VPN Gateway override BGP routes

McGuire, James 20 Reputation points

Hi there,

I'm trying to integrate a third-party firewall into my environment, and I want all traffic sent from Azure across the Express Route Circuit, and all traffic received into Azure from the Express Route Circuit to be directed to the Firewall.

The Express Route circuit is advertising about 85 network ranges to Azure, which are then advertised using BGP to the VPN Gateway, and I asume advertised by the VPN Gateway to the wider Azure infrastructure, which is allowing all of the VNETs to discover the routes?

I am wondering, is it possible to override the BGP routes recieved by the VPN Gateway, and specify a new next-hop of the Firewall IP, so that when they are propagated to the VNets in Azure, I can have them automatically propagate with the correct Hop. Rather than my having to go and create 85 individual UDRs in each VNet?

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,425 questions
Azure ExpressRoute
Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.
337 questions
{count} votes

Accepted answer
  1. KapilAnanth-MSFT 38,791 Reputation points Microsoft Employee

    @McGuire, James

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to configure VPN Gateway to route and receive traffic to a specific NextHop without having to use UDR. (update the BGP settings)

    Let me know if my understanding is incorrect.

    This should be possible with Azure vWAN.

    For a normal Hub-Spoke set up, I am not aware of any resource or a setting in the VPN Gateway that can influence the BGP routes/nextHop learned.

    Or you can use Azure Route Server

    • If your main goal is to eliminate UDRs and your NVA supports BGP, you can peer it with Azure Route Server.
    • But please note that this may require a revamp of your architecture.
    • With ARS, you can make all traffic be forwarded to the NVA
    • And you must configure the NVA to route traffic to the VPN Gateway
    • What is Azure Route Server?

    Kindly let us know if this helps or you need further assistance on this issue.



1 additional answer

Sort by: Most helpful
  1. Priya Kumar 1,096 Reputation points Microsoft Employee

    Hello James,


    Thanks for reaching Q and A platform.


    1.       If the query was to create a force tunneling for then the configuration demands only one Route to be added:

    Azure Firewall forced tunneling | Microsoft Learn

    2.       Since the query is specifically about having a Firewall to route all the Expressroute traffic, then configuration of Secure Hub Firewall with VWAN would be one of the ideal solutions.

    User's image

    Document: Scenario: Azure Firewall custom routing for Virtual WAN - Azure Virtual WAN | Microsoft Learn


    Priya Kumar

    0 comments No comments