Merge pull request #232340 from asudbring/vnet-old-review

PMEds28 · web-flow · commit 429ef569d7e8 · 2023-03-28T10:12:23.000+01:00
Review of virtual network article for back end connectivity features - acrolinx fixes and image fixes
diff --git a/articles/networking/connectivty-interoperability-configuration.md b/articles/networking/connectivty-interoperability-configuration.md
@@ -1,52 +1,44 @@
 ---
-title: 'Interoperability in Azure back-end connectivity features: Configuration details | Microsoft Docs'
+title: Interoperability in Azure back-end connectivity features - Configuration details
 description: This article describes configuration details for the test setup you can use to analyze interoperability between ExpressRoute, a site-to-site VPN, and virtual network peering in Azure.
-documentationcenter: na
-services: networking
-author: rambk
-manager: tracsman
-
+author: asudbring
 ms.service: virtual-network
 ms.topic: article
-ms.workload: infrastructure-services
-ms.date: 10/18/2018
-ms.author: rambala
-
+ms.date: 03/27/2023
+ms.author: allensu
 ---
 
-# Interoperability in Azure back-end connectivity features: Test configuration details
-
-This article describes the configuration details of the [test setup][Setup]. The test setup helps you analyze how Azure networking services interoperate at the control plane level and data plane level.
+# Interoperability in Azure back-end connectivity features - Test configuration details
 
-## Spoke VNet connectivity by using VNet peering
+This article describes the configuration details of the [test setup](./connectivty-interoperability-preface.md). The test setup helps you analyze how Azure networking services interoperate at the control plane level and data plane level.
 
-The following figure shows the Azure Virtual Network peering details of a spoke virtual network (VNet). To learn how to set up peering between two VNets, see [Manage VNet peering][VNet-Config]. If you want the spoke VNet to use the gateways that are connected to the hub VNet, select **Use remote gateways**.
+## Spoke virtual network connectivity by using virtual network peering
 
-[![1]][1]
+The following figure shows the Azure Virtual Network peering details of a spoke virtual network. For more information about peering between two virtual networks, see [Manage virtual network peering](../virtual-network/virtual-network-manage-peering.md). If you want the spoke virtual network to use the gateways that are connected to the hub virtual network, select **Use remote gateways**.
 
-The following figure shows the VNet peering details of the hub VNet. If you want the hub VNet to permit the spoke VNet to use the hub's gateways, select **Allow gateway transit**.
+:::image type="content" source="./media/backend-interoperability/SpokeVNet_peering.png" alt-text="Screenshot of spoke virtual network's peering.":::
 
-[![2]][2]
+The following figure shows the virtual network peering details of the hub virtual network. If you want the hub virtual network to permit the spoke virtual network to use the hub's gateways, select **Allow gateway transit**.
 
-## Branch VNet connectivity by using a site-to-site VPN
+:::image type="content" source="./media/backend-interoperability/HubVNet-peering.png" alt-text="Screenshot of Hub virtual network's peering.":::
 
-Set up site-to-site VPN connectivity between the hub and branch VNets by using VPN gateways in Azure VPN Gateway. By default, VPN gateways and Azure ExpressRoute gateways use a private autonomous system number (ASN) value of **65515**. You can change the ASN value in VPN Gateway. In the test setup, the ASN value of the branch VNet VPN gateway is changed to **65516** to support eBGP routing between the hub and branch VNets.
+## Branch virtual network connectivity by using a site-to-site VPN
 
+Set up site-to-site VPN connectivity between the hub and branch virtual networks by using VPN gateways in Azure VPN Gateway. By default, VPN gateways and Azure ExpressRoute gateways use a private autonomous system number (ASN) value of **65515**. You can change the ASN value in VPN Gateway. In the test setup, the ASN value of the branch virtual network VPN gateway is changed to **65516** to support eBGP routing between the hub and branch virtual networks.
 
-[![3]][3]
-
+:::image type="content" source="./media/backend-interoperability/BranchVNet-VPNGW.png" alt-text="Screenshot of VPN Gateway configuration of a branch virtual network.":::
 
 ## On-premises Location 1 connectivity by using ExpressRoute and a site-to-site VPN
 
 ### ExpressRoute 1 configuration details
 
 The following figure shows the Azure Region 1 ExpressRoute circuit configuration toward on-premises Location 1 customer edge (CE) routers:
 
-[![4]][4]
+:::image type="content" source="./media/backend-interoperability/ExR1.png" alt-text="Screenshot of ExpressRoute 1 configuration.":::
 
-The following figure shows the connection configuration between the ExpressRoute 1 circuit and the hub VNet:
+The following figure shows the connection configuration between the ExpressRoute 1 circuit and the hub virtual network:
 
-[![5]][5]
+:::image type="content" source="./media/backend-interoperability/ExR1-Hub-Connection.png" alt-text="Screenshot of connection configuration of ExpressRoute 1 to a hub virtual network Express Route gateway.":::
 
