Hello All, please check below diagram: Subnet A: on-premises , will be advertised via SDWAN to the vHub subnet Z: used in the service Vnet (where 2 Firewalls: FG or PA) are hosted: to filter traffic between cloud and sdwan (on-prem) Subnet X1,Y1: host subnets, where i am using my VMs in Vnet1 Subnet X2,Y2: host subnets, where i am using my VMs in Vnet1 Target: Subnet A and Subnet (X1,X2,Y1,Y2) communicate , while Firewall can be used to block or allow communication based on application, subnet, port, etc. The problem: 1-once vHub connected to service Vnet: subnet Z will be in the vHub routing table and reachable..OK 2-also subnet A (which is in vHub BGP , received from SDWAN) will also adv to service Vnet...OK i.e. Subnet A and Z can reach each other , which is not target but OK 3-once the peering between service vnet and Host vnets (Vnet1 and Vnet2) , subnet X1,Y1 can reach subnet Z, same for X2,Y2 can reach subnet Z..OK all above is happening automatically without any need for manual user defined routes 4-the problem is : 4.1 How subnet X1,X2,Y1,Y2 can be advertised to the vHub ?, is there any way can make those subnets (from Host Vnets1,and 2) advertised to the vHub automatically? i am thinking of manual options, but still not very clear for me! and i want automatic option, where if any new subnet (X3) added in Vnet1 , subnet X3 advertised automatically to the vHub 4.2 How subnet A can be advertised to Vnet1 and Vnet2 automatically?

@ZEIN Ahmed OBS/S EUR , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. Looking at your design, it appears something similar to Route traffic through an NVA . Where, Your Set Up Azure reference architecture ServiceVnetX VNet2 VNet1,VNet2 VNet5,VNet6 Point to Note: I see you have mentioned "automatic" advertisement a couple of times. The entire concept of vWAN is to automate route propagation However, you are using a multi Hub design i.e, two Hubs - one vHubX and two vNETX. This means you are still using traditional Hub Spoke where the Hub is "vNETX" and Spokes are "VNET1" and "VNET2" And since vWAN does not have any control over the routing in the VNETs it is not directly connected to, you have to rely on manually updating the routes only With that said, To advertise the Spoke ranges to the vHub, (I am using your setup's naming convention) You should add UDRs to VNET1 and VNET2 (Subnets X1,Y1,X2,Y2) with nextHop as the vFG i.e., Destination Range : SubnetA NextHop IP : vFG's IP Add an static route entry for VNET1,VNET2,VNETX to vHubX’s Default route table. Configure a static route for VNET1,VNET2 in VNet X’s virtual network connection. To set up routing configuration for a virtual network connection, see virtual hub routing . i.e., Post this, X1,X2,Y1,Y2 subnets will be advertised to the vHubX SubnetA 's range will be advertised to the X1,X2,Y1,Y2 by UDR Kindly let us know if this helps or you need further assistance on this issue. Thanks, Kapil Please don’t forget to close the thread by clicking " Accept the answer " wherever the information provided helps you, as this can be beneficial to other community members.

Routing to/from virtual WAN

Accepted answer

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-06-20T10:05:33.82+00:00
@ZEIN Ahmed OBS/S EUR ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Looking at your design, it appears something similar to Route traffic through an NVA.

Where,

Your Set Up Azure reference architecture

ServiceVnetX VNet2

VNet1,VNet2 VNet5,VNet6

Point to Note:

I see you have mentioned "automatic" advertisement a couple of times.

The entire concept of vWAN is to automate route propagation

However, you are using a multi Hub design

i.e, two Hubs - one vHubX and two vNETX.

This means you are still using traditional Hub Spoke where the Hub is "vNETX" and Spokes are "VNET1" and "VNET2"

And since vWAN does not have any control over the routing in the VNETs it is not directly connected to, you have to rely on manually updating the routes only

With that said,

To advertise the Spoke ranges to the vHub, (I am using your setup's naming convention)

You should add UDRs to VNET1 and VNET2 (Subnets X1,Y1,X2,Y2) with nextHop as the vFG

i.e.,

Destination Range : SubnetA

NextHop IP : vFG's IP

Add an static route entry for VNET1,VNET2,VNETX to vHubX’s Default route table.

Configure a static route for VNET1,VNET2 in VNet X’s virtual network connection. To set up routing configuration for a virtual network connection, see virtual hub routing.

i.e.,

Post this,

X1,X2,Y1,Y2 subnets will be advertised to the vHubX

SubnetA 's range will be advertised to the X1,X2,Y1,Y2 by UDR

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

1 person found this answer helpful.
ZEIN Ahmed OBS/S EUR 125 Reputation points

2024-06-20T10:35:48.8366667+00:00

thanks @KapilAnanth-MSFT
this is my understanding, thats why i raised the question.
becasue i am thinking about some ideas can add automation for this route advertisments

1-can we build BGP between vHub and vFGs (in Service VnetX)?
i think no way!

