How to route trafic from VPN S2S towards new ExpressRoute setup

Question

Hello All,

I've a current setup on Azure (hub and spoke architecture) where on my hub i've one Azure Firewall, a virtunal network gateway (VPN) to reach my on-premise and peerings between spokes vnets and hub vnet. I've also UDR defined on subnets (propage gateway route is ON) to enforce the trafic to go to the firewall and then go out via the VPN.

I've a route table also on gatewaysubnet to route incoming trafic from on-prem towards azure firewall.

Currently the setup is working fine, as from all spokes vnet i can reach on-premise

We've decide to implement expressroute, the circuit is now provisionned and i've configure private peering, but i'm stuck now how can i route the trafic to go to express route instead of VPN as we want to keep VPN as backup of expresroute and as far i a know (based on MS docs) vpn virtual network gateway should be deleted and recreated.

What's the best approach to do that and reduce the downtime ?

Thanks a lot

Kind gards,

Answer 1

@RL ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I see you are trying to set up ExpressRoute and Site-to-Site coexisting scenario

This document can come in handy : ExpressRoute and Site-to-Site coexisting

Make sure you review the limits and meet the requirements

• You must deploy a ExpressRoute Gateway in the GatewaySubnet
  • This ExR Gateway will then link your VNET to the ExR Circuit
• The existing VPN gateway must be a route-based VPN gateway and should not be of Basic SKU.
• The gateway subnet must be /27 or a shorter prefix, such as /26, /25

Now when it comes to routing,

From Azure to OnPrem :

• You must understand how Azure selects a route first
  • Azure always selects a route based on longest prefix match algorithm
  • E.g., 10.0.0.0/24 is more specific than 10.0.0.0/16 and if VPN advertises 10.0.0.0/24 - Azure will select VPN as nextHop
• This means, to have ExR as your primary hop, you must advertise a more specific route via the ExR and a bigger generic route over the VPN
  • i.e., Advertise 10.0.0.0/24 over ExR and 10.0.0.0/16 over VPN
  • This way, by default ExR is preferred.
  • However, if ExR fails, Azure would route traffic via VPN (as 10.0.0.0/24 is contained within 10.0.0.0/16 )
• NOTE : When both advertise the same route, ExpressRoute circuit is preferred over Site-to-Site VPN

From OnPrem to Azure:

• This is totally controlled by you and your OnPrem Networking team
• Your local network configuration should also prefer the ExpressRoute circuit over the Site-to-Site VPN
• You can prefer the ExpressRoute path by setting higher local preference for the routes received by the ExpressRoute depending upon your OnPrem Router/VPN Device.
• NOTE : Make sure OnPrem prefers ExR, else you will face asymmetrical routing

Now, to address your queries :

1.as far i a know (based on MS docs) vpn virtual network gateway should be deleted and recreated.

• This depends
• As long as you meet the requirements, you do not have to redeploy the VPN Gateway
  • Typically, you incur no downtime when adding a new gateway or gateway connection.
• However, if the requirements are not met - yes you have to recreate the VPN Gateway with a supported SKU in a GatewaySubnet of size /27 or a shorter prefix (such as /26 or /25).

2.What's the best approach to do that and reduce the downtime ?

• The best approach would be the straight forward approach with a scheduled maintenance window (over a weekend or when the traffic across S2S is expected to be very low)
• See : Configure coexisting connections for an already existing VNet
  • You can also consider recreating the S2S in a single maintenance window and observe the environment first
  • Post this, continue to deploy ExR over a separate maintenance window

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

---

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.