Default Route vHub SDWAN NVA to Security NVA

Caldeira Coutinho Diogo 20 Reputation points


We have a vHub with only defaultRouteTable.

Regarding S2S Peers routing:

This vHub has multiple S2S connection peers - some with BGP, some with traffic selectors.
None have the 'Propagate Default Route' option enabled.

Will an UDR to another NVA configured in vHub defaultRouteTable be propagated to all S2S peers?

What mechanism is used by vHub to filter out route?

Regarding vHub SDWAN NVA to Security NVA routing:

We have vHub peering with a Security vNet NVA. Static routing between this NVA and vHub. Currently, no route is configured.

If we deploy SDWAN NVA inside vHub, how can we have SDWAN branches connect to the Internet via this SDWAN NVA, then through the Security vNet NVA?

Best Regards,


Azure Virtual WAN
Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
199 questions
0 comments No comments
{count} votes

Accepted answer
  1. VasimTamboli 4,775 Reputation points

    Hello Caldeira Coutinho Diogo,

    Regarding your questions about routing in Azure Virtual WAN:

    S2S Peers Routing: If your vHub has multiple S2S connection peers, each with different routing configurations, and none of them have the 'Propagate Default Route' option enabled, the route (default route) will not be automatically propagated to these S2S peers. Without the propagation of the default route, the S2S peers will not receive the route to send traffic destined for the internet.

    Filtering Route in vHub: The vHub employs a mechanism to filter out the route. By default, the vHub's route table does not allow the propagation of the default route to the connected S2S peers. This is done to avoid accidentally sending all the traffic from the S2S peers to the internet through the vHub. The default behavior is to rely on explicit routing configurations for traffic forwarding.

    Routing from SDWAN NVA to Security NVA: To enable the SDWAN branches to connect to the internet via the SDWAN NVA within the vHub and then through the Security vNet NVA, you need to configure routing accordingly. Here's a suggested approach:

    a. Deploy the SDWAN NVA inside the vHub. b. Configure the SDWAN NVA with a default route ( pointing towards the Security vNet NVA. c. In the Security vNet, configure the necessary routing to forward traffic from the SDWAN NVA to the internet.

    By setting up the routing as described above, the SDWAN branches will send their internet-bound traffic to the SDWAN NVA within the vHub. The SDWAN NVA will then forward the traffic to the Security vNet NVA, which will further route it to the internet.

    Please note that the specific configuration steps may vary depending on the NVA devices you are using and their capabilities. It's recommended to consult the documentation or support resources provided by the NVA vendors for detailed guidance on setting up this routing scenario.

    0 comments No comments

0 additional answers

Sort by: Most helpful