2-if no way for idea 1, what about adding route server in the service Vnet and build BGP between vFG and route server
in vFG we can adv subnet A via BGP to route server --> send it automatically to Vnet1 and 2

3-using GW and Transient option can help

i know that all ideas not organized and not building a complete picture, but i am trying to think out loud with you

the main issue is vFG cannot be hosted in the vHub with the SDWAN NVA, because BGP will flap (a well known bug in Azure vWAN), so i am forced to move the vFG to a service Vnet

You are right that vWAN is automated , but it cannot host SDWAN and Firewall at same time, so it is the vWAN issue at the end

ZEIN Ahmed OBS/S EUR 125 Reputation points

2024-06-20T11:00:06.8033333+00:00

@KapilAnanth-MSFT
example for idea, i can see that BGP peer can be added on vHub where the Peer on another Vnet connected to the vHub using Vnet connection
see below

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-06-20T11:53:12.2166667+00:00

@ZEIN Ahmed OBS/S EUR ,

You are welcome.

1-can we build BGP between vHub and vFGs (in Service VnetX)?

Yes

The same architecture with BGP Supported NVA is documented here : vWAN BGP peering scenarios

However, Spokes (VNET1 and VNET2) still need to be added UDRs

2-if no way for idea 1,

No, you cannot deploy a Route Server in a spoke VNet

See : Can I create an Azure Route Server in a spoke VNet that's connected to a Virtual WAN hub?

3-using GW and Transient option can help

No

The reason is same as #2

See : Can a spoke VNet have a virtual network gateway?

Wrt "vFG cannot be hosted in the vHub with the SDWAN NVA, because BGP will flap (a well known bug in Azure vWAN)",

From document About NVAs in a Virtual WAN hub, I see

I am not aware of such an issue

Can you please tell me how you became aware of this?

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

ZEIN Ahmed OBS/S EUR 125 Reputation points

2024-06-20T12:10:53.3466667+00:00

thanks @KapilAnanth-MSFT , here you go with my comments
1-lets elaborate the idea number 1: BGP up and running between vHub and vFG
1.1subnet A --> via BGP --> vFG , vent 1&2 both need UDR for subnet A via vFG ip (correct)
1.2Subnet X1,Y1,X2,Y2: must be added manually in the VnetX using UDR point to the Vnet peering?

1.3 subnet X1,Y1,X2,Y2 can be redistributed in the vFG BGP route table so it can be advertised to vHub via BGP? or it must be also added as static route
i.e. for subnet X1,Y1,X2,Y2 2 manual actions required or only one?

idea 2 and 3 killed already.

answering your point about 2 different NVA hosted in the same vHub and using BGP is not working it is a limitation (not bug)
the traffic from host vnets (vnet1 and 2) need to go via firewall then sdwan nva
if FW hosted in the same vHub. it will be useless as all routes (subnet A and Subnet X&Y) advertised between SDWAN NVA and host Vnets
in order to make FW in the traffic path, the only option is to use intent routing, which is not working if FW and SDWAN both in same vHub.

the other option is to use Service Vnet (where we are discussing now)

note: using another vHub for the FW is NO GO due to network design and routing complexity.- forget that option "unfortunately"

check below:
https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#knownlimitations

The following connectivity use cases are not supported with Routing Intent:

Static routes in the defaultRouteTable that point to a Virtual Network connection can't be used in conjunction with routing intent. However, you can use the BGP peering feature.

The ability to deploy both an SD-WAN connectivity NVA and a separate Firewall NVA or SaaS solution in the same Virtual WAN hub is currently in the road-map. Once routing intent is configured with next hop SaaS solution or Firewall NVA, connectivity between the SD-WAN NVA and Azure is impacted. Instead, deploy the SD-WAN NVA and Firewall NVA or SaaS solution in different Virtual Hubs. Alternatively, you can also deploy the SD-WAN NVA in a spoke Virtual Network connected to the hub and leverage the virtual hub BGP peering capability.

