Azure Virtual Wan with S2S VPN tunnel and Express Route

Steven J. Williams 25

I currently have a virtual wan with a single hub that has connectivity of Express route and S2S vpn. The site to site vpn terminates to my on prem Palo Alto and my express route circuits come into my Datacenter switches and peers BGP with my core switches and those switches peer iBGP with my Palo Alto. The issue I am seeing is my Palo Alto is preferring S2S VPN tunnel routes over my express route. How can you use S2S vpn tunnel as back and not actively advertise routes over it until Express fails or how can make advertised routes over VPN tunnel look less preferred?

GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee

2023-02-08T12:08:00.02+00:00

@Steven J. Williams , Just checking in to see if you had a chance to see the previous response “by @Luke Murray ”. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

By default, Azure Virtual WAN prefers ExpressRoute over VPN for traffic egressing Azure.

Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-faq#does-virtual-wan-prefer-expressroute-over-vpn-for-traffic-egressing-azure

But to ensure that the traffic destined to Azure from on-premises also prefers ExpressRoute path over the Site-to-site VPN, you need to configure the local preference of the routes that are received through the ExpressRoute private peerings greater than those of VPN routes. This way, you can make the traffic that is destined for Azure prefer the ExpressRoute circuit.

Refer: https://learn.microsoft.com/en-us/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering?WT.mc_id=AZ-MVP-5004796#configuring-for-symmetric-traffic-flow

If you have any further questions, do let us know.
Steven J. Williams 25 Reputation points

2023-02-08T15:21:13.5466667+00:00

So the strange thing is my palo alto BGP local RIB sees VPN route for my network as local pref 80 and ones coming from my core switches attached to express route as 120...so in theory traffic should go back toward ER. Palo Alto support is telling me that the VPN routes will always be chosen over the Express route routes due to the VPN being eBGP vs the iBGP peering to my cores that hold the ER. I am not sure I believe that because in the Cisco world, when a router receives two routes from BGP, rather its eBGP or iBGP or Both, AD never comes in play and always BGP best path selection which is weight, local pref, etc, etc.

So thats why I was seeing if anyway to influence routes advertised from Virtual WAN Hub.

Accepted answer

Luke Murray 10,526 Reputation points MVP

2023-02-08T03:10:31.4333333+00:00

Try making the routes for the express route a bit more specific then the S2S routes.

Also, take a look at the local preference:

"The default local preference of the CE routers and firewalls in our on-premises setup is 100. So, by configuring the local preference of the routes that are received through the ExpressRoute private peerings greater than 100, we can make the traffic that is destined for Azure prefer the ExpressRoute circuit."
Please sign in to rate this answer.
Luke Murray 10,526 Reputation points MVP

2023-02-08T18:35:07.97+00:00

Is the hub preference set to express route?

https://learn.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing-preference
Sign in to comment

1 additional answer

Steven J. Williams 25 Reputation points

2023-02-09T15:03:21.3133333+00:00

The ultimate issue was, even after setting local pref, was an incorrect vnet peering to both Virtual Wan Hub and third-party vendor firewall vnet. Thanks for the help.
Please sign in to rate this answer.
Luke Murray 10,526 Reputation points MVP

2023-02-09T18:28:43.5233333+00:00

Thanks for letting us know, Steven! Glad you got it sorted.
Sign in to comment