Azure VWAAZURE VWAN VPN ( have all of the VPNs route all traffic to virtual network connection (NVA) with exception of one which should be able to route directly to expressroute

Question

AZURE VWAN VPN ( have all of the VPNs route all traffic to virtual network connection (NVA) with exception of one which should be able to route directly to expressroute).....How can this be accomplished? I do not wan't to use Azure Firewall or deploy a firewall in the hub (secure hub)

IE.

VPN1 -> Express Route (Direct) - This is used for Clients to connect via 3rd party SAAS VPN solution. This is already inspected in the cloud and doesn't need to be inspected again by Azure NVA.

VPN2 -> Express Route (VIA NVA using virtual network connection)

VPN3 -> Express Route (VIA NVA using virtual network connection)

VPN4 -> Express Route (VIA NVA using virtual network connection)

Answer 1

Hi @junior , I understand that you are using Virtual WAN, with VPN Gateway and Express Route Gateway in VHub, and you want to have routing for VPN2-4 via NVA (not in VHub).

Your scenario for VPN1 will work, as it's the default behaviour of VHub: route the advertised route directly, as VPN Gateway and VHub is BGP-peered.

Your scenario for VPN2-4 will not work. You can set a static route in VHub, for VPN2-4, go to NVA. But then, from NVA, it needs to go to Express Route Gateway, that is in VHub. Traffic goes back to VHub, and VHub has a static route: for VPN2-4, go to NVA. Routing loop.

It will work in Secure Hub scenario, as the Firewall is in VHub, so it knows the route directly to Express Route Gateway.