ZEIN Ahmed OBS/S EUR 125 Reputation points

2024-06-20T12:22:14.9266667+00:00

Thanks @KapilAnanth-MSFT
1-for idea 1, so if BGP up between vHub and vFG, subnet A will be adv from vHub to vFG and SubnetX1,Y1 adv from vFG to vHub
but we still need to adv between vFG (in service vnet) and host vnets
1.1 in host vnet1 , UDR for subnet A --> next hop =vFG
1.2 in service vnetx, UDR for subnet X1,Y1 --> Vnet peering
both are must , as long as route server or TGW not an option (correct?)

then for the vFG to have subnets X1,Y1 in BGP table, is there anyway to make it auto, or i have to add static route in the vFG (redist into BGP)? what do you think here?

2 and 3 : both killed before born

answering your point for hosting the FW in the vHUB, actually it is a limitation in Azure

the traffic between subnet A and Subnet X1 is using the SDWAN NVA as adv of subnet A coming from the SDWAN.
you can build FW in the vHub for sure, but it will not work as traffic will never pass via the FW.
in order to make the traffic pass via the FW: you need intent routing
in such case, it will not work check below Azure link.
the only option is to put the FW in a service Vnet where it is connecting the other host vnets <same design diagram we talk about>

note: unfortunately using another vHub for the FW is very complex in large scale routing, that will be impossible option.

https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#knownlimitations
The following connectivity use cases are not supported with Routing Intent:

Static routes in the defaultRouteTable that point to a Virtual Network connection can't be used in conjunction with routing intent. However, you can use the BGP peering feature.

The ability to deploy both an SD-WAN connectivity NVA and a separate Firewall NVA or SaaS solution in the same Virtual WAN hub is currently in the road-map. Once routing intent is configured with next hop SaaS solution or Firewall NVA, connectivity between the SD-WAN NVA and Azure is impacted. Instead, deploy the SD-WAN NVA and Firewall NVA or SaaS solution in different Virtual Hubs. Alternatively, you can also deploy the SD-WAN NVA in a spoke Virtual Network connected to the hub and leverage the virtual hub BGP peering capability.

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-06-20T13:45:33.34+00:00

@ZEIN Ahmed OBS/S EUR ,

There is a difference between a product/design limitation and a "bug".

I was under the impression that

You were going to use a single NVA (vFG) for both SDWAN and Firewall capabilities.

And you got an update from Azure Support that this is not supported.

However, as documented,

You cannot deploy two NVA instances - this is by design only (as of now)

Coming to our set up,

so if BGP up between vHub and vFG, subnet A will be adv from vHub to vFG and SubnetX1,Y1 adv from vFG to vHub

Correct

Note : You have to configure your vFG to advertise SubnetX1,Y1,X2,Y2 to vHUB.

but we still need to adv between vFG (in service vnet) and host vnets
1.1 in host vnet1 , UDR for subnet A --> next hop =vFG

Correct

VNET1,VNET2 are not aware of the SubnetA and so you need UDR

1.2 in service vnetx, UDR for subnet X1,Y1 --> Vnet peering

Not exactly

This should not be achieved by UDRs - in fact you don't need it

Technically speaking, since VNET1,VNET2 and VNETX are peered, VNETX already know the route to VNET1,VNET2 without ever needing a UDR.

VNETX is aware of the VNET1,VNET2 and so, you don't need a UDR here

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

ZEIN Ahmed OBS/S EUR 125 Reputation points

2024-06-20T15:08:13.81+00:00

Thanks @KapilAnanth-MSFT
for the vFG route to subnetX1 and Y1
assume that BGP is using redistribute connected and redistribute static already- i.e. any static or connected subnet in the vFG routing table will be advertised to BGP peer (vHub).
A- the vFG needs a static route for subnets X1,Y1, isnt it ? what should be the next-hop?
B-Or as long as X1 and Y1 part of VnetX routing table it can be considered as connected to the vFG?

is there any way to make the vFG learn subnet X1,Y1 without manual action?

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-06-20T15:18:56.2933333+00:00

You are welcome @ZEIN Ahmed OBS/S EUR ,

Answer B, as long as X1 and Y1 (X2,Y2 too) part of VNETX's routing table it can be considered as connected to the vFG.

Wrt, "is there any way to make the vFG learn subnet X1,Y1 without manual action?"

Non needed

vFG already learns subnet X1,Y1 via VNET Peering.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

ZEIN Ahmed OBS/S EUR 125 Reputation points

2024-06-20T15:21:47.2433333+00:00

you are the one @KapilAnanth-MSFT

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-06-20T17:15:07.7066667+00:00

@ZEIN Ahmed OBS/S EUR ,

Glad we could be of service.

I would highly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Thanks for your continued contribution on Q&A and appreciate much for taking the time to share your feedback.

Thanks,

Kapil
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Routing to/from virtual WAN

0 additional answers

Your answer