Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.
323 questions
Azure Hub to Hub Vnet Peering
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 17%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bohac, Stanislav
0
Reputation points
Dear Microsoft Q&A,
I have a Hub & Spoke topology which includes 2 Hub & Spokes. When I attach route table to Express Route gateway /subnet, the injected routes are not being propagated to On-Prem network.
Details: The objective is communicate via VNet peering, while having in one "hub" Azure Firewall and in other Express Route gateway.
As seen on attached sketch:
Hub1 knows network of Hub2 due to network peering. Hub2 knows network of Hub1 due to network peering.
In order to enable access of devices "on-prem" to Spoke1 network via ExpressRoute and Hub1 Firewall, I have attached route table to ExpressRouteGateway subnet with configuration:
10.0.1.0/24 (spoke1) Virtual Network Appliance 10.0.2.4 (Hub1 FW instance) with assumption this will be propagated to on-prem.
However, my UDR is not propagated by the ExpressRoute gateway. BGP settings is enabled on ExpressRouteGateway as well as on Route Table.
Would you have any advise on such topology/configuration?
{count} votes
-
Bohac, Stanislav 0 Reputation points
2024-04-25T21:46:00.4166667+00:00 Any additional information can be provided
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 23,031 Reputation points Microsoft Employee2024-04-26T03:51:39.0966667+00:00 Thank you for reaching out.
As mentioned in the Azure routing documentation,
ER route propagation can be disabled on a subnet using a property on a route table. When you disable route propagation, the system doesn't add routes to the route table of all subnets with Virtual network gateway routes. This process applies to both static routes and BGP routes. Connectivity with VPN connections is achieved using custom routes with a next hop type of Virtual network gateway. Route propagation shouldn't be disabled on the GatewaySubnet. The gateway will not function with this setting disabled.
Propagate gateway routes: If you plan to associate the route table to a subnet in a virtual network that's connected to your on-premises network through a VPN gateway, and you don't want to propagate your on-premises routes to the network interfaces in the subnet, set Virtual network gateway route propagation to Disabled.
Can you please confirm if are propagating the gateway routes? Thanks
-
Bohac, Stanislav 0 Reputation points
2024-04-26T04:26:03.8266667+00:00 Hello,
thank you for your answer.
As written in my original post and on the sketch, Gateway propagation is enabled on ER Gateway as well as on the Route Table attached to GatewaySubnet.
My expectation was, with this option enabled, there UDR to be propagated by ER Gateway to On-Prem, but it is not happening.
-
ChaitanyaNaykodi-MSFT 23,031 Reputation points Microsoft Employee
2024-05-03T20:57:28.82+00:00 Thank you for getting back and apologies for the delay in getting back here.A few observations from the network diagram above.
- From the diagram we could not locate the route which will allow the communication from the spoke vnet to the on-prem network via NVA. Can you please confirm if this route was configured?
- In addition to this can you please try getting BGP routes as shown here and see if you are able to see any issue with the route has been advertised?
Thanks!
Sign in to comment