How to use a 2nd Express route and redirect some traffic?

Lutz Rahe 61 Reputation points
2021-04-16T01:31:26.82+00:00

Just a question


2 VPCs in Azure with a peering (in both directions)
VPC 1 has also an express route for the connection to on-premise

VPC 2 (new) shall also have an express route, but for different traffic only (video traffic). In VPC 2 are video servers.

My question is: how can I be sure that all video traffic will use Express Route 2? All NON video traffic (e.g. RDP, DNS, Domain traffic, etc.) must use ER 1. Which device can I use to redirect (split) the traffic between the 2 ERs? Is it clever to use the Azure FW in VPC1 to redirect the video traffic back to another gateway?


1 answer

    GitaraniSharma-MSFT 27,251 Reputation points Microsoft Employee
    2021-05-07T11:13:17.533+00:00

    Hello @Lutz Rahe ,

    Below is a summary of our discussion on this topic for you and other community members to refer to:

    Some important points when using multiple ExpressRoute circuits are as follows:

    1. All virtual networks linked to the same ExpressRoute circuit are part of the same routing domain and are not isolated from each other.
    2. When you peer virtual networks that share a single Azure ExpressRoute connection, the traffic between them goes through the peering relationship. That traffic uses the Azure backbone network.
    3. Gateway Transit is a peering property that enables a virtual network to utilize a VPN/ExpressRoute gateway in a peered virtual network. Gateway transit works for both cross premises and network-to-network connectivity.

    So, unless your Vnets are sharing the same ExR connection or using the gateway transit option in Vnet peering, they should route traffic according to the ExR connections they are connected to.

    And if the destinations for the 2 ExR circuits are different, you don't need to use any Firewall for traffic separation. ExpressRoute uses BGP for routing, so it would be something as below:

    Vnet 1 <---> ExR1 <---> On-prem1
    ||
    Vnet 2 <---> ExR2 <---> On-prem2

    Vnet 1 will have BGP routes for On-prem1 only. But since it is peered to Vnet 2, it will also have routes for Vnet 2 to connect over Azure backbone but Vnet1 can never route traffic to On-prem2 and vice versa.

    Please refer to the Cross connecting VNets section in the article below for clarity:
    https://learn.microsoft.com/en-us/azure/expressroute/cross-network-connectivity#cross-connecting-vnets

    Kindly let us know if and when you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
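One way to verify the answer's claim in your own deployment, as an added example that is not part of the original thread: a Python check over constructed samples shaped like `az network vnet peering show` and `az network nic show-effective-route-table` JSON (the field names follow those commands; the Vnet names and the On-prem1/On-prem2 prefixes are assumptions). It flags a peering that lends or borrows an ExpressRoute gateway, and any On-prem2 prefix that a Vnet 1 NIC would send to its own gateway, i.e. over ExR1 instead of ExR2.

```python
import ipaddress

# Constructed sample shaped like `az network vnet peering show` output for Vnet 1 -> Vnet 2.
PEERING_VNET1_TO_VNET2 = {
    "name": "vnet1-to-vnet2",      # assumed peering name
    "allowGatewayTransit": False,  # Vnet 1 does not lend its ExR1 gateway to Vnet 2
    "useRemoteGateways": False,    # Vnet 1 does not borrow Vnet 2's ExR2 gateway
}

# Constructed sample shaped like `az network nic show-effective-route-table` for a NIC in Vnet 1.
EFFECTIVE_ROUTES_VNET1_NIC = [
    {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal", "source": "Default"},
    {"addressPrefix": ["10.2.0.0/16"], "nextHopType": "VNetPeering", "source": "Default"},
    {"addressPrefix": ["192.168.10.0/24"], "nextHopType": "VirtualNetworkGateway",
     "source": "VirtualNetworkGateway"},  # On-prem1, learned via BGP over ExR1
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet", "source": "Default"},
]

ONPREM2_PREFIXES = ["192.168.20.0/24"]  # assumed: video site that must only be reached over ExR2


def peering_findings(peering):
    """Return settings that would let one Vnet ride the other Vnet's ExpressRoute gateway."""
    findings = []
    for prop in ("allowGatewayTransit", "useRemoteGateways"):
        if peering.get(prop):
            findings.append(f"{peering['name']}: {prop} is enabled")
    return findings


def gateway_learned_prefixes(routes):
    """Prefixes the NIC would hand to its Vnet's own ExpressRoute gateway (BGP-learned routes)."""
    return [ipaddress.ip_network(p)
            for r in routes if r["nextHopType"] == "VirtualNetworkGateway"
            for p in r["addressPrefix"]]


def leaked_prefixes(routes, foreign_prefixes):
    """Foreign on-prem prefixes that overlap a gateway-learned route: they would use the wrong circuit."""
    learned = gateway_learned_prefixes(routes)
    return [fp for fp in foreign_prefixes
            if any(ipaddress.ip_network(fp).overlaps(net) for net in learned)]


if __name__ == "__main__":
    print("peering findings:", peering_findings(PEERING_VNET1_TO_VNET2))
    print("On-prem2 prefixes reachable via ExR1:",
          leaked_prefixes(EFFECTIVE_ROUTES_VNET1_NIC, ONPREM2_PREFIXES))
```

Run the same two functions against a NIC in Vnet 2 with the On-prem1 prefixes as the foreign list to confirm the separation holds in the other direction.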
