Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to know more about the configuration for inspecting traffic between Azure and OnPrem via ExR or VPN Gateway.
With regard to the statement, "I have an ExpressRoute via a VPN gateway in Azure, which is connected to OnPrem."
- I take it that this is VNET Gateway and not VPN Gateway.
I see you are already clear about the OnPrem to Azure part.
- As you mentioned, attaching a Route Table with UDR pointing Azure address range to the NVA IP would do the trick.
Azure to OnPrem Part:
- With the ExpressRoute, all the VMs automatically learn the next hop for the OnPrem address range.
- When you add a route table to the subnets, you are actually overriding these System/BGP routes via a UDR (custom route) and making them point to the NVA.
- However, you will not be adding any such route table to the NVA's subnet.
- This means the NVA is aware of the next hop as ExpressRoute via the system routes.
- i.e., the system route was not overridden by any UDRs.
- So, once the NVA inspects/processes the traffic and allows it, the platform will take care of the routing to OnPrem.
- E.g.,
- If the target address is 10.1.0.10, the NVA should send the traffic to 10.1.0.10 only.
- Azure will take care of routing at the platform level
Kindly let us know if this helps or you need further assistance on this issue.
Thanks,
Kapil
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
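The routing the answer describes, written out as Azure CLI commands. This is an added example, not part of the original answer or of any Microsoft documentation, and every name and address in it is an assumption chosen for illustration: resource group `rg-hub`, VNet `vnet-hub`, workload subnets `snet-app` and `snet-db`, NVA subnet `snet-nva` with NVA IP `10.0.2.4`, Azure range `10.0.0.0/16` and on-prem range `192.168.0.0/16`. It creates one route table for the workload subnets (Azure to OnPrem via the NVA), one for `GatewaySubnet` (OnPrem to Azure via the NVA), and deliberately refuses to attach the workload table to the NVA's own subnet so that the NVA keeps the system route towards ExpressRoute.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer). All names and prefixes are assumed placeholders.
set -eu

RG="${RG:-rg-hub}"
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-vnet-hub}"
NVA_IP="${NVA_IP:-10.0.2.4}"                  # private IP of the NVA's inside NIC (assumed)
NVA_SUBNET="${NVA_SUBNET:-snet-nva}"          # the NVA's subnet: must NOT get rt-workload
GATEWAY_SUBNET="GatewaySubnet"                # ExpressRoute/VPN gateway subnet: gets rt-gateway
ONPREM_PREFIX="${ONPREM_PREFIX:-192.168.0.0/16}"
AZURE_PREFIX="${AZURE_PREFIX:-10.0.0.0/16}"
WORKLOAD_SUBNETS="${WORKLOAD_SUBNETS:-snet-app snet-db}"

# With DRY_RUN=1 the az commands are printed instead of executed, so the plan can be reviewed offline.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Azure -> OnPrem: a UDR for the on-prem range with next hop = NVA. On the subnets it is
# attached to, this UDR takes precedence over the BGP route learned through ExpressRoute.
create_workload_route_table() {
  run az network route-table create -g "$RG" -n rt-workload -l "$LOCATION"
  run az network route-table route create -g "$RG" --route-table-name rt-workload \
      -n to-onprem --address-prefix "$ONPREM_PREFIX" \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$NVA_IP"
}

# OnPrem -> Azure: a UDR on GatewaySubnet for the Azure range with next hop = NVA,
# so traffic arriving from ExpressRoute is steered through the NVA before reaching VMs.
create_gateway_route_table() {
  run az network route-table create -g "$RG" -n rt-gateway -l "$LOCATION"
  run az network route-table route create -g "$RG" --route-table-name rt-gateway \
      -n azure-via-nva --address-prefix "$AZURE_PREFIX" \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$NVA_IP"
}

# Attach rt-workload to every workload subnet, but never to the NVA's subnet (it must keep the
# system route towards ExpressRoute, otherwise traffic the NVA forwards loops straight back to
# the NVA) and never to GatewaySubnet (which gets rt-gateway instead).
associate_route_tables() {
  local s
  for s in $WORKLOAD_SUBNETS; do
    if [ "$s" = "$NVA_SUBNET" ] || [ "$s" = "$GATEWAY_SUBNET" ]; then
      echo "refusing to attach rt-workload to $s: it would override the NVA/gateway system routes" >&2
      return 1
    fi
    run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$s" --route-table rt-workload
  done
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$GATEWAY_SUBNET" --route-table rt-gateway
}

# Verify from the NVA's point of view: its NIC should still show the on-prem prefix with
# next hop type VirtualNetworkGateway (system/BGP), not VirtualAppliance.
show_effective_routes() {
  run az network nic show-effective-route-table -g "$RG" -n "$1" --output table
}

if [ "${1:-}" = "apply" ]; then
  create_workload_route_table
  create_gateway_route_table
  associate_route_tables
  show_effective_routes "${NVA_NIC:-nic-nva}"   # NIC name is an assumed placeholder
fi
```

Run `DRY_RUN=1 bash routes.sh apply` first to print the plan, then `bash routes.sh apply` with the Azure CLI logged in. The effective-route check at the end is the one worth keeping: if the NVA's NIC lists the on-prem prefix with next hop `VirtualAppliance`, a route table has been attached to the NVA subnet by mistake and forwarded traffic will loop.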