Use Azure as transit between site connected to Express route and SASE cloud

slacky 0

Is it possible to use Azure as a transit between two sites connected to Azure via express route and an SDWAN cloud connecting via DTLS tunnel from a NVA firewall to cloud.

The hub vnet has route table with default route pointing at the firewall NVA LAN side with IP forwarding configured.

What is the best way to have sites A and B (connected to Azure with express route) communicate to site C and D using Azure as transit.

Can this be done with simple UDR routes or do I need a route server?

Appreciate your support

Thanks

Slacky

Blank diagram - Page 4

1 answer

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-02-03T05:18:10.2333333+00:00

@slacky

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know if you could use Azure as a Transit between your OnPrem Sites.

I believe you should go ahead with Route Server for the above configuration to work.

Wrt SiteA and SiteB,

Consider, ExpressRoute Global Reach

San Francisco as SiteA, London as SiteB and 10.0.3.0/24 as Azure.

In case you want Site A and Site B to directly talk with each other, you can go ahead with ExpressRoute Global Reach

However, should you require connectivity across all the sites A,B,C,D to use Azure as Hub, I suggest you go ahead with Route Server or Virtual WAN (with Branch to Branch enabled).

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.
slacky 0 Reputation points

2023-02-03T08:23:11.4366667+00:00

Thanks for taking the time providing such a comprehensive response.

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-02-03T08:27:08.67+00:00

@slacky

You are most welcome 😄

Glad we could be of service.

Cheers,

Kapil

slacky 0 Reputation points

2023-02-04T01:50:28.03+00:00

Span this up in the lab as a test (with IPSec connecting site A and B to VNG) but I am unable to get a ping to transit Azure.

BGP was configured between both the NVA to route server, and iBGP enabled (from branch-to-branch setting) between LNG to VNG. Routing looks good from both ends, but unable to get traffic to traverse Azure.

A ping from site A to Site C looks to enter VNG IPSec tunnel but I never see it reach the NVA on packet capture of LAN. The only routing anomaly I can see is that from the VNG route table shows a next-hop of the NVA, with the advertised peer shown as the route server. I was expecting the next-hop to be the route server.

Not sure if the VNG having next-hop for site C directly via NVA is the issue here. In traditional networks I would expect iBGP next-hop-self to be an option to ensure the traffic returns via the route server.

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-02-06T04:01:31.1066667+00:00

@slacky

I take it that you are using S2S to connect A and B to Azure as opposed to your initial verbatim of using ExpressRoute since it is a Test Environment.

I believe you are referring to the "BGP Peers" section of the VPN gateway to check the routes.

"The only routing anomaly I can see is that from the VNG route table shows a next-hop of the NVA, with the advertised peer shown as the route server"

This observation is not correct.

Azure Route Server only exchanges BGP routes with your NVA. The data traffic goes directly from the NVA to the destination VM and directly from the VM to the NVA.

Here are some follow-up questions I would like to know,

Is the Route Server, the VPN Gateway and the NVA in the same Vnet?

Are you advertising 0.0.0.0/0 via the NVA to the network?
If so, is it possible if you can only advertise the C's address range into the network?

Please make sure there is no NSG blocking in the NVA (as you were expecting the traffic to come via Route Server)

Let me know how it goes.

Cheers,

Kapil

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-02-08T07:07:26.2766667+00:00

@slacky ,

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Thanks,

Kapil
Sign in to comment