Default route pointing to VPN Gateway connection

Question

Default route pointing to VPN Gateway connection

Anonymous

I have an Azure VPN Gateway with an IPSec VPN connection to a remote vpn server. The internal vpn interface is on a GatewaySubnet (zone redundant). I can get the tunnel to come up with the remote server but only see inbound traffic on the Azure side, never any outbound. It's as if the traffic comes in and gets lost. Given the routing that I'm trying to pull off with this configuration, this seems plausible. I need all traffic on the Azure VNet (on which the Azure VPN Gateway resides) to be routed to the remote end of the vpn tunnel. If I associate the GatewaySubnet to a route table, Azure doesn't allow that route table to have a default route. This is true even if the default route type is 'Virtual Network gateway'. I tried with a more specific route but it doesn't impact the one-way traffic described above. All routing is static. How can I establish a default route from VNet subnet(s) -> GatewaySubnet -> Azure VPN Gateway -> Remote VPN endpoint?

KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-04-11T03:57:50.03+00:00
@Anonymous

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I understand that you would like to establish routing between VPN Gateway VNet's subnets and OnPrem.

User-defined routes with a 0.0.0.0/0 destination and NSGs on the GatewaySubnet are not supported. This is by design and we cannot modify this behavior.

Do you want to send Internet traffic to OnPrem?

Can you confirm OnPrem address ranges are routed properly with the current configuration?

Can you try with associating the Route Table to the subnets of the VNet and not the GatewaySubnet itself?

Also, the on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.

Refer : Configure forced tunneling. Let me know if the above helps.

Cheers, Kapil
Anonymous

2023-04-11T12:54:15.46+00:00

I tried breaking the 0.0.0.0/0 route down into two /1 routes as a workaround. This should have the same effect as a default route. Azure accepts it but I still have one-way traffic. Based on your response, it sounds like the GatewaySubnet should not be part of the route table? When using a route type of 'virtual network gateway', is there some kind of black magic involved? How does it know which connection to send the traffic down? Is there a way to add static routes to specific connections that maybe I'm overlooking?
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-04-11T13:28:43.31+00:00
@Anonymous

Attaching 0.0.0.0/1 and 128.0.0.0/1 routes to the GatewaySubnet will not work either.

The NextHopType as VirtualNetworkGateway forces Traffic from VMs to the VPN Gateway.

From the gateway, the connection is selected based on Traffic Selectors.

Wrt, How does it know which connection to send the traffic down?

That is why we mentioned the on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.

Wrt, Is there a way to add static routes to specific connections that maybe I'm overlooking?

The -GatewayDefaultSite is the cmdlet parameter that allows the forced routing configuration to work, so take care to configure this setting properly.

Refer Set-AzVirtualNetworkGatewayDefaultSite

Refer to Step 8 in Configure forced tunneling

$LocalGateway = Get-AzLocalNetworkGateway -Name "DefaultSiteHQ" -ResourceGroupName "ForcedTunneling" $VirtualGateway = Get-AzVirtualNetworkGateway -Name "Gateway1" -ResourceGroupName "ForcedTunneling" Set-AzVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway

Cheers,

Kapil
Anonymous

2023-04-11T15:34:17.5833333+00:00

Thanks for the help so far. One final question: Should GatewaySubnet be in the route table with the other subnets. I seem to think this is necessary so that other subnets can reach the private IP of the VPN Gateway. Maybe setting the route types as 'Virtual Network Gateway' means this isn't needed, though?
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-04-12T12:54:32.89+00:00
@Anonymous Should GatewaySubnet be in the route table with the other subnets

NO, GatewaySubnet should have any route table associated to it

In the other subnets, setting the RouteTable as 0.0.0.0/0 ---> VirtualNetworkGateway will forward default traffic to the VPN Gateway (GatewaySubnet).

From VPN Gateway to your OnPrem, this routing happens based on the negotiated Traffic Selectors.

So, the traffic will be sent into Tunnel which advertises 0.0.0.0/0

No need for RouteTable here

Kindly let us know if this works? Cheers, Kapil
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-04-13T14:57:23.5266667+00:00

@Anonymous

I have summarized our discussion and posted it as an answer for a better visibility across community

I would greatly appreciate if you could accept the answer and close this thread.

Cheers,

Kapil
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-05-11T13:26:20.0633333+00:00

@Anonymous , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.

1 answer

Your answer

KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-04-11T03:57:50.03+00:00

@Anonymous

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I understand that you would like to establish routing between VPN Gateway VNet's subnets and OnPrem.

User-defined routes with a 0.0.0.0/0 destination and NSGs on the GatewaySubnet are not supported. This is by design and we cannot modify this behavior.

Do you want to send Internet traffic to OnPrem?

Can you confirm OnPrem address ranges are routed properly with the current configuration?