 The following list shows the primary CE router configuration for ExpressRoute private peering connectivity. (Cisco ASR1000 routers are used as CE routers in the test setup.) When site-to-site VPN and ExpressRoute circuits are configured in parallel to connect an on-premises network to Azure, Azure prioritizes the ExpressRoute circuit by default. To avoid asymmetrical routing, the on-premises network also should prioritize ExpressRoute connectivity over site-to-site VPN connectivity. The following configuration establishes prioritization by using the BGP **local-preference** attribute:
 
@@ -151,78 +143,56 @@ ip route vrf 30 10.10.30.254 255.255.255.255 Tunnel30
 
 ## On-premises Location 2 connectivity by using ExpressRoute
 
-A second ExpressRoute circuit, in closer proximity to on-premises Location 2, connects on-premises Location 2 to the hub VNet. The following figure shows the second ExpressRoute configuration:
+A second ExpressRoute circuit, in closer proximity to on-premises Location 2, connects on-premises Location 2 to the hub virtual network. The following figure shows the second ExpressRoute configuration:
 
-[![6]][6]
+:::image type="content" source="./media/backend-interoperability/ExR2.png" alt-text="Screenshot of ExpressRoute 2 configuration.":::
 
-The following figure shows the connection configuration between the second ExpressRoute circuit and the hub VNet:
+The following figure shows the connection configuration between the second ExpressRoute circuit and the hub virtual network:
 
-[![7]][7]
+:::image type="content" source="./media/backend-interoperability/ExR2-Hub-Connection.png" alt-text="Screenshot of connection configuration of ExpressRoute 2 to a hub virtual network ExR gateway.":::
 
-ExpressRoute 1 connects both the hub VNet and on-premises Location 1 to a remote VNet in a different Azure region:
+ExpressRoute 1 connects both the hub virtual network and on-premises Location 1 to a remote virtual network in a different Azure region:
 
-[![8]][8]
+:::image type="content" source="./media/backend-interoperability/ExR2-Remote-Connection.png" alt-text="Screenshot of connection configuration of ExpressRoute 2 to a remote virtual network ExR gateway.":::
 
 ## ExpressRoute and site-to-site VPN connectivity in tandem
 
 ###  Site-to-site VPN over ExpressRoute
 
-You can configure a site-to-site VPN by using ExpressRoute Microsoft peering to privately exchange data between your on-premises network and your Azure VNets. With this configuration, you can exchange data with confidentiality, authenticity, and integrity. The data exchange also is anti-replay. For more information about how to configure a site-to-site IPsec VPN in tunnel mode by using ExpressRoute Microsoft peering, see [Site-to-site VPN over ExpressRoute Microsoft peering][S2S-Over-ExR]. 
+You can configure a site-to-site VPN by using ExpressRoute Microsoft peering to privately exchange data between your on-premises network and your Azure virtual networks. With this configuration, you can exchange data with confidentiality, authenticity, and integrity. The data exchange also is anti-replay. For more information about how to configure a site-to-site IPsec VPN in tunnel mode by using ExpressRoute Microsoft peering, see [Site-to-site VPN over ExpressRoute Microsoft peering](../expressroute/site-to-site-vpn-over-microsoft-peering.md). 
 
 The primary limitation of configuring a site-to-site VPN that uses Microsoft peering is throughput. Throughput over the IPsec tunnel is limited by the VPN gateway capacity. The VPN gateway throughput is lower than ExpressRoute throughput. In this scenario, using the IPsec tunnel for highly secure traffic and using private peering for all other traffic helps optimize the ExpressRoute bandwidth utilization.
 
 ### Site-to-site VPN as a secure failover path for ExpressRoute
 
 ExpressRoute serves as a redundant circuit pair to ensure high availability. You can configure geo-redundant ExpressRoute connectivity in different Azure regions. Also, as demonstrated in our test setup, within an Azure region, you can use a site-to-site VPN to create a failover path for your ExpressRoute connectivity. When the same prefixes are advertised over both ExpressRoute and a site-to-site VPN, Azure prioritizes ExpressRoute. To avoid asymmetrical routing between ExpressRoute and the site-to-site VPN, on-premises network configuration should also reciprocate by using ExpressRoute connectivity before it uses site-to-site VPN connectivity.
 
-For more information about how to configure coexisting connections for ExpressRoute and a site-to-site VPN, see [ExpressRoute and site-to-site coexistence][ExR-S2S-CoEx].
+For more information about how to configure coexisting connections for ExpressRoute and a site-to-site VPN, see [ExpressRoute and site-to-site coexistence](../expressroute/expressroute-howto-coexist-resource-manager.md).
 
-## Extend back-end connectivity to spoke VNets and branch locations
+## Extend back-end connectivity to spoke virtual networks and branch locations
 
-### Spoke VNet connectivity by using VNet peering
+### Spoke virtual network connectivity by using virtual network peering
 
-Hub and spoke VNet architecture is widely used. The hub is a VNet in Azure that acts as a central point of connectivity between your spoke VNets and to your on-premises network. The spokes are VNets that peer with the hub, and which you can use to isolate workloads. Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN connection. For more information about the architecture, see [Implement a hub-spoke network topology in Azure][Hub-n-Spoke].
+Hub and spoke virtual network architecture is widely used. The hub is a virtual network in Azure that acts as a central point of connectivity between your spoke virtual networks and to your on-premises network. The spokes are virtual networks that peer with the hub, and which you can use to isolate workloads. Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN connection. For more information about the architecture, see [Implement a hub-spoke network topology in Azure](/azure/architecture/reference-architectures/hybrid-networking/hub-spoke).
 
-In VNet peering within a region, spoke VNets can use hub VNet gateways (both VPN and ExpressRoute gateways) to communicate with remote networks.
+In virtual network peering within a region, spoke virtual networks can use hub virtual network gateways (both VPN and ExpressRoute gateways) to communicate with remote networks.
 
-### Branch VNet connectivity by using site-to-site VPN
+### Branch virtual network connectivity by using site-to-site VPN
 
-You might want branch VNets, which are in different regions, and on-premises networks to communicate with each other via a hub VNet. The native Azure solution for this configuration is site-to-site VPN connectivity by using a VPN. An alternative is to use a network virtual appliance (NVA) for routing in the hub.
+You might want branch virtual networks, which are in different regions, and on-premises networks to communicate with each other via a hub virtual network. The native Azure solution for this configuration is site-to-site VPN connectivity by using a VPN. An alternative is to use a network virtual appliance (NVA) for routing in the hub.
 
-For more information, see [What is VPN Gateway?][VPN] and [Deploy a highly available NVA][Deploy-NVA].
+For more information, see [What is VPN Gateway?](../vpn-gateway/vpn-gateway-about-vpngateways.md) and [Deploy a highly available NVA](/azure/architecture/reference-architectures/dmz/nva-ha).
 
 ## Next steps
 
-Learn about [control plane analysis][Control-Analysis] of the test setup and the views of different VNets or VLANs in the topology.
-
-Learn about [data plane analysis][Data-Analysis] of the test setup and Azure network monitoring feature views.
-
-See the [ExpressRoute FAQ][ExR-FAQ] to:
--   Learn how many ExpressRoute circuits you can connect to an ExpressRoute gateway.
--   Learn how many ExpressRoute gateways you can connect to an ExpressRoute circuit.
--   Learn about other scale limits of ExpressRoute.
-
-
-<!--Image References-->
-[1]: ./media/backend-interoperability/SpokeVNet_peering.png "Spoke VNet's VNet peering"
-[2]: ./media/backend-interoperability/HubVNet-peering.png "Hub VNet's VNet peering"
-[3]: ./media/backend-interoperability/BranchVNet-VPNGW.png "VPN Gateway configuration of a branch VNet"
-[4]: ./media/backend-interoperability/ExR1.png "ExpressRoute 1 configuration"
-[5]: ./media/backend-interoperability/ExR1-Hub-Connection.png "Connection configuration of ExpressRoute 1 to a hub VNet ExR gateway"
-[6]: ./media/backend-interoperability/ExR2.png "ExpressRoute 2 configuration"
-[7]: ./media/backend-interoperability/ExR2-Hub-Connection.png "Connection configuration of ExpressRoute 2 to a hub VNet ExR gateway"
-[8]: ./media/backend-interoperability/ExR2-Remote-Connection.png "Connection configuration of ExpressRoute 2 to a remote VNet ExR gateway"
-
-<!--Link References-->
-[Setup]: ./connectivty-interoperability-preface.md
-[ExpressRoute]: ../expressroute/expressroute-introduction.md
-[VPN]: ../vpn-gateway/vpn-gateway-about-vpngateways.md
-[VNet]: ../virtual-network/tutorial-connect-virtual-networks-portal.md
-[Control-Analysis]: ./connectivty-interoperability-control-plane.md
-[Data-Analysis]: ./connectivty-interoperability-data-plane.md
-[ExR-FAQ]: ../expressroute/expressroute-faqs.md
-[S2S-Over-ExR]: ../expressroute/site-to-site-vpn-over-microsoft-peering.md
-[ExR-S2S-CoEx]: ../expressroute/expressroute-howto-coexist-resource-manager.md
-[Hub-n-Spoke]: /azure/architecture/reference-architectures/hybrid-networking/hub-spoke
-[Deploy-NVA]: /azure/architecture/reference-architectures/dmz/nva-ha
-[VNet-Config]: ../virtual-network/virtual-network-manage-peering.md
+Learn about [control plane analysis](./connectivty-interoperability-control-plane.md) of the test setup and the views of different virtual networks or VLANs in the topology.
+
+Learn about [data plane analysis](./connectivty-interoperability-data-plane.md) of the test setup and Azure network monitoring feature views.
+
+See the [ExpressRoute FAQ](../expressroute/expressroute-faqs.md) to:
+
+- Learn how many ExpressRoute circuits you can connect to an ExpressRoute gateway.
+
+- Learn how many ExpressRoute gateways you can connect to an ExpressRoute circuit.
+
+- Learn about other scale limits of ExpressRoute.
