In VWAN, how do I completely prevent an internal VNet's route from being advertised in the Default Route table?

Steve Down 96 Reputation points
2022-11-11T13:07:04.61+00:00

I have a pretty straightforward VWAN configuration:

  • VWAN, virtual hub
  • ExpressRoute, S2S, User VPN gateways
  • About 2 dozen virtual networks, spoked to the virtual hub
  • Spokes are associated into 6 or 7 internal VWAN route tables based on application environment
  • All route tables have a default route of 0.0.0.0/0 next hop the firewall in my hub
  • Each route table has individual entries to allow direct connection to private endpoint networks, etc.
  • I am not using propagation at all - well, let me rephrase - All of my spokes propagate to None

Here's what I want - to be able to expose routes to SELECTED spokes in the Default route table.

So, what I've done, in my Default route table, is to add routes to my spokes with a next hop through the firewall.

When I look at effective routes for Default, what I see is the following:

[image: effective routes for the Default route table]

This list is trimmed to omit customer-specific routes that correctly pass through the ExpressRouteGateway.

All of the 10.0.0.0/16 networks are my internal spokes. The ones that have explicit entries in Default appear correctly as passing through the firewall.

However, look at all of the 10.16.x networks whose next hop is the ExpressRouteGateway. I never created route entries for those; they are associated with internal route tables and are specifically set to not propagate.

Are these route entries real? If so, how did they get there, and can I stop this? What I'd really like to avoid is advertising unintended routes over BGP.
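One way to answer "are these entries real?" systematically is to pull the effective routes of the Default route table and diff them against your own inventory: which prefixes you added as static routes, and which prefixes belong to spoke VNets at all. Anything covering spoke address space whose next hop is the ExpressRoute (or S2S VPN) gateway, and which you did not install as a static route, is a prefix the hub learned from a gateway connection rather than from your configuration, and is the set to investigate. The script below is an added example written for this thread, not code from the question or from Azure; it assumes the JSON shape returned by `az network vhub get-effective-routes` (a `value` list with `addressPrefixes`, `nextHops`, `nextHopType`, `routeOrigin`, `asPath`), and the sample routes, spoke address spaces, static routes and AS paths are all constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of `az network vhub get-effective-routes`
# output for the Default route table. Resource IDs are shortened and the
# prefixes / AS paths are invented; they are not captured from a real hub.
SAMPLE_EFFECTIVE_ROUTES = json.dumps({"value": [
    {"addressPrefixes": ["0.0.0.0/0"], "nextHops": [".../azureFirewalls/hub-fw"],
     "nextHopType": "Azure Firewall", "routeOrigin": ".../hubRouteTables/defaultRouteTable", "asPath": ""},
    {"addressPrefixes": ["10.1.0.0/16"], "nextHops": [".../azureFirewalls/hub-fw"],
     "nextHopType": "Azure Firewall", "routeOrigin": ".../hubRouteTables/defaultRouteTable", "asPath": ""},
    {"addressPrefixes": ["10.2.0.0/16"], "nextHops": [".../azureFirewalls/hub-fw"],
     "nextHopType": "Azure Firewall", "routeOrigin": ".../hubRouteTables/defaultRouteTable", "asPath": ""},
    {"addressPrefixes": ["10.16.0.0/16"], "nextHops": [".../expressRouteGateways/hub-ergw"],
     "nextHopType": "ExpressRouteGateway", "routeOrigin": ".../expressRouteGateways/hub-ergw", "asPath": "12076-65010"},
    {"addressPrefixes": ["10.16.5.0/24"], "nextHops": [".../expressRouteGateways/hub-ergw"],
     "nextHopType": "ExpressRouteGateway", "routeOrigin": ".../expressRouteGateways/hub-ergw", "asPath": "12076-65010"},
    {"addressPrefixes": ["192.168.10.0/24"], "nextHops": [".../expressRouteGateways/hub-ergw"],
     "nextHopType": "ExpressRouteGateway", "routeOrigin": ".../expressRouteGateways/hub-ergw", "asPath": "12076-65010"},
]})

# The operator's own inventory (constructed): address spaces of every spoke
# VNet connected to the hub, and the prefixes deliberately added as static
# routes to the Default route table (next hop: the hub firewall).
SPOKE_ADDRESS_SPACES = ["10.1.0.0/16", "10.2.0.0/16", "10.16.0.0/16", "10.17.0.0/16"]
DEFAULT_STATIC_ROUTES = ["0.0.0.0/0", "10.1.0.0/16", "10.2.0.0/16"]

# nextHopType labels as shown in effective routes; assumed values, adjust to
# whatever your hub actually reports.
GATEWAY_NEXT_HOP_TYPES = {"ExpressRouteGateway", "VPN_S2S_Gateway"}


def load_effective_routes(text):
    """Parse the CLI/REST JSON and return the list of effective-route entries."""
    return json.loads(text)["value"]


def _within_any(prefix, spaces):
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(s)) for s in spaces)


def find_spoke_prefixes_via_gateway(routes, spoke_spaces, static_routes):
    """Return (prefix, next_hop_type, as_path) for effective routes that fall
    inside spoke address space but were learned through a hub gateway and
    were NOT installed as a static route. An empty list is the clean state."""
    static = {str(ipaddress.ip_network(p)) for p in static_routes}
    hits = []
    for r in routes:
        if r.get("nextHopType") not in GATEWAY_NEXT_HOP_TYPES:
            continue
        for raw in r.get("addressPrefixes", []):
            p = str(ipaddress.ip_network(raw))
            if p in static or not _within_any(p, spoke_spaces):
                continue
            hits.append((p, r["nextHopType"], r.get("asPath", "")))
    return hits


def spokes_missing_from_table(routes, spoke_spaces):
    """Spoke address spaces that have no effective route at all: the expected
    state for spokes you chose not to expose in this route table."""
    seen = {str(ipaddress.ip_network(p)) for r in routes for p in r.get("addressPrefixes", [])}
    return [s for s in spoke_spaces if str(ipaddress.ip_network(s)) not in seen]


if __name__ == "__main__":
    routes = load_effective_routes(SAMPLE_EFFECTIVE_ROUTES)
    for prefix, hop_type, as_path in find_spoke_prefixes_via_gateway(
            routes, SPOKE_ADDRESS_SPACES, DEFAULT_STATIC_ROUTES):
        print(f"UNEXPECTED spoke prefix {prefix} via {hop_type} (AS path: {as_path or '-'})")
    for s in spokes_missing_from_table(routes, SPOKE_ADDRESS_SPACES):
        print(f"ok: {s} has no route in this table")
```

Run it against real output by replacing `SAMPLE_EFFECTIVE_ROUTES` with the file produced by `az network vhub get-effective-routes` for the Default route table (the command lives in the `virtual-wan` CLI extension), and fill the two inventory lists from your own records. A non-empty `asPath` on a flagged entry is the useful clue: it tells you the prefix arrived over BGP through that gateway, so the place to look is what the far side of that connection is advertising, not the spoke's propagation settings.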


1 answer

  1. Steve Down 96 Reputation points
    2022-11-14T12:08:41.83+00:00

    Gita,

    For your first question - propagations - "Propagate routes from connections to this route table" is set to false, and "Propagate routes from all branch connections to these labels across virtual WAN" is set to "Default".

    The first one seems obvious - don't propagate from spoke connections to the route table. The second one I read as what the branches alone propagate to - is Default wrong for that?

    For the second question, on the Associations tab, "Associate this route table across all connections" is disabled and set to no. The Virtual Networks selection list is set to only the internal VNet connections that participate in this route table. In the summary list below that, each VNet appears associated to the correct route table, but propagating to noneRouteTable.

    For the last question, I read your intent to mean "add static routes for the VNets that I want my branches to be able to reach" to the Default route table, and I have, with a route through my firewall. Aside from setting those routes, I didn't see anything in that article which mentioned preventing Default from propagating. In any case, it shows that branches are associated with Default and propagating to Default.

    The key distinction here is that I'm not listing the address space for ALL of the VNets, I'm listing the address space for only the VNets I want to be contactable. Those appear correctly in the effective routes for the Default route table. It's the networks that I DIDN'T add which are showing up as having a next hop of my ExpressRouteGateway (which would be wrong even if I wanted to advertise a route, which I don't).

    If you'd like more detail, I'm absolutely happy to provide it - but would prefer to do so privately, so that I don't need to sanitize a lot of details.

    Thanks so much for responding!
