Virtual Wan Routing

Question

Virtual Wan Routing

Steven J. Williams 25

My virtual wan hub is connected to multiple vnets that are running various machines. One of those vnets has a Palo Alto vm series running in it. When it comes to routing what does this look like....Do all vnets know their default route is to the Virtual Wan hub gateways? Does each vnet need a default route to the trusted interface of my palo alto? My virtual wan hub is peering BGP with my palo alto, my palo alto is redistributing the default (0.0.0.0/0) route into BGP, why is my virtual wan routers not learning this route and propagating to all vnets?

Do the vnets need to be peered with my firewall vnet as well as the virtual wan hub?

Is there a way to see what routes the virtual wan gateways are learning from my palo alto via bgp?

KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-02-13T06:08:18.7333333+00:00

@Steven J. Williams

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to advertise default route to vHub using NVA as BGP Peering.

You should be able to check the effective routes of a particular VNet connection by checking the Effective Routes section under the vHub and selecting the RouteTable associated with the VnetConnection

For the entire vHub, you should use the defaultRouteTable.

The route should look something like, BGP Transit VNet connectivity

Can you please check and let me know if there is a nextHop for the route 0.0.0.0/0 here?

Cheers,

Kapil
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-02-14T05:58:20.8+00:00

@Steven J. Williams

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil

2 answers

Your answer

KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-02-13T06:08:18.7333333+00:00

@Steven J. Williams

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to advertise default route to vHub using NVA as BGP Peering.

You should be able to check the effective routes of a particular VNet connection by checking the Effective Routes section under the vHub and selecting the RouteTable associated with the VnetConnection

For the entire vHub, you should use the defaultRouteTable.

The route should look something like, BGP Transit VNet connectivity

Can you please check and let me know if there is a nextHop for the route 0.0.0.0/0 here?

Cheers,

Kapil
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-02-14T05:58:20.8+00:00

@Steven J. Williams

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil

Answer 1

Kristoffer 11

This will be rather complex. If I’m understanding correctly your Palo is not within your vHub, but you still wish to route all traffic through The Palo? If so you need to use Source NAT On Palo which can lead to some challenges On your apps. But it is possible.

You need to create a route table in vWAN to distribute to other vNets with a default route to The tursted interface of Palo, source NAT and have return routes based On that source back into The other vNets

Or you could Peer all The othe vNets only to The vNet with Palo and have only The vNet with palo peered to vHub. This requires more work with UDR but you don’t need Source NAT and it is a lot cleaner network wise

Steven J. Williams 25 Reputation points

2023-02-13T05:11:34.9633333+00:00

Source NAT is nothing more than PAT or NAT overload for egress traffic to the internet. If all vnets are peered to the vhub, they wont ever pass through the firewall to talk to each other.

These are assumptions based on my real world networking exp and this voodoo magic networking in Azure. lol

What benefit do you get from peering all the vnets to the palo vnet and then just peering the palo vnet to the vhub?

How would you get your palo alto in your vhub per say?

my vHub as a default route table and the 0.0.0.0/0 route is pointed to the trust interface IP of the palo. I can see pings in my palo from my machines but cannot get out to the internet.
Steven J. Williams 25 Reputation points

2023-02-13T05:11:48.6+00:00

Also why is my vHub router not learning the default route my palo alto is advertising to it? I see the 0.0.0.0/0 network in the Rib-out on the palo to each gateway in the hub but dont see it in the hub default route table?

Answer 2

I think I understand the setup here, you have a vWAN HUB terminating probably VPN and/or ExpressRoute
All vNets are peered to the vHUB

The Palo is intended to filter all traffic to- and from on-premise and between vNets?

I suggest looking at this documentation for such scenarios:

https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nvas-custom

You need to decide if you wish to use the NVA vNet as a HUB where the NVA vnet is the only one peered to the vHub and the rest of the spoke-vNets are connected only to the NVA vNet. This will be the easiest solution and will require less work with routing and NAT. See the documention for this scenario here:

https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nva

Or you could keep all the vNets peered to the vHUB and use managed routes in vHUB to force all traffic through the NVA cluster, but due to the routing here this will require source NAT on the NVAs to allow forwarded traffic not to bee route-looped back to the NVA. e.g

You must also decide if internet egress traffic should be directed out through the NVA to internet

For the second setup:

vHUB 10.0.0.0/24

NVA vNet 10.1.0.0/24

Spoke1 vNet 10.2.0.0/24

Spoke2 vNet 10.3.0.0/24

Routes in vHUB propagated to Spoke1 and Spoke2

0.0.0.0/0 - NextHop - Virtual Appliance NVA Load Balancer IP

Routes propagated to NVA vNet

10.2.0.0/24 - vNet peering Spoke1

10.3.0.0/24 - vNet peering Spoke2

The easiest way to check effective routes is to provision a VM in a spoke vNet and check effective routes on the NIC of the VM

Share via

Virtual Wan Routing

2 answers

Your answer