We have an existing site-to-site IPsec tunnel from our on-prem gateway (Juniper SSG320) to an Azure cloud gateway; it is a policy-based VPN.
We would like to create a new VPN tunnel, this time a route-based VPN, while keeping the existing tunnel. The new tunnel is for the development environment; it will go from the same existing on-prem gateway (Juniper SSG 320) to a new gateway and virtual network in Azure. Does anyone know if this is doable, or if this Juniper supports multiple VPNs? In this case it will be two VPNs (one policy-based, the other route-based). Will I need a new external IP address? The two tunnels wouldn't need to talk to each other.
Our existing VPN tunnel is between our on-prem Juniper VPN and the Microsoft Azure gateway, but the physical connection is as below:
The Juniper (VPN gateway) interface is connected to an edge router, and the edge router to the internet (Azure cloud VPN gateway). On the Azure side we will need to create a new virtual network and a new gateway (with a new IP address), so do I need a new Juniper interface with a new IP address for the new tunnel? Sorry, I'm new to this.
Sorry, just to clarify this: "2: It's not mandatory to have a new interface with a public IP on the SSG. You can use any IP/interface which has reachability to the Azure cloud."
Does this mean I can use the same SSG tunnel interface and IP address for both the existing VPN tunnel (policy-based) and the new VPN tunnel (route-based)? Sorry, in my mind it won't work, but I'm probably wrong.
I thought it might not work because one VPN (existing) is policy-based (static) and the other VPN (new) is route-based (dynamic). For some reason I am thinking there will be a conflict there, or that both VPNs would have to be dynamic or route-based.
You can have one route-based and the other policy-based. Which VPN to use is determined by a route lookup. When traffic is initiated for the route-based VPN, the route will point the traffic to a tunnel interface. When traffic is initiated for the policy-based VPN, the route will direct the traffic out a regular (usually untrust) interface, and then the zone-to-zone policy will put the traffic into the corresponding tunnel.
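As an added illustration of the route-lookup point above (this is example configuration written for this page, not something posted in the thread or taken from Juniper or Azure documentation), the ScreenOS fragment below shows a policy-based VPN and a route-based VPN coexisting on one SSG and sharing a single outgoing interface and public IP. Interface names, zone names, address objects, IP addresses (RFC 5737 documentation ranges) and the preshared keys are all assumptions; the lines beginning with # are annotations, not CLI. Before building the route-based side, confirm that the IKE version and proposals your Azure route-based gateway expects are supported by the ScreenOS release on the SSG.

```text
# Example only: two VPNs on one SSG, one outgoing interface (assumed ethernet0/0).

# Shared public-facing interface and default route (assumed to exist already)
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 198.51.100.2/30
set route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.1

# Address objects (assumed ranges)
set address "Trust"   "LAN"       10.1.0.0 255.255.0.0
set address "Untrust" "AzureProd" 10.2.0.0 255.255.0.0
set address "Untrust" "AzureDev"  10.3.0.0 255.255.0.0

# --- Existing policy-based VPN to the Azure production gateway ---
set ike gateway "azure-prod-gw" address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "REPLACE_ME" sec-level standard
set vpn "azure-prod-vpn" gateway "azure-prod-gw" sec-level standard
# No extra route: traffic for AzureProd follows the default route out ethernet0/0,
# and the "tunnel vpn" policy pair is what diverts it into the IPsec tunnel.
set policy id 10 from "Trust" to "Untrust" "LAN" "AzureProd" "ANY" tunnel vpn "azure-prod-vpn" pair-policy 11
set policy id 11 from "Untrust" to "Trust" "AzureProd" "LAN" "ANY" tunnel vpn "azure-prod-vpn" pair-policy 10

# --- New route-based VPN to the Azure development gateway ---
# Same outgoing interface and same public IP; only the IKE peer address differs.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway "azure-dev-gw" address 203.0.113.20 main outgoing-interface ethernet0/0 preshare "REPLACE_ME_TOO" sec-level standard
set vpn "azure-dev-vpn" gateway "azure-dev-gw" sec-level standard
set vpn "azure-dev-vpn" bind interface tunnel.1
set vpn "azure-dev-vpn" proxy-id local-ip 10.1.0.0/16 remote-ip 10.3.0.0/16 "ANY"
# This route is what selects the tunnel: only AzureDev traffic is sent to tunnel.1;
# everything else (including AzureProd) still matches the default route.
set route 10.3.0.0/16 interface tunnel.1
# Plain permit policies; no "tunnel vpn" keyword, because the route already chose the tunnel.
set policy id 20 from "Trust" to "Untrust" "LAN" "AzureDev" "ANY" permit
set policy id 21 from "Untrust" to "Trust" "AzureDev" "LAN" "ANY" permit
```

The two IKE gateways are distinguished by peer address, not by local interface, which is why no second public IP is needed. After committing, `get route` should show 10.3.0.0/16 via tunnel.1 while 10.2.0.0/16 is covered only by the default route, and `get sa` should list one active SA per peer.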