Can you try with associating the Route Table to the subnets of the VNet and not the GatewaySubnet itself?

Also, the on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.

Refer : Configure forced tunneling. Let me know if the above helps.

Cheers, Kapil
Anonymous

2023-04-11T12:54:15.46+00:00

I tried breaking the 0.0.0.0/0 route down into two /1 routes as a workaround. This should have the same effect as a default route. Azure accepts it but I still have one-way traffic. Based on your response, it sounds like the GatewaySubnet should not be part of the route table? When using a route type of 'virtual network gateway', is there some kind of black magic involved? How does it know which connection to send the traffic down? Is there a way to add static routes to specific connections that maybe I'm overlooking?
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-04-11T13:28:43.31+00:00

@Anonymous

Attaching 0.0.0.0/1 and 128.0.0.0/1 routes to the GatewaySubnet will not work either.

The NextHopType as VirtualNetworkGateway forces Traffic from VMs to the VPN Gateway.

From the gateway, the connection is selected based on Traffic Selectors.

Wrt, How does it know which connection to send the traffic down?

That is why we mentioned the on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.

Wrt, Is there a way to add static routes to specific connections that maybe I'm overlooking?

The -GatewayDefaultSite is the cmdlet parameter that allows the forced routing configuration to work, so take care to configure this setting properly.

Refer Set-AzVirtualNetworkGatewayDefaultSite

Refer to Step 8 in Configure forced tunneling

$LocalGateway = Get-AzLocalNetworkGateway -Name "DefaultSiteHQ" -ResourceGroupName "ForcedTunneling" $VirtualGateway = Get-AzVirtualNetworkGateway -Name "Gateway1" -ResourceGroupName "ForcedTunneling" Set-AzVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway

Cheers,

Kapil
Anonymous

2023-04-11T15:34:17.5833333+00:00

Thanks for the help so far. One final question: Should GatewaySubnet be in the route table with the other subnets. I seem to think this is necessary so that other subnets can reach the private IP of the VPN Gateway. Maybe setting the route types as 'Virtual Network Gateway' means this isn't needed, though?
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-04-12T12:54:32.89+00:00

@Anonymous Should GatewaySubnet be in the route table with the other subnets

NO, GatewaySubnet should have any route table associated to it

In the other subnets, setting the RouteTable as 0.0.0.0/0 ---> VirtualNetworkGateway will forward default traffic to the VPN Gateway (GatewaySubnet).

From VPN Gateway to your OnPrem, this routing happens based on the negotiated Traffic Selectors.

So, the traffic will be sent into Tunnel which advertises 0.0.0.0/0

No need for RouteTable here

Kindly let us know if this works? Cheers, Kapil
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-04-13T14:57:23.5266667+00:00

@Anonymous

I have summarized our discussion and posted it as an answer for a better visibility across community

I would greatly appreciate if you could accept the answer and close this thread.

Cheers,

Kapil
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-05-11T13:26:20.0633333+00:00

@Anonymous , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.

Answer 1

@Anonymous

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I understand that you would like to establish routing between VPN Gateway VNet's subnets and OnPrem.

User-defined routes with a 0.0.0.0/0 destination and NSGs on the GatewaySubnet are not supported. This is by design and we cannot modify this behavior.

Should you require forced tunneling,

The NextHopType as VirtualNetworkGateway forces Traffic from VMs to the VPN Gateway.
From the gateway, the connection is selected based on Traffic Selectors.
Wrt, How does it know which connection to send the traffic down?
That is why we mentioned the on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.
Wrt, Is there a way to add static routes to specific connections that maybe I'm overlooking?
The -GatewayDefaultSite is the cmdlet parameter that allows the forced routing configuration to work, so take care to configure this setting properly.
Refer Set-AzVirtualNetworkGatewayDefaultSite
Refer to Step 8 in Configure forced tunneling

$LocalGateway = Get-AzLocalNetworkGateway -Name "DefaultSiteHQ" -ResourceGroupName "ForcedTunneling"
$VirtualGateway = Get-AzVirtualNetworkGateway -Name "Gateway1" -ResourceGroupName "ForcedTunneling"
Set-AzVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway

P.S: Attaching 0.0.0.0/1 and 128.0.0.0/1 routes to the GatewaySubnet will not work either.

Additional points to be aware of

In all the subnets except GatewaySubnet, setting the RouteTable as 0.0.0.0/0 ---> VirtualNetworkGateway will forward default traffic to the VPN Gateway (GatewaySubnet).
From VPN Gateway to your OnPrem, this routing happens based on the negotiated Traffic Selectors.
So, the traffic will be sent into Tunnel which advertises 0.0.0.0/0
No need for RouteTable here

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

Default route pointing to VPN Gateway connection

1 answer

Your answer