Azure vWAN routing intent

prasantc 856 Reputation points
2024-05-11T22:35:22.9333333+00:00
  • I attempted to analyze the routing behavior and disruptions when internet routing is activated on a vWAN to Azure's secured hub firewall in a lab setting.
  • The scenario involved a vWAN with a secured hub that lacked internet routing, along with other vnets not linked to the Azure firewall but to a third-party NVA appliance. The goal was to transition everything to a centralized Azure firewall within a vWAN, one step at a time.
  • To simulate this, I deployed an additional firewall in the western US region within the same subscription, encountering some issues with the Azure firewall's internet connectivity.
  • The setup spanned three regions, two separate subscriptions, and two distinct tenants. In one subscription, I set up a vWAN with a secured hub in one region, along with several vnets and subnets for VM-to-VM routing tests, gateways, etc.
  • Tenant B's second subscription mimicked an on-premises setup with a vnet comprising gateway and VM subnets.
  • The CoreVnet in the vWAN region was linked to the vWAN with default route propagation enabled.
  • Subscription A with vWAN had an additional firewall in a different region, directly peered with the core vnet in the vWAN region, with route table propagation activated.
  • However, the Azure firewall in the second region failed to connect to the internet via UDR to the firewall. Despite peering connections and even after setting up a new vnet in the core region with a test VM and UDR to the firewall, the issue persisted.
  • Regarding routing intent, I managed to replicate an on-premises to WAN connection via a VPN gateway and BGP. Before enabling internet routing intent, all connections were stable. Afterward, public access to the on-premises VM was disrupted but later resolved with a firewall NAT rule.
  • Finally, internet browsing issues on the hub subscription's core vnet resources were addressed by deactivating the default route propagation.

I am not sure why the West US subA traffic would not connect to the allow-all rule using a quad-0 route to the NVA in that location. If this had been working, it would have been nice to see how it behaves after the intent on the vWAN gets changed for the Internet-bound traffic.


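For the West US spoke that would not reach the internet through its 0.0.0.0/0 UDR, the useful first check is what the VM's NIC actually sees once the hub's propagated default route and the UDR are merged. The following PowerShell is an added example, not code from the original post; the resource group and NIC names are placeholders.

```powershell
# Added example: inspect the effective route table of a VM NIC and show which
# route wins for 0.0.0.0/0. Names below are placeholders, not from the post.
param(
    [string]$ResourceGroupName = 'rg-westus-test',    # placeholder
    [string]$NicName           = 'vm-westus-test-nic' # placeholder
)

# Requires the Az.Network module; the VM must be running for Azure to compute
# effective routes.
$routes = Get-AzEffectiveRouteTable -ResourceGroupName $ResourceGroupName `
                                    -NetworkInterfaceName $NicName

# Show every route with its origin (Default = system route, User = UDR,
# VirtualNetworkGateway = propagated from the gateway/vWAN hub) and its state.
$routes |
    Select-Object Source, State,
        @{ n = 'Prefix'; e = { $_.AddressPrefix -join ',' } },
        NextHopType, NextHopIpAddress |
    Format-Table -AutoSize

# Isolate the candidates for the default route. With a UDR to the NVA in place,
# the only Active 0.0.0.0/0 entry should have Source = User and
# NextHopType = VirtualAppliance. If a propagated route is Active instead, or
# the UDR shows as Invalid, internet-bound traffic is still heading to the hub.
$default = $routes | Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' }

foreach ($r in $default) {
    '{0,-22} {1,-8} {2,-22} {3}' -f $r.Source, $r.State, $r.NextHopType, $r.NextHopIpAddress
}

$active = $default | Where-Object { $_.State -eq 'Active' }
if (-not $active) {
    Write-Warning 'No active 0.0.0.0/0 route: internet-bound traffic will be dropped.'
}
elseif ($active.NextHopType -ne 'VirtualAppliance') {
    Write-Warning ('Active default route goes to {0}, not the NVA; check the UDR ' +
                   'association and the route table''s "Propagate gateway routes" setting.' `
                   -f $active.NextHopType)
}
```

Running it once with default route propagation enabled on the spoke and once with it disabled shows directly which 0.0.0.0/0 entry the platform picks in each case.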

1 answer

  1. KapilAnanth-MSFT 36,861 Reputation points Microsoft Employee
    2024-05-13T09:22:40.31+00:00

    @prasantc ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    Can you please elaborate on what your requirement here is?

    From your verbatim,

    • You have a vWAN with a secured hub in EastUS with internet routing intent enabled.
    • You have a VNET called CoreVNET in EastUS, and this is connected as a spoke to the SecuredHub of the vWAN.
    • You have a VNET in WestUS with a standalone firewall, and this is connected as a spoke to the SecuredHub of the vWAN.
    • You have an OnPREMVNET mimicking the OnPrem environment.

    Please correct me if my understanding is incorrect.

    Now,

    • Do you want traffic from VNET in WestUS to go to the securedHub's firewall?
    • Or do you want traffic from the VNET in EastUS, i.e., CoreVNET to go to the standalone firewall?

    Cheers,

    Kapil