Site-to-Site VPN connection over ExpressRoute private peering - how to prevent tunnel from flapping?

Nick 0 Reputation points
2023-03-21T04:45:52.7733333+00:00

Hello,

I am following the instructions here: https://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-vpn-private-peering

There are two sections referring to how to prefer routing over the VPN path vs ExpressRoute:

Traffic from on-premises networks to Azure

For traffic from on-premises networks to Azure, the Azure prefixes are advertised via both the ExpressRoute private peering BGP, and the VPN BGP. The result is two network routes (paths) toward Azure from the on-premises networks:

• One network route over the IPsec-protected path.

• One network route directly over ExpressRoute without IPsec protection.

To apply encryption to the communication, you must make sure that for the VPN-connected network in Figure 1, Azure routes via the on-premises VPN gateway are preferred over the direct ExpressRoute path.

My issue is the following:

Since Azure advertises all VNET ranges over both ExpressRoute and VPN (including the subnet used for the VPN GW private IPs), how do I prevent the tunnels from flapping continuously? My VNet range is 10.0.0.0/16 and I have 2 subnets, 10.0.0.0/24 and 10.0.1.0/24 (for the GW IPs).

On-prem I am only advertising the VPN tunnel GW IPs over the ExpressRoute connection so that I can build the VPN over ExpressRoute. Inside the tunnel I advertise my on-prem ranges.

If I receive the prefix for my tunnel endpoint on both the ExpressRoute underlay and the VPN overlay (I receive 10.0.0.0/16), traffic will ECMP across from on-prem to Azure and collapse the tunnel over and over again from the on-prem side.

How do I prevent Azure from advertising the VPN GW private IPs over the VPN connection (and only over ExpressRoute)? I understand I can't set up any prefix lists; is there any other option to exclude this range (10.0.1.0/24)?

Thanks,

Nick


2 answers

  1. risolis 8,721 Reputation points
    2023-03-21T05:13:37.72+00:00

    Hello @Nick

    Thank you for posting this concern on this community space.

    I was reading your case scenario description and I would like to share the following points below:

    - Please read this relevant note:


    - Direct yourself to this link:

    https://learn.microsoft.com/en-us/azure/virtual-network/manage-route-table#create-a-route-table

    I hope that can be useful for you.

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. KapilAnanth-MSFT 44,311 Reputation points Microsoft Employee
    2023-03-21T05:54:03.5433333+00:00

    @Nick

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you are in the middle of configuring IPsec over ExpressRoute.

    As of now,

    • We do not have an option to control the BGP prefixes advertised from VNet to the OnPrem.
    • The entire VNet range will be advertised and this is by design.

    Now, in your case,

    • You must configure your OnPrem to prefer VPN over the ExpressRoute.
    • This can be done by not using ECMP and giving a higher precedence to the VPN connection/device from your end.
    • Or by advertising a more specific range over the VPN Connection from your end. Doing so, Azure will always prefer this path.
    • For example, if your OnPrem VPN device has a private IP of 10.5.0.1, then advertising individual ranges, such as 10.5.0.0/24, 10.5.1.0/24, via the VPN Connection should make the VPN path the preferred connection.

    I see you are advertising a more specific range via ExpressRoute; I believe this is the issue.

    Rather, advertising a wider range over ExpressRoute and a narrower range via the VPN once it has been established should resolve this.


    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
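As an added illustration (not from the question or either answer) of why the tunnel flaps and how the on-prem-side mitigation works, the following models the on-prem router's route selection with longest-prefix match plus a local preference tie-break. The gateway private IP 10.0.1.4 and the preference values are constructed assumptions; the 10.0.0.0/16 VNet and 10.0.1.0/24 gateway subnet are the ranges from the question.

```python
import ipaddress

# Constructed example: the on-prem router's view. Azure advertises the whole VNet
# over both the ExpressRoute underlay and the VPN overlay, as stated in the thread.
VNET = ipaddress.ip_network("10.0.0.0/16")
GW_SUBNET = ipaddress.ip_network("10.0.1.0/24")     # subnet holding the VPN GW private IPs
GW_PRIVATE_IP = ipaddress.ip_address("10.0.1.4")    # constructed tunnel endpoint address

def route(prefix, via, pref=100):
    """One learned route: destination prefix, outgoing path, local preference."""
    return {"prefix": ipaddress.ip_network(prefix), "via": via, "pref": pref}

def lookup(rib, dst):
    """Longest-prefix match, then highest local preference. Everything left over is
    the ECMP set the router would spread flows across."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in rib if dst in r["prefix"]]
    if not matches:
        return []
    best_len = max(r["prefix"].prefixlen for r in matches)
    longest = [r for r in matches if r["prefix"].prefixlen == best_len]
    best_pref = max(r["pref"] for r in longest)
    return [r for r in longest if r["pref"] == best_pref]

def paths(rib, dst):
    """Sorted names of the paths a destination would be forwarded over."""
    return sorted(r["via"] for r in lookup(rib, dst))

def tunnel_recurses(rib, gw_ip=GW_PRIVATE_IP):
    """True if any selected path to the tunnel endpoint is the tunnel itself, i.e. the
    IPsec packets would be sent into the tunnel they are supposed to carry (flapping)."""
    return any(r["via"] == "vpn" for r in lookup(rib, gw_ip))

# Situation from the question: same /16 over both paths with equal preference, so the
# traffic towards 10.0.1.4 is ECMP'd and part of it enters the tunnel.
FLAPPING_RIB = [route(VNET, "expressroute"), route(VNET, "vpn")]

# Mitigation applied on-prem (Azure cannot filter its advertisements): prefer the VPN
# path for workload traffic, but pin the gateway subnet to the ExpressRoute underlay
# with a more specific route so longest-prefix match keeps the tunnel endpoint out of
# the tunnel regardless of what arrives over the VPN BGP session.
PINNED_RIB = [
    route(VNET, "expressroute", pref=100),
    route(VNET, "vpn", pref=200),
    route(GW_SUBNET, "expressroute", pref=100),
]
```

Running `tunnel_recurses` on each table shows the first one recursing through the tunnel and the second one sending only the gateway subnet over ExpressRoute while ordinary VNet traffic takes the encrypted path.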

