Azure Virtual Network gateway subnet with multiple address spaces and express route

Paul Cookman 41 Reputation points
2020-07-17T06:00:04.653+00:00

Hi, I have a question regarding a VNET with multiple address spaces and express route.

When creating an Azure Virtual Network gateway subnet with multiple address spaces, does it matter which address space I specify for the Gateway subnet?

My scenario,

I have a VNet with an existing address space and VMs, and I am introducing ExpressRoute, which dictates my address space in my scenario. Rather than restore the VMs to a different VNet, I would like to add an additional address space and then change the IPs of the VMs to the ExpressRoute address space.

There is an existing site-to-site VPN in place using the original address space (gateway subnet) that I need to leave in place.

My question,

Can I set up my new ExpressRoute with the new address space but still use the existing gateway subnet belonging to the original address space? Will ExpressRoute care about the gateway subnet being on a different address space to what it is routing to?

Any ideas?

regards,

Paul.


Accepted answer
  1. GitaraniSharma-MSFT 47,086 Reputation points Microsoft Employee
    2020-07-22T10:43:21.357+00:00

    @PaulCookman-2160 ,

    Like I mentioned before, Azure ExpressRoute uses dynamic routing between your network and Microsoft via the BGP protocol, and BGP provides automatic and flexible route prefix updates. The ExpressRoute gateway will advertise the Address Space(s) of the Azure VNet; you can't include/exclude at the subnet level. It is always the VNet Address Space that is advertised.

    For example:
    Let's say your VNet address range is 10.10.10.0/24 and the GatewaySubnet is 10.10.10.0/27 (where you have an existing S2S VPN).
    But your on-prem range overlaps with this address space.
    So you add a new address space say 10.20.0.0/24
    And deploy ExpressRoute gateway in your existing GatewaySubnet "10.10.10.0/27".

    What happens to the routing:
    ExR gateway will advertise both 10.10.10.0/24 and 10.20.0.0/24 to the Microsoft Edge routers.

    So, even if you keep the old address space for just the GatewaySubnet, it will still get advertised to your on-premises network, and the on-prem address range will get advertised to us. Overlapping addresses are never recommended, as you never know how they will cause an issue.

    In your case, the ExR gateway instances and the tunnel IPs will be from the overlapping address space. So the Microsoft Edge routers will have one route which is from On prem and another which is from gateway. So it will likely cause issues for the Microsoft edge router in deciding how to handle the traffic.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

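The following Az PowerShell script is an added example, not code from the original thread or from Microsoft, illustrating the point made in the accepted answer: the ExpressRoute gateway advertises every address space of the VNet, including the one that only hosts the GatewaySubnet, so the only useful pre-check is whether any of those spaces overlaps the on-premises ranges. It then pulls the circuit's private-peering route table to confirm what each Microsoft Edge router actually learned. The resource group, VNet, circuit name and on-premises prefixes are hypothetical placeholders.

```powershell
# Added example (not from the original thread). Resource names and prefixes are hypothetical.
# Requires the Az.Network module and an authenticated session (Connect-AzAccount).

function ConvertTo-IpInt {
    # IPv4 dotted-quad -> 32-bit integer (held in a [long] to avoid unsigned arithmetic quirks)
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [long]$n = 0
    foreach ($b in $bytes) { $n = ($n * 256) + $b }
    return $n
}

function Get-CidrRange {
    # Returns the first/last address of a CIDR block as integers.
    param([string]$Cidr)
    $addr, $len = $Cidr -split '/'
    $len   = [int]$len
    $size  = [long][math]::Pow(2, 32 - $len)
    $first = [long]([math]::Floor((ConvertTo-IpInt $addr) / $size)) * $size
    return [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = $first + $size - 1 }
}

function Test-CidrOverlap {
    # True when two CIDR blocks share at least one address.
    param([string]$A, [string]$B)
    $ra = Get-CidrRange $A
    $rb = Get-CidrRange $B
    return ($ra.First -le $rb.Last) -and ($rb.First -le $ra.Last)
}

# --- Hypothetical inputs; replace with your own ---
$rg       = 'rg-hub'
$vnetName = 'vnet-hub'
$circuit  = 'er-circuit-01'
$onPrem   = @('10.10.0.0/16', '192.168.100.0/24')   # ranges the on-premises side advertises over BGP

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

# Everything in AddressSpace.AddressPrefixes is advertised by the ER gateway; there is no
# per-subnet include/exclude, so the space that only holds the GatewaySubnet goes out too.
$advertised = $vnet.AddressSpace.AddressPrefixes
Write-Host "Prefixes the ExpressRoute gateway will advertise: $($advertised -join ', ')"

$gwSub    = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwPrefix = @($gwSub.AddressPrefix)[0]
$gwSpace  = $advertised | Where-Object { Test-CidrOverlap $_ $gwPrefix }
Write-Host "GatewaySubnet $gwPrefix lives in address space $gwSpace, which is advertised like any other."

# Flag every VNet prefix that would collide with an on-premises prefix once both sides exchange routes.
$conflicts = foreach ($v in $advertised) {
    foreach ($o in $onPrem) {
        if (Test-CidrOverlap $v $o) { [pscustomobject]@{ VNetPrefix = $v; OnPremPrefix = $o } }
    }
}
if ($conflicts) {
    Write-Warning 'Overlapping prefixes would be exchanged over BGP:'
    $conflicts | Format-Table -AutoSize
} else {
    Write-Host 'No overlap between VNet address spaces and on-premises ranges.'
}

# Confirm what the circuit actually carries on private peering, on both Microsoft Edge routers.
foreach ($path in 'Primary', 'Secondary') {
    Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $rg -ExpressRouteCircuitName $circuit `
        -PeeringType AzurePrivatePeering -DevicePath $path |
        Select-Object @{ n = 'Msee'; e = { $path } }, Network, NextHop, Path
}
```

Run it once before adding the new address space and once after; the second route-table dump should show both VNet prefixes, and any row whose Network overlaps an on-premises prefix is the collision the accepted answer warns about.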

4 additional answers

  1. GitaraniSharma-MSFT 47,086 Reputation points Microsoft Employee
    2020-07-20T11:38:53.647+00:00

    Hello @Paul Cookman ,

    Azure ExpressRoute uses BGP, an industry-standard dynamic routing protocol, to exchange routes between your on-premises network and your instances in Azure. Now, if you have multiple address spaces in your VNet and you deploy an Azure ExpressRoute gateway in a GatewaySubnet (no matter which address space) and then link this VNet to an ExpressRoute circuit, the route table of the ExpressRoute circuit will receive all routes, including on-prem routes as well as Azure routes (all address spaces of the connected VNet and any other peered VNet address ranges).

    Via BGP, both of your address spaces will be accessible from your on-premises network. If you have an existing ExpressRoute circuit, you may add a new address space to an already linked VNet and check the route table for clarification.

    Could you please clarify why you have mentioned "The original address space will not be routable from onpremise once the expressroute is created and this includes the GW subnet."?


  2. GitaraniSharma-MSFT 47,086 Reputation points Microsoft Employee
    2020-07-17T13:31:54.157+00:00

    Hello @PaulCookman-2160 ,

    It does not matter which address space you specify for the GatewaySubnet when creating an Azure Virtual Network GatewaySubnet with multiple address spaces, but do ensure non-overlapping address spaces. Make sure your VNet address space (CIDR block) does not overlap with your organization's other network ranges.
    Azure creates a route with an address prefix that corresponds to each address range defined within the address space of a virtual network. If the virtual network address space has multiple address ranges defined, Azure creates an individual route for each address range. Azure automatically routes traffic between subnets using the routes created for each address range.
    Please refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#system-routes

    Also, while creating a co-existing scenario (VPN + ExpressRoute) in a VNet, the gateway subnet must be /27 or a shorter prefix (such as /26, /25), or you will receive an error message when you add the ExpressRoute virtual network gateway. And only a route-based VPN gateway is supported. In case you already have an existing Site-to-Site VPN connection and the gateway subnet mask is /28 or smaller (/28, /29, etc.), you have to delete the existing gateway and GatewaySubnet and recreate everything from scratch.

    Please refer : https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager?toc=/azure/vpn-gateway/toc.json

    NOTE : You may face challenges while creating an ExpressRoute gateway over an existing S2S VPN gateway via Azure portal. So I would recommend using PowerShell to avoid any failures.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

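The answer above lists the coexistence requirements (GatewaySubnet of /27 or shorter, route-based VPN gateway) and recommends PowerShell over the portal for adding the ExpressRoute gateway next to an existing S2S gateway. The script below is an added example, not code from the thread or from the linked Microsoft article, that pre-flights both requirements against the existing GatewaySubnet and then creates the ExpressRoute gateway in that same subnet and links it to a circuit. Resource group, VNet, gateway, circuit names and the region are hypothetical placeholders; the Dynamic public IP allocation follows the coexistence article's own pattern for the ExpressRoute gateway.

```powershell
# Added example (not from the original thread). Names and region are hypothetical.
# Requires the Az.Network module and an authenticated session (Connect-AzAccount).

$rg        = 'rg-hub'
$vnetName  = 'vnet-hub'
$location  = 'westeurope'
$erGwName  = 'ergw-hub'
$circuitRg = 'rg-er'
$circuitNm = 'er-circuit-01'

$vnet  = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$gwSub = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Requirement 1: GatewaySubnet must be /27 or shorter (/26, /25 ...). A /28 or /29 cannot
# host both gateways; it has to be deleted and recreated, which this script refuses to do.
$prefixLen = [int]((@($gwSub.AddressPrefix)[0] -split '/')[1])
if ($prefixLen -gt 27) {
    throw "GatewaySubnet is /$prefixLen; VPN + ExpressRoute coexistence needs /27 or shorter."
}

# Requirement 2: the VPN gateway already in this GatewaySubnet must be route-based.
$vpnGw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg | Where-Object {
    $_.GatewayType -eq 'Vpn' -and
    (($_.IpConfigurations | ForEach-Object { $_.Subnet.Id }) -contains $gwSub.Id)
}
if ($vpnGw -and $vpnGw.VpnType -ne 'RouteBased') {
    throw "Existing VPN gateway '$($vpnGw.Name)' is $($vpnGw.VpnType); only RouteBased is supported alongside ExpressRoute."
}
Write-Host "GatewaySubnet /$prefixLen and VPN gateway type check out; adding ExpressRoute gateway."

# Create the ExpressRoute gateway in the existing GatewaySubnet. The API requires a public IP
# resource for the gateway even though ExpressRoute traffic never uses it.
$pip   = New-AzPublicIpAddress -Name "$erGwName-pip" -ResourceGroupName $rg -Location $location `
            -AllocationMethod Dynamic
$ipCfg = New-AzVirtualNetworkGatewayIpConfig -Name "$erGwName-ipcfg" -SubnetId $gwSub.Id `
            -PublicIpAddressId $pip.Id
$erGw  = New-AzVirtualNetworkGateway -Name $erGwName -ResourceGroupName $rg -Location $location `
            -IpConfigurations $ipCfg -GatewayType ExpressRoute -GatewaySku Standard

# Link the new gateway to the circuit; private peering must already be configured on the circuit.
$circuit = Get-AzExpressRouteCircuit -Name $circuitNm -ResourceGroupName $circuitRg
New-AzVirtualNetworkGatewayConnection -Name "$erGwName-to-$circuitNm" -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $erGw -PeerId $circuit.Id -ConnectionType ExpressRoute
```

The two throw statements are the cheap part to run first: if either fires, the rest of the thread's advice applies and the GatewaySubnet (and the S2S gateway in it) has to be rebuilt before ExpressRoute can be added at all.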

  3. Paul Cookman 41 Reputation points
    2020-07-17T15:02:58.763+00:00

    Thank you for your response,

    When you say,
    "It does not matter which address space you specify for the GatewaySubnet, while creating an Azure Virtual Network GatewaySubnet with multiple address spaces but do ensure non-overlapping address spaces. Make sure your VNet address space (CIDR block) does not overlap with your organization's other network ranges."

    The original address space will not be routable from on-premises once the ExpressRoute is created, and this includes the GW subnet. I will effectively end up with a new routable address space through ExpressRoute with a GW subnet that belongs to the original un-routable address space. No overlapping, however the original address space is not accessible.

    I just wanted to make sure I was clear with my scenario, will this still work?

    Regards,

    Paul.


  4. Paul Cookman 41 Reputation points
    2020-07-20T13:40:13.843+00:00

    The original address space will overlap in the future, so we cannot route to this; however, that address space's GW subnet is the GW subnet for the VNet. This is why I need to know if the GW subnet can be used from another subnet or if it is involved in the routing anywhere between on-prem and the VNet address space.

    Address Space A (with GW Subnet)
    Address Space B

    Express Route onprem to Address Space B ONLY.

    Can the GW subnet from Address Space A be used in this configuration?

    Background.

    Address Space A is used in a separate site-to-site with the GW subnet in use, and we don't want to create another VNet; ideally, we don't want to blow away the GW subnet and recreate another GW subnet in the other address space.

    We do know this is not ideal, we just need to know if it is technically possible as an option.

    Regards,

    Paul.
