multiple express route circuits question

Van Campenhout, Carl 0 Reputation points
2023-05-04T06:39:14.1066667+00:00

I have a customer who uses an ExpressRoute (ER gateways & provider circuit) to connect his on-prem to Azure. The ER is backed by a VPN solution (on VPN gateways) that kicks in when the circuit fails (BGP). The traffic is routed into a hub&spoke design, and full access is given to the spoke vnets via vnet peering and gateway route propagation. So far, so good.

Now, we would like to connect a partner of this customer via another ExpressRoute circuit. However, we want to screen the partner traffic via a firewall instance in our Azure hub (NVA). The question is how I can force the traffic from this circuit into the NVA. Am I able to do this, and how, without altering the flow from on-prem? Can/must I install a second set of ER gateways in order to control this flow (and is this supported)? Can I transit from on-prem to this partner via the Azure hub (ER - Azure - ER)? I couldn't find such a use case :(

thanks,

Carl.

Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.

1 answer

  1. KapilAnanth-MSFT 34,591 Reputation points Microsoft Employee
    2023-05-04T09:48:32.6966667+00:00

    @Van Campenhout, Carl

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you have a single ExpressRoute circuit and a VNet connected to this.

    Now, you want to connect this VNet to a different ExpressRoute circuit (the partner's).

    Let me know if my understanding is incorrect

    Wrt your questions,

    1. We would like to connect a partner of this customer via another express route circuit

    • A single VNet can be connected to different Circuits. So this is technically feasible.
      • Provided the SKU of ExR Gateway and ExR circuit support it
      • Check Gateway Support here
      • Check Circuit support here

    2. Can/must I install a second set of ER gateways in order to control this flow

    • Since you can connect a single gateway to multiple circuits, you do not have to install a second set of ER gateways.
    • A Vnet can only have one ExR Gateway at any given instant.

    3. Can I transit from on-prem to this partner via the Azure hub?

    • Generally, this requirement is met by using ExpressRoute Global Reach
    • The above works for configurations having two different gateways and respective Vnets.
    • For a single gateway connected to multiple ExpressRoute circuits, I will be required to check internally if BGP propagation would happen or not.
    • However, even in your scenario, you should be able to use Global Reach for OnPrem --- Partner transit

    4. We want to screen the partner traffic via a firewall instance in our azure hub (NVA)

    • You will be able to do this.
    • But again, since we have only one Gateway, all the traffic (OnPrem and Partner) needs to be sent to the Firewall NVA.
    • For Partner to Azure
      • Attach a Route table on the Gateway Subnet and forward the traffic with Vnet's range as destination to the Firewall.
      • In the firewall, if the source is from Customer ---> Allow, and if the source is from Partner ---> Validate and then Allow or Deny traffic
    • Similarly, for Azure to Partner
      • Attach a Route table on the VMs and forward the traffic with both Customer's and Partner's range as destination to the Firewall.
      • NOTE : Having only Partner's range as destination would result in asymmetric routing. However, it might work even though it's not recommended.
      • From Firewall, traffic would flow to the Gateway subnet because of system routes.

    I hope I was able to address your queries. These documents may come handy: ExpressRoute Routing

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,
    Kapil

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
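The route-table design in the answer above (a UDR on the GatewaySubnet that sends VNet-bound traffic to the firewall NVA, and a UDR on the VM subnets that sends the customer's and the partner's ranges to the NVA) can be checked for symmetry before it is deployed. The following script is an added example, not code from the thread or from Microsoft: it models Azure's effective-route selection (longest prefix match, then UDR over BGP over System routes) on a small hub with a GatewaySubnet, an NVA subnet and a VM subnet, and traces both directions of a flow to confirm the NVA sees each of them. The address plan, subnet names and the `NvaSubnet` layout are constructed assumptions, and the model omits the default Internet route and peered spokes for brevity.

```python
"""Check that both directions of a partner/on-prem <-> VNet flow pass the hub NVA.

Added example with a constructed address plan; it simulates Azure effective-route
selection and is not an Azure API. The model omits the 0.0.0.0/0 Internet system
route and spoke peerings, which do not change the conclusion for these flows.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed hub layout (assumption, not taken from the thread)
HUB_VNET = "10.0.0.0/16"
SUBNETS = {"GatewaySubnet": "10.0.255.0/24", "NvaSubnet": "10.0.1.0/24", "VmSubnet": "10.0.10.0/24"}
NVA_IP = "10.0.1.4"                  # firewall NVA private IP (hypothetical)
CUSTOMER_ONPREM = "192.168.0.0/16"   # learned over the customer's ExR circuit (BGP)
PARTNER_RANGE = "172.16.0.0/12"      # learned over the partner's ExR circuit (BGP)


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str   # "VirtualNetwork", "VirtualNetworkGateway", or an NVA IP
    source: str     # "UDR", "BGP" or "System"


# Azure tie-break when prefix lengths are equal: UDR beats BGP beats System
SOURCE_PRIORITY = {"UDR": 0, "BGP": 1, "System": 2}


def select_route(routes, dst):
    """Longest-prefix match first, then source priority; None if nothing matches."""
    dst_ip = ip_address(dst)
    matches = [r for r in routes if dst_ip in ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ip_network(r.prefix).prefixlen, SOURCE_PRIORITY[r.source]))


def baseline_routes():
    """System VNet route plus the BGP routes that gateway route propagation installs."""
    return [
        Route(HUB_VNET, "VirtualNetwork", "System"),
        Route(CUSTOMER_ONPREM, "VirtualNetworkGateway", "BGP"),
        Route(PARTNER_RANGE, "VirtualNetworkGateway", "BGP"),
    ]


def build_tables(vm_udr_prefixes):
    """Route tables as the answer describes: the GatewaySubnet UDR forces VNet-bound
    traffic to the NVA; the VM subnet UDR forces the given prefixes to the NVA;
    the NVA's own subnet keeps only System/BGP routes so the NVA never loops to itself."""
    return {
        "GatewaySubnet": baseline_routes() + [Route(HUB_VNET, NVA_IP, "UDR")],
        "NvaSubnet": baseline_routes(),
        "VmSubnet": baseline_routes() + [Route(p, NVA_IP, "UDR") for p in vm_udr_prefixes],
    }


def subnet_of(ip):
    """Name of the hub subnet containing ip, or None if it is outside the VNet."""
    for name, cidr in SUBNETS.items():
        if ip_address(ip) in ip_network(cidr):
            return name
    return None


def trace(tables, ingress_subnet, dst):
    """Follow next hops from a subnet until the packet is delivered inside the VNet
    or handed to the ExpressRoute gateway. Returns the list of hops."""
    hops, subnet = [ingress_subnet], ingress_subnet
    for _ in range(8):  # loop guard
        route = select_route(tables[subnet], dst)
        if route is None:
            return hops + ["DROP"]
        if route.next_hop == "VirtualNetworkGateway":
            return hops + ["ExpressRouteGateway"]
        if route.next_hop == "VirtualNetwork":
            return hops + [subnet_of(dst)]
        hops.append(f"NVA({route.next_hop})")   # forwarded to the NVA, which routes on
        subnet = subnet_of(route.next_hop)
    return hops + ["LOOP"]


def inspected_both_ways(tables, vm_ip, remote_ip):
    """(inbound seen by NVA, outbound seen by NVA); anything but (True, True) is asymmetric."""
    inbound = trace(tables, "GatewaySubnet", vm_ip)   # remote -> VM enters via GatewaySubnet
    outbound = trace(tables, "VmSubnet", remote_ip)   # VM -> remote leaves from the VM subnet
    def seen(path):
        return any(h.startswith("NVA") for h in path)
    return seen(inbound), seen(outbound)


if __name__ == "__main__":
    vm, partner_host, onprem_host = "10.0.10.20", "172.16.5.5", "192.168.1.10"
    recommended = build_tables([CUSTOMER_ONPREM, PARTNER_RANGE])
    partner_only = build_tables([PARTNER_RANGE])   # the configuration the answer warns about
    print("recommended, partner flow  :", inspected_both_ways(recommended, vm, partner_host))
    print("recommended, customer flow :", inspected_both_ways(recommended, vm, onprem_host))
    print("partner-only, customer flow:", inspected_both_ways(partner_only, vm, onprem_host))
```

With the recommended VM-subnet UDR (both ranges to the NVA) each flow reports `(True, True)`. With only the partner's range in the VM-subnet UDR, the customer flow reports `(True, False)`: the GatewaySubnet UDR still pushes the inbound packets through the NVA, but the VM's reply matches the BGP route and goes straight to the gateway, which is exactly the asymmetric path the answer's note describes and which a stateful firewall will typically drop.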