During on-premises VPN, is it necessary to write a route from hub to spoke?

tayfun tek 66 Reputation points
2023-01-26T11:23:38.7466667+00:00

Greetings everyone,

We have multiple spoke VNets located behind a hub in Azure (each of them peered with the hub VNet). The hub has a VPN gateway and a firewall.

After establishing the VPN connection from on-premises to the Azure hub, we are naturally writing routes for access from the on-premises network to the spoke VNets. In that case, do we also need to write routes in the hub VNet to the spoke VNets? Or is writing a route in the on-premises network that points at the Azure hub firewall enough?

Thanks in advance


Accepted answer
  1. KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee
    2023-01-26T16:27:31.5833333+00:00

    @tayfun tek

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to know if it is required to manually add routes in the Hub Vnet to forward traffic from OnPremises to the Spoke Vnets.

    It is not required. This is automatically handled by the platform.

    However, you will be required to enable gateway transit in virtual network peering between the Hub and the Spoke Vnets.

    This is documented here: Configure VPN gateway transit for virtual network peering

    Also refer to "Virtual network gateway or Route Server" under Manage VNet peering

    Kindly let us know if the above helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.


1 additional answer

  1. Andrew Schull 86 Reputation points Microsoft Employee
    2023-01-26T16:41:43.8166667+00:00

    Hello Tayfun,

    Thank you for reaching out.

    From your question it looks like you are inquiring whether you will need to use custom user-defined routes to route traffic from your hub VNET to the spoke VNETs.

    In Azure, the routes you advertise to your VPN/ExpressRoute gateway are propagated to both the hub and the spoke VNETs. This allows communication from on-premises to the hub and spoke VNETs to work with the default/system routes.

    If you need the spoke VNETs to connect to another spoke, then you will need to force the traffic to a firewall/NVA in your hub VNET. The spokes' routes are not propagated by default to your other spokes.

    I am including a few documents below that cover this scenario in great detail. They are a bit dense so feel free to reply if you have any other questions.

    Virtual network traffic routing

    Hub-spoke network topology in Azure

    Default route injection in spoke VNets

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well. Hope this helps!

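The two settings the answers describe, as an added Bicep example that is not part of the thread or of Microsoft's documentation: gateway transit on the hub-to-spoke peering with "use remote gateways" on the spoke side (accepted answer), and a user-defined route on the spoke that sends the other spoke's prefix to the hub firewall (second answer). The VNet names, the spoke prefix and the firewall private IP are placeholders, the hub is assumed to already contain a VPN gateway, and the route table still has to be associated with the spoke's subnets.

```bicep
// Added example, not from the thread. Names, prefixes and the firewall IP are placeholders.
param firewallPrivateIp string = '10.0.1.4'   // placeholder: Azure Firewall private IP in the hub
param spoke2Prefix string = '10.2.0.0/16'      // placeholder: address space of the other spoke
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: 'hub-vnet'      // placeholder name of the hub VNet that holds the VPN gateway
}
resource spoke1Vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: 'spoke1-vnet'   // placeholder name of one spoke
}
// Hub side of the peering: let the spoke use the hub's VPN gateway (gateway transit).
resource hubToSpoke1 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: hubVnet
  name: 'hub-to-spoke1'
  properties: {
    remoteVirtualNetwork: { id: spoke1Vnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true   // traffic relayed by the hub firewall is accepted
    allowGatewayTransit: true     // the setting the accepted answer refers to
  }
}
// Spoke side: use the hub's gateway, so on-premises routes reach the spoke without a UDR in the hub.
resource spoke1ToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: spoke1Vnet
  name: 'spoke1-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    useRemoteGateways: true       // fails unless the hub side allows gateway transit
  }
}
// Spoke-to-spoke routes are not propagated: send the other spoke's prefix to the hub firewall.
resource spoke1RouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-spoke1'
  location: resourceGroup().location
  properties: {
    disableBgpRoutePropagation: false  // keep the gateway-learned on-premises routes
    routes: [
      {
        name: 'to-spoke2-via-hub-firewall'
        properties: {
          addressPrefix: spoke2Prefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}
```

Setting `disableBgpRoutePropagation` to true on the spoke route table would drop the gateway-learned on-premises routes, so the spoke would then only reach on-premises through whatever explicit routes the table carries.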