connection will exist.
  • My goal is to reduce disruption and avoid deleting the existing gateway.

Questions:

  1. Is Option 3 technically feasible? If yes, what configurations (routing, gateway transit, firewall inspection) are required to make this work?
  2. If Option 3 is not recommended, is there an Option 4 that minimizes downtime without a full Virtual WAN migration?
  3. Any best practices for handling PSKs for 30+ connections securely during such a migration?
  4. How do I ensure Azure Firewall continues to inspect traffic if I use a second VNet and Site-to-Site connection?

Current setup:

  • Hub VNet: VPN Gateway (Gen1), Azure Firewall, Azure WAF
  • Spoke VNet: AD, Apps, AVD
  • 30+ on-prem sites connected via S2S tunnels
Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ravi Varma Mudduluru 1,790 Reputation points Microsoft External Staff Moderator
    2025-10-21T21:59:04.3833333+00:00

    Hello @Paul

    Thanks for reaching out to Microsoft Q&A.

    I understand that you're in a bit of a bind with reaching the limit of 30 Site-to-Site (S2S) connections on your Gen1 Azure VPN Gateway.

    Creating a new Spoke VNet and deploying a new VPN Gateway (VNG) there is technically feasible. You would then establish a Site-to-Site connection between the new VNG and your existing Hub VNG. This approach allows you to maintain your current connections while accommodating new ones beyond the 30 limits.

    Configurations Needed:

    1. Routing: Configure appropriate routing by setting up User Defined Routes (UDRs) on workload subnets in the new Spoke VNet to direct traffic through the Hub VNet for inspection, and enable BGP on both gateways for dynamic route propagation or maintain static routes if BGP is not supported.
    2. Gateway Transit: Ensure that gateway transit is enabled to allow traffic to flow through the gateway in the Spoke VNet.
    3. Firewall Inspection: Configure your Azure Firewall rules to include the new subnet in the Spoke so that traffic can be inspected appropriately.
      • Apply UDRs in the Spoke pointing to the Hub Firewall as the next hop.
      • Ensure the Hub Firewall subnet is reachable via the VPN tunnel.

    Alternatively, use Azure Firewall Manager for centralized policy enforcement across multiple VNets.

    Option 3 is recommended as a temporary workaround. For long-term scalability and simplified management, Azure Virtual WAN is strongly recommended.

    If your goal is to minimize downtime without migrating to Virtual WAN, you should proceed with upgrading the VPN Gateway SKU. Option 1 is the recommended approach.

    Best Practices for PSKs:

    • Use Azure Key Vault to store your Pre-Shared Keys (PSKs) securely.
    • Regularly rotate PSKs to minimize the risk of exposure.
    • Consider automating the update and dissemination of the PSKs to connected sites to enhance security during migration.

    To ensure Azure Firewall inspects traffic coming through the new VNet:

    • Make sure your route definitions in the Azure Firewall include the addresses/subnets of both your Hub and Spoke VNets.
    • Create specific rules that manage traffic from the Spoke VNet to the resources in the Hub to prevent any traffic from bypassing inspection.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.