So I just realised today that there’s a max limit of 30 S2S connections for the VpnGw1 SKU (https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways)
Just wondering if anyone faced the same and what did you decide on?
I’m thinking 2 options
A: Upgrade the virtual network GW SKU to a Gen2-VpnGw4 that allows 100 S2S connections
or
B: Create another Vnet and Vnet GW (Gen1-VpnGw1) + peer both Vnets
A.
You cannot peer a vnet to more than one gateway.
Virtual appliance on the table?
I can confirm what others have said - only one jump is permitted, which leads to the conclusion already made here that Microsoft designed this for a hub-spoke environment. I totally agree that this isn’t “normal” networking; one should be able to build a shadow private world in Azure, completely routable and accessible like any other normal network - but sadly that isn’t the case.
My bad, I wasn’t clear with my intentions.
I meant create an entirely new Vnet and a Vnet GW. Then have the 31st onwards connected to this new Vnet via the new GW.
After which, peer both old and new Vnets so resources are reachable between them.
Yes, quite a few Azure VMs residing in the current Vnet.
Still don’t think you can do that. You can only do transit gateway peering once per Vnet. So 1 Vnet would be able to reach VPNs 1-30 and another 31+, but one would not be able to reach both.
Just upgrade the SKU.
No, use a virtual firewall appliance instead of S2S connections.
After reading up - I get what you are saying now.
So basically, gateway transit is intended for and will only work in a hub-spoke setup where there’s only 1 Vnet gateway.
We will explore the NVA option (pfSense).
Unfortunately, for where I am right now, upgrading the SKU from GW1 to GW4 is an 1100% increase in subscription fees. Money we don’t have.
Thanks for the replies!
Hopefully this is not a rabbit hole XD, thanks in advance!
If you do an NVA, make sure you understand the performance limitations and scalability.
It can be.
But it’s a virtual firewall in Azure which you can use to terminate VPN tunnels on and then set up a routing table in Azure to put traffic back out again. Azure offers the firewall service itself as well, but that’s very expensive.
A virtual appliance is basically a VM doing that, but it will require some more config as well.