VPN Gateway override BGP routes

Question

VPN Gateway override BGP routes

McGuire, James 20

Hi there,

I'm trying to integrate a third-party firewall into my environment, and I want all traffic sent from Azure across the Express Route Circuit, and all traffic received into Azure from the Express Route Circuit to be directed to the Firewall.

The Express Route circuit is advertising about 85 network ranges to Azure, which are then advertised using BGP to the VPN Gateway, and I asume advertised by the VPN Gateway to the wider Azure infrastructure, which is allowing all of the VNETs to discover the routes?

I am wondering, is it possible to override the BGP routes recieved by the VPN Gateway, and specify a new next-hop of the Firewall IP, so that when they are propagated to the VNets in Azure, I can have them automatically propagate with the correct Hop. Rather than my having to go and create 85 individual UDRs in each VNet?

KapilAnanth-MSFT 49,526 Reputation points Microsoft Employee Moderator

2023-05-05T05:03:03.0633333+00:00

@McGuire, James

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil
KapilAnanth-MSFT 49,526 Reputation points Microsoft Employee Moderator

2023-05-08T07:16:40.6533333+00:00

@McGuire, James

Could you please provide an update on this post?

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Accepted answer

1 additional answer

Your answer

KapilAnanth-MSFT 49,526 Reputation points Microsoft Employee Moderator

2023-05-05T05:03:03.0633333+00:00

@McGuire, James

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil
KapilAnanth-MSFT 49,526 Reputation points Microsoft Employee Moderator

2023-05-08T07:16:40.6533333+00:00

@McGuire, James

Could you please provide an update on this post?

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Answer 1

KapilAnanth-MSFT 49,526 Microsoft Employee Moderator

@McGuire, James

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to configure VPN Gateway to route and receive traffic to a specific NextHop without having to use UDR. (update the BGP settings)

Let me know if my understanding is incorrect.

This should be possible with Azure vWAN.

Either to a Azure Firewall or a third party NVA
Configure routing policies (through Azure Firewall Manager)
Configure routing policies for network virtual appliances (through Virtual WAN portal)

For a normal Hub-Spoke set up, I am not aware of any resource or a setting in the VPN Gateway that can influence the BGP routes/nextHop learned.

Or you can use Azure Route Server

If your main goal is to eliminate UDRs and your NVA supports BGP, you can peer it with Azure Route Server.
But please note that this may require a revamp of your architecture.
With ARS, you can make all traffic be forwarded to the NVA
And you must configure the NVA to route traffic to the VPN Gateway
What is Azure Route Server?

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

McGuire, James 20 Reputation points

2023-05-08T22:24:29.9766667+00:00

Thanks for the feedback.

I'm not using vWAN unfortunately, so it looks like ARS would be the only option. I'm a bit confused by the implementation of ARS. From reading the article, it looks like the way I would use it would be to manually populate a BGP route table in the NVA and propagate this to the ARS which would then broadcast the routes onwards to the VNets. This could potentially work for me if that were possible, but would the routes from the NVA -> ARS -> vNETs take precedence over the routes which propragate from the Express Route -> VPN Gateway as I would want them to override the learned routes from the gateway in order to force the vNETs to send traffic to the NVA rather than directly to the VPN Gateway.

0.0.0.0 doesnt apply here as there are multiple network routes advertised over the Expressroute and they would take precedence over any 0.0.0.0 designation. Additionally my 0.0.0.0 route is already set to go via another destination.

Look forward to reading any further feedback in a few days on my return.
KapilAnanth-MSFT 49,526 Reputation points Microsoft Employee Moderator

2023-05-09T05:24:20.8+00:00

@McGuire, James

In Azure, as a general rule of thumb, longest prefix match is preferred.

Now, in case of same range/prefix, the priority is ExpressRoute.

However, if you could advertise a broader range in ExR and a narrow range via NVA, all traffic would flow to the NVA only.

Cheers,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

Here is how
KapilAnanth-MSFT 49,526 Reputation points Microsoft Employee Moderator

2023-05-15T04:31:00.72+00:00

@McGuire, James

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil
McGuire, James 20 Reputation points

2023-05-15T11:12:42.6+00:00

Ok thanks for your response. It sounds like unfortunately it's not going to be possible as the Express Route advertises over 1000 different routes which are managed by a third-party and I wanted to override them with a broader network range which would reduce the route count down to approximately 85 routes. I don't think I'm going to be able to convince the third party to reconfigure the Expressroute routes unfortunately.

Shame there's no way of forcing this to over-ride the Expressroute learned routes.

Answer 2

Hello James,

Thanks for reaching Q and A platform.

1. If the query was to create a force tunneling for 0.0.0.0/0 then the configuration demands only one Route to be added:

Azure Firewall forced tunneling | Microsoft Learn

2. Since the query is specifically about having a Firewall to route all the Expressroute traffic, then configuration of Secure Hub Firewall with VWAN would be one of the ideal solutions.

User's image

Document: Scenario: Azure Firewall custom routing for Virtual WAN - Azure Virtual WAN | Microsoft Learn

Regards,

Priya Kumar

Share via

VPN Gateway override BGP routes

1 additional answer

Your answer