Not getting internet once I apply a route table with destination 0.0.0.0/0 with next hop virtual network gateway

Question

Not getting internet once I apply a route table with destination 0.0.0.0/0 with next hop virtual network gateway

Anurag M 0

Hi Team,

I have a azure connectivity with express route from onpremises

and having two Vnets in Azure

Vnet1 which has VPN gateway deployed
Vnet2 peered with Vnet1 and having all my VM's
created a subnet2 on Vnet2

I would like to route all my internet access of Vnet2 (from subnet2 in vnet2) towards my on premises firewall.

I have applied a route table on subnet 2 with below configuration

Address prefix : 0.0.0.0/0

Next hop type : VirtualNetworkGateway

problem here is outbound internet is not working once I apply a route table on subnet and effective routes shows this way from VM nic interface:

Note: All private network is routed and able to see in the onprem firewall but the public routes are not reaching to onpremises firewall

Capture

Can you please help me how to route entire internet to onpremises firewall

Regards,

Anurag,

Answer 1

ChaitanyaNaykodi-MSFT 15,806 Microsoft Employee

@Anurag M

Welcome to the Microsoft Q&A Forum.

As documented here you must use BGP to advertise on-premises routes to the Microsoft Edge router. You can't specify a virtual network gateway created as type ExpressRoute in a user-defined route because with ExpressRoute, you must use BGP for custom routes.

User's image

This User Defined Route from your screenshot above is not supported.

You must use BGP to advertise on-premises routes to the Microsoft Edge router. You can't create user-defined routes to force traffic to the ExpressRoute virtual network gateway if you deploy a virtual network gateway deployed as type: ExpressRoute. In this case you will have to advertise a route with the 0.0.0.0/0 prefix via BGP.

As documented here default routes are permitted only on Azure private peering sessions. In such a case, ExpressRoute routes all traffic from the associated virtual networks to your network.

Just an FYI Advertising default routes will break Windows and other VM license activation. For information about a work around, see use user defined routes to enable KMS activation.

Hope this helps! Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Anurag M 0 Reputation points

2023-08-30T05:53:51.4466667+00:00

Hi ChaitanyaNaykodi-MSFT,

Thank you so much for detailed information, If we can not route the default 0.0.0.0/0 to virtual network gateway which is blocking the internet

as suggested in BGP , can you guide me where exactly I can configure to route all my internet traffic towards onprem fortigate firewall

the route I am looking for is

outbound internet>express route gateway>onprem fortigate firewall which is providing internet

I need some guidance on BGP to advertise on-premises routes to the Microsoft Edge router. and also not getting option to check the routes on VPN gateway , is there any other method to check the routing details on Virtual network gateway .

for a note I am able to check routes on network interface of VM but not able to check on Virtual network gateway to check the public request is reaching to gateway or not

If I am looking for the case which is not possible please suggest with right approach

all my requirement is when I access internet from the vm from spoke subnet it should route to onprem firewall beyond equinix instead of default system routed Internet

Regards,

Anurag
ChaitanyaNaykodi-MSFT 15,806 Reputation points Microsoft Employee

2023-08-31T02:34:19.99+00:00

@Anurag M

Thank you for getting back.

Based on your questions above.

I need some guidance on BGP to advertise on-premises routes to the Microsoft Edge router. and also not getting option to check the routes on VPN gateway , is there any other method to check the routing details on Virtual network gateway .

You can run this PowerShell Command Get-AzVirtualNetworkGatewayLearnedRoute to get the routes learned by an Azure virtual network gateway. You can use Azure Cloud Shell to run this command from Azure Portal.

as suggested in BGP , can you guide me where exactly I can configure to route all my internet traffic towards onprem fortigate firewall

You should advertise this default route (0.0.0.0/0) from your on-prem BGP peered device which will direct the traffic to the on-prem FortiGate firewall. Currently we have this document which has few examples on how to set up prefixes to be advertised over the BGP session for the on-prem device. As this is an on-prem setting you can reach out to your provider or the on-prem device vendor for additional details and exact commands.

Hope this helps! Please let me know if you have any additional questions and we will continue with our discussion. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Anurag M 0 Reputation points

2023-08-31T21:12:57.7266667+00:00

@ChaitanyaNaykodi-MSFT

Hi Thank you somuch for the details,

Changes I have done is:

removed the route table 0.0.0.0/0 with next hopto Vitual network Gateway

now the internet is routed to system defined Internet and it is not passwing through express routes

but I have observed that the express route circuit learned the routes of 0.0.0.0/8 to equinix private peeing BGP IP address

and when I check the on premises fortigate firewall the route is showing as 0.0.0.0/0

can you please help why the 0.0.0.0/0 route is not showing in azure express route circuit and it is showing in onprem fortigate routes

Regards,

Abhilash
ChaitanyaNaykodi-MSFT 15,806 Reputation points Microsoft Employee

2023-08-31T23:55:21.1166667+00:00

@Anurag M

Thank you for getting back.
Based on the statement above

but I have observed that the express route circuit learned the routes of 0.0.0.0/8 to equinix private peeing BGP IP address

Actually, not exactly sure why a default route 0.0.0.0/0 will be advertised as 0.0.0.0/8. To troubleshoot the exact issue I think we will need specialized 1:1 session, where a support engineer can have a screen share session to pin point the issue. If you have a support plan you may file a support ticket, else could you please send an email to azcommunity@microsoft.com with the below details.

Subject : Attn Chaitanya

Thread URL: Link to this thread.

Subscription ID

Please let me know once you have done the same.
Anurag M 0 Reputation points

2023-09-25T15:19:59.04+00:00

Hi Chaitanya,

Thanks a lot for your help, I have removed the UDR (static route) on Subnet which was applied through route table and able to get internet routing towards on-premises firewall but now I am facing another issue

on the effective routes of network interface it is showing two different next hops for each address space:

Example:

Address Prefix Next hope Next hop IP address

0.0.0.0/0 Virtual network gateway 10.X.X.33

0.0.0.0/0 Virtual network gateway 10.X.X.34

It is not only for default prefix for all the routes it shows the two different Next hop IP address

Is this expected behavior ?

Regards,

Anurag

Answer 2

Hi ChaitanyaNaykodi-MSFT,

Thank you so much for detailed information, If we can not route the default 0.0.0.0/0 to virtual network gateway which is blocking the internet

as suggested in BGP , can you guide me where exactly I can configure to route all my internet traffic towards onprem fortigate firewall

the route I am looking for is

outbound internet>express route gateway>onprem fortigate firewall which is providing internet

I need some guidance on BGP to advertise on-premises routes to the Microsoft Edge router. and also not getting option to check the routes on VPN gateway , is there any other method to check the routing details on Virtual network gateway .

for a note I am able to check routes on network interface of VM but not able to check on Virtual network gateway to check the public request is reaching to gateway or not

If I am looking for the case which is not possible please suggest with right approach

all my requirement is when I access internet from the vm from spoke subnet it should route to onprem firewall beyond equinix instead of default system routed Internet

Regards,

Anurag

Not getting internet once I apply a route table with destination 0.0.0.0/0 with next hop virtual network gateway

2 answers

Activity