Hello @Gongya Yu ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you need clarification about the routing tables on ExpressRoute circuit and virtual network gateway.
The ExpressRoute route table contains the prefixes of on-prem and Azure VNets. The route table summary shows the BGP neighbors, which live in the GatewaySubnet. This clearly explains the routes from on-prem to the Azure cloud.
Yes, this is correct. You can get a detailed route table of an ExpressRoute circuit. The route table shows all routes and a summary of BGP neighbor information, or it can be filtered to show routes for a specific peering type. You can use the route table to validate your peering configuration and connectivity.
You can also view the route table and route table summary of ExpressRoute circuit in the Azure portal by right-clicking on a peering type as below:
But the route table associated with the GatewaySubnet does not show routes to on-prem. Does it hide them? Is there any way to see them, even via CLI? As the ER route table shows the BGP neighbors in the GatewaySubnet, I guess those on-prem routers are advertised to the GatewaySubnet route table, right? Or is there something internal?
An on-premises network gateway can exchange routes with an Azure virtual network gateway using the border gateway protocol (BGP). When you exchange routes with Azure using BGP, a separate route is added to the route table of all subnets in a virtual network for each advertised prefix. The route is added with Virtual network gateway listed as the source and next hop type.
Azure automatically creates a route table for each subnet within an Azure virtual network and adds system default routes to the table. You can't create system routes, nor can you remove system routes, but you can override some system routes with custom routes. Azure creates default system routes for each subnet, and adds more optional default routes to specific subnets, or every subnet, when you use specific Azure capabilities.
The route table (if any) that shows on a subnet, including a GatewaySubnet, is generally a custom (user-created) route table that the user associated with the subnet to override system routes. So you cannot see the system routes in those route tables.
The combination of routes you create, Azure's default routes, and any routes propagated from your on-premises network through an Azure VPN gateway (if your virtual network is connected to your on-premises network) via the border gateway protocol (BGP), are the effective routes for all network interfaces in a subnet.
And the only way to see them is by viewing the routes that are effective for a network interface in a virtual machine (VM) within a particular Vnet.
Refer: https://learn.microsoft.com/en-us/azure/virtual-network/diagnose-network-routing-problem
https://learn.microsoft.com/en-us/azure/virtual-network/manage-route-table#view-effective-routes
So, to check the routes learned by the GatewaySubnet, pick a VM in the same VNet as the ExpressRoute gateway in the Azure portal and view its Effective routes.
NOTE: ER and VPN Gateway route propagation can be disabled on a subnet using a property on a route table. When you disable route propagation, the system doesn't add routes to the route table of all subnets with Virtual network gateway route propagation disabled. This process applies to both static routes and BGP routes. So, if the VM's subnet has "Virtual network gateway route propagation disabled", you cannot see all the routes.
You could also try using the following Azure PowerShell commands to get the routes advertised and learned by an Azure virtual network gateway:
Get-AzVirtualNetworkGatewayAdvertisedRoute
- Lists routes being advertised by an Azure virtual network gateway
Get-AzVirtualNetworkGatewayLearnedRoute
- Lists routes learned by an Azure virtual network gateway
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
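The following Azure PowerShell script is an added example, not part of the answer above, that ties the three checks together: the BGP peers and routes learned by the ExpressRoute gateway, the effective routes on a VM's NIC (the only place the propagated on-prem prefixes become visible), and the route table property that would suppress them. The resource group, gateway and VM names are placeholders you must replace; it assumes an Az PowerShell session already signed in to the right subscription.

```powershell
# Added example, not from the original answer. Placeholder names; replace before running.
# Requires the Az.Network and Az.Compute modules and an authenticated session (Connect-AzAccount).
$rg     = 'rg-hub'         # resource group holding the gateway and the VM
$gwName = 'ergw-hub'       # ExpressRoute virtual network gateway
$vmName = 'vm-hub-test'    # a VM in the same VNet as the gateway

# 1. BGP neighbours of the gateway and the routes they sent us (the on-prem side of the circuit).
$peers = Get-AzVirtualNetworkGatewayBGPPeerStatus -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName
$peers | Format-Table Neighbor, Asn, State, RoutesReceived -AutoSize

$learned = Get-AzVirtualNetworkGatewayLearnedRoute -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName
# Origin 'Network' entries are the VNet's own prefixes; everything else came in over BGP.
$learned | Where-Object { $_.Origin -ne 'Network' } |
    Sort-Object Network | Format-Table Network, NextHop, SourcePeer, Origin, AsPath -AutoSize

# What the gateway advertises back to each peer (the cmdlet needs the peer IP explicitly).
foreach ($peer in $peers) {
    "Advertised to $($peer.Neighbor):"
    Get-AzVirtualNetworkGatewayAdvertisedRoute -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName -Peer $peer.Neighbor |
        Format-Table Network, NextHop, Origin -AutoSize
}

# 2. Effective routes on the VM's first NIC. System routes and BGP-propagated routes only show here.
$vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$effective = Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName $nic.Name

$gwRoutes = $effective | Where-Object { $_.NextHopType -eq 'VirtualNetworkGateway' }
$gwRoutes | Format-Table @{ n = 'Prefix'; e = { $_.AddressPrefix -join ',' } }, Source, State, NextHopType -AutoSize

# 3. If no VirtualNetworkGateway routes appear, check whether the NIC's subnet has a route table
#    with gateway route propagation disabled (DisableBgpRoutePropagation = True).
if (-not $gwRoutes) {
    # Subnet resource ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
    $idParts    = $nic.IpConfigurations[0].Subnet.Id -split '/'
    $vnetRg     = $idParts[4]
    $vnetName   = $idParts[8]
    $subnetName = $idParts[10]

    $vnet   = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

    if ($subnet.RouteTable) {
        $rtParts = $subnet.RouteTable.Id -split '/'
        $rt = Get-AzRouteTable -ResourceGroupName $rtParts[4] -Name $rtParts[8]
        "Subnet {0} uses route table {1}; DisableBgpRoutePropagation = {2}" -f $subnetName, $rt.Name, $rt.DisableBgpRoutePropagation
    }
    else {
        "Subnet $subnetName has no custom route table; gateway routes should propagate unless the gateway learned none."
    }
}
```

Read the output top-down: if step 1 shows the on-prem prefixes as learned but step 2 shows none with NextHopType VirtualNetworkGateway, step 3 is the first thing to look at; if step 1 already shows nothing beyond the VNet's own prefixes, the problem is on the circuit or the on-prem BGP side, not in the VNet.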