In a Hub and Spoke architecture, what is the limit of network prefixes learned by Hub?

Question

In a Hub and Spoke architecture, what is the limit of network prefixes learned by Hub?

Cristiano da Silva Azevedo 21

Hello guys,

My question is about ad limits learned in peering between VNETs..

Considering that I can have 1000 private endpoints per VNET, and each of them generates a /32 route to Hub, I would like to know how the limit of routes learned by the Hub would be handled. Please consider a scenario with multiple Spokes making use of hundreds of private endpoints.

I found the documentation below but it wasn't clear to me:

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=%2Fazure%2Fvirtual-network%2Ftoc.json#networking-limits

KapilAnanth-MSFT 14,376 Reputation points Microsoft Employee

2023-05-23T17:20:20.9766667+00:00

@Cristiano da Silva Azevedo

Just checking in to see if you got a chance to review my previous comment.

If this answer has addressed your query, please "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

And, if you have any further query do let us know.

Thanks,

Kapil
KapilAnanth-MSFT 14,376 Reputation points Microsoft Employee

2023-05-24T09:26:18.42+00:00

@Cristiano da Silva Azevedo

Greetings.

Request you to accept the answer and close this thread.

Cheers,

Kapil

KapilAnanth-MSFT 14,376 Reputation points Microsoft Employee

2023-05-23T17:20:20.9766667+00:00

@Cristiano da Silva Azevedo

Just checking in to see if you got a chance to review my previous comment.

If this answer has addressed your query, please "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

And, if you have any further query do let us know.

Thanks,

Kapil
KapilAnanth-MSFT 14,376 Reputation points Microsoft Employee

2023-05-24T09:26:18.42+00:00

@Cristiano da Silva Azevedo

Greetings.

Request you to accept the answer and close this thread.

Cheers,

Kapil

Answer 1

KapilAnanth-MSFT 14,376 Microsoft Employee

@Cristiano da Silva Azevedo

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know the limits regarding no. of routes advertised and learned between a VNet Peering.

I am afraid I did not understand the part, "each of them generates a /32 route to Hub".

I am not aware of this observation.
What actually happens when you create a Private Endpoint in any virtual network is that the default route table of the subnet in which it is created, includes a /32 route with a next hop type of InterfaceEndpoint, not Hub
- And this is done so that the PE's NIC resource can communicate to the PaaS resource (this is all abstracted)
And as for limits for the number of routes learned between Vnets in a Peering, there are no limits
The entire address range of the Spoke VNet will be learned by the Hub VNet should they be connected by VNet Peering.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Cristiano da Silva Azevedo 21 Reputation points

2023-05-17T17:06:42.6866667+00:00

Very grateful for your interest in the topic...

"I am afraid I did not understand the part", each of them generates a /32 route to Hub.

I've seen it happen and it's also documented lol

I've seen over 100x /32 prefixes learned by Hub through Spoke peering where the private endpoint was provisioned.

If you enable network security policies for User-Defined Routes, the /32 routes that are generated by the private endpoint and propagated to all the subnets in its own VNet and directly peered VNets will be invalidated if you have User-Defined Routing, which is useful if you want all traffic (including traffic addressed to the private endpoint) to go through a firewall, since otherwise the /32 route would bypass any other route."

https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-portal

Since I have the answer below, I'm satisfied, however, could you share the Microsoft documentation that mentions this?

o And as for limits for the number of routes learned between Vnets in a Peering, there are no limits

Thank you very much
KapilAnanth-MSFT 14,376 Reputation points Microsoft Employee

2023-05-22T13:12:16.84+00:00
@Cristiano da Silva Azevedo

Apologies for the delay in my response.

What I mean is,

Each Private EndPoint will create a /32 route with a next hop type of InterfaceEndpoint, not Hub

This /32 route, will be, in turn advertised to the Hub Vnet and other Peered VNets from the Spoke VNet.

I would'nt say "generates a /32 route to Hub" as this ambiguous and will lead to confusion.

Now, with respect to Limits,

The Azure platform is designed to accommodate all the Default system routes created with all combinations.

Of course there should be a hard limit set on platform, however, this limit is huge and is not documented publicly.

I shall try to get the rough number internally and share it here, if that's something we can share publicly.

Cheers,

Kapil

Cristiano da Silva Azevedo 21

Sorry, I should have written that it generates a /32 route on directly peered VNETs (eg Hub). Once again thank you very much for the support.

KapilAnanth-MSFT 14,376 Reputation points Microsoft Employee

2023-05-22T13:24:55.45+00:00

@Cristiano da Silva Azevedo

No problem :)

Meanwhile, I would highly appreciate if you could "Accept the answer" if this has helped you

Original posters help the community find answers faster by identifying the correct answer.

Here is how

Cheers,

Kapil

In a Hub and Spoke architecture, what is the limit of network prefixes learned by Hub?

0 additional answers

Activity