Azure Route Server in one common Vnet connecting VPN and ExpressRoute gateways in seperate Vnets

Question