Hello,
I am following the instructions here: https://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-vpn-private-peering
There are two sections referring to how to prefer routing over the VPN path vs ExpressRoute:
Traffic from on-premises networks to Azure
For traffic from on-premises networks to Azure, the Azure prefixes are advertised via both the ExpressRoute private peering BGP, and the VPN BGP. The result is two network routes (paths) toward Azure from the on-premises networks:
• One network route over the IPsec-protected path.
• One network route directly over ExpressRoute without IPsec protection.
To apply encryption to the communication, you must make sure that for the VPN-connected network in Figure 1, Azure routes via the on-premises VPN gateway are preferred over the direct ExpressRoute path.
My issue is the following:
Since Azure advertises all VNET ranges over both ExpressRoute and VPN (including the subnet used for the VPN GW private IPs), how do I prevent the tunnels from flapping continuously? My VNET range is 10.0.0.0/16 and I have 2 subnets, 10.0.0.0/24 and 10.0.1.0/24 (for the GW IPs).
On-prem I am only advertising the VPN tunnel GW IPs over the ExpressRoute connection so that I can build the VPN over ExpressRoute. Inside the tunnel I advertise my on-prem ranges.
If I receive the prefix for my tunnel endpoint on both the ExpressRoute underlay and the VPN overlay (I receive 10.0.0.0/16), traffic will ECMP across from on-prem to Azure and collapse the tunnel over and over again from the on-prem side.
How do I prevent Azure from advertising the VPN GW private IPs over the VPN connection (and only over ExpressRoute)? I understand I can't set up any prefix lists; are there any other options to exclude this range (10.0.1.0/24)?
Thanks,
Nick
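A constructed model of the routing problem in this question, added here as an example (not Microsoft's documentation or anything from the thread): it applies longest-prefix match to the on-prem router's view and checks whether the VPN gateway's address would resolve back through the tunnel it terminates. The gateway address 10.0.1.4 and the idea of pinning 10.0.1.0/24 to ExpressRoute with a more specific route on the on-prem side are assumptions, not something the question states.

```python
import ipaddress

# Constructed from the question: Azure sends 10.0.0.0/16 over both the
# ExpressRoute underlay and the VPN overlay; gateway IPs live in 10.0.1.0/24.
VPN_GW_IP = "10.0.1.4"  # assumed VPN gateway private address


def lookup(rib, dst):
    """Longest-prefix match over (prefix, next-hop) entries.

    Returns the set of next-hops for the winning prefix length; more than one
    entry means the router would ECMP across them."""
    dst = ipaddress.ip_address(dst)
    best, hops = -1, set()
    for prefix, next_hop in rib:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            if net.prefixlen > best:
                best, hops = net.prefixlen, {next_hop}
            elif net.prefixlen == best:
                hops.add(next_hop)
    return hops


def tunnel_is_stable(rib, gw_ip=VPN_GW_IP):
    """The tunnel only stays up if its endpoint is reached solely over ExpressRoute."""
    return lookup(rib, gw_ip) == {"expressroute"}


def classify(rib, dst):
    """How on-prem traffic to dst behaves: 'ecmp', 'recursive' (tunnel
    endpoint routed into the tunnel, so it flaps), or the stable next-hop."""
    hops = lookup(rib, dst)
    if len(hops) > 1:
        return "ecmp"
    if hops == {"vpn"} and not tunnel_is_stable(rib):
        return "recursive"
    return next(iter(hops)) if hops else "unreachable"


# Constructed RIBs for the three situations discussed.
# 1) Both paths equal: the /16 is installed twice -> ECMP, as the question describes.
RIB_AS_RECEIVED = [("10.0.0.0/16", "expressroute"), ("10.0.0.0/16", "vpn")]
# 2) VPN preferred for everything: the gateway IP itself now resolves via the tunnel.
RIB_PREFER_VPN = [("10.0.0.0/16", "vpn")]
# 3) Assumed on-prem fix: keep the /16 via VPN but pin the gateway subnet to ExpressRoute.
RIB_PINNED = [("10.0.0.0/16", "vpn"), ("10.0.1.0/24", "expressroute")]
```

Only the third table keeps the tunnel endpoint out of the tunnel; the model shows why filtering on the Azure side is not the only place the more specific route can come from.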