Share via

Azure Vwan routes level (vnet, subnet)

Côme C 36 Reputation points
2023-10-23T15:47:16.5033333+00:00

Hello,

We wants to isolate subnets within spoke vnets. The aim is to force traffic to an NVA (not managed by vWan)

We thought it would be possible by overriding default route to vnet in vWAN route table.

For instance, if my spoke is 10.21.4.0/24, I add a static route in my vWAN route table saying 10.21.4.0/24 => NVA.

But when checking effective route on a VM, we still find 10.21.4.0/24 => Virtual network. The instantiated route does not appear

 

We tried many scenarios :

  1. Overriding the route in vWAN route table, as described above => Not working
  2. Overriding the route in vWAN vnet connection => Not working
  3. Adding a route table (UDR) on the subnet => Seems to be working

 

Is there a way to force a subnet to go through the NVA before it reaches any other subnet (even one of the same vnet) in vWAN ?

We can’t find any reference design about it.

We would like to avoid if possible the use of UDR because it add complexity in the design and break the “one point of routing management” concept of vWAN.

 

Thanks

Azure Virtual WAN
Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
226 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,509 questions
0 comments
Accepted answer
  1. ChaitanyaNaykodi-MSFT 26,216 Reputation points Microsoft Employee
    2023-10-24T03:32:53.2233333+00:00

    @Côme C

    Thank you for reaching out.

    Based on your questions above.

    Overriding the route in vWAN route table, as described above => Not working Overriding the route in vWAN vnet connection => Not working

    This observation is a known limitation of Azure WAN routing and is documented here - "Virtual WAN wouldn't be able to inject a route that matches the virtual network prefix (10.1.0.0/16) or any of the subnets (10.1.0.0/24, 10.1.1.0/24). In other words, Virtual WAN can't attract traffic between two subnets that are in the same virtual network."

    Is there a way to force a subnet to go through the NVA before it reaches any other subnet (even one of the same vnet) in vWAN ? We would like to avoid if possible the use of UDR because it add complexity in the design and break the “one point of routing management” concept of vWAN.

    As documented here. Azure automatically creates system routes and assigns the routes to each subnet in a virtual network. You can't create system routes, nor can you remove system routes, but you can override some system routes with custom routes. Azure creates default system routes for each subnet, and adds more optional default routes to specific subnets, or every subnet, when you use specific Azure capabilities.

    For your scenario here I think you will have to use UDR in order to route the traffic to the NVA.

    As you mentioned above

    The aim is to force traffic to an NVA (not managed by vWan)

    Just a suggestion, I wonder if this architecture can help you in this case. Where you can route traffic through a network virtual appliance (NVA) for communication between virtual networks and branches by using VNET peering.

    User's image

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    ​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Côme C 36 Reputation points
    2023-10-24T10:05:19.6466667+00:00

    Thank you for your reply.

    I omitted this element in the documentation.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.