How to access resource in Express Route VNET from Azure Web App


Azure Web App is connected to a VNET (VNET1) using Point-To-Site and then there is another VNET (VNET2) with Express route Gateway. Both VNET are in Azure.


Azure Web App should be able to connect resource in VNET with Express route Gateway.

Web App <—P2S —> VNET1 with Route Base GW<— s2s—> VNET2 with Coexisting Gateway & (Express Route), <— —> On-Prem


In Azure, we can connect two VNET’s using VNET Peering & VNET to VNET connectivity. But since we have a Web App connected using Point-To-Site, we need to add transit route which both these options will not allow. So, only way to get this working is having Site-to-Site IPsec tunnel.

We can create Site-to-Site but both gateways should be identical i.e. both gateways can either be Route based (Dynamic) or Policy based (Static). In my case VNET1 is Route based Gateway and VNET2 is Express Route.


So, can this be achieved?

Yes, we can either setup App Service Environment or if the requirement is to stay with multi-tenant App service then we can create Coexisting Gateway in VNET2 and then establish Site-to-Site IPsec connectivity between VNET1 and VNET2.

Here is how we do that!

Existing setup

Web App <—P2S —> VNET1 with Route Base GW

VNET2 with Express Route <— —> On-Prem

First thing we need to do is create Coexisting gateway on VNET2. This can be done using PowerShell. Here is sample


##Create coexistence IPsec Gateway##

$location = “DCLocation

$vnet = Get-AzureRmVirtualNetwork -Name ExpressrouteVNET -ResourceGroupName RGNAME
$gwSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name “GatewaySubnet” -VirtualNetwork $vnet
$gwIP = New-AzureRmPublicIpAddress -Name “VPNGatewayIP” -ResourceGroupName RGNAME -Location $location -AllocationMethod Dynamic
$gwConfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name “VPNGatewayIpConfig” -SubnetId $gwSubnet.Id -PublicIpAddressId $gwIP.Id
New-AzureRmVirtualNetworkGateway -Name “NAMEFORNEWGW” -ResourceGroupName RGNAME -Location $location -IpConfigurations $gwConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku Standard

##Create Local Network Gateway##

$MyLocalNetworkAddress = @(“”,””) <- Address space of VNET1 & Point-to-Site
$localVpn = New-AzureRmLocalNetworkGateway -Name “LOCALNETWORKGATEWAY” -ResourceGroupName Blogs -Location $location -GatewayIpAddress IPOFVNET1GW -AddressPrefix $MyLocalNetworkAddress


$azureVpn = Get-AzureRmVirtualNetworkGateway -Name “VPNGateway” -ResourceGroupName RGNAME
New-AzureRmVirtualNetworkGatewayConnection -Name “VPNConnection” -ResourceGroupName RGNAME -Location $location -VirtualNetworkGateway1 $azureVpn -LocalNetworkGateway2 $localVpn -ConnectionType IPsec -SharedKey “enteryourpresharedkey”


Once this is done then we can create Site-to-Site IPsec connection between VNET1 Gateway and VNET2 Coexisting Gateway.

For testing connectivity i have documented in my previous blog


Comments (0)

Skip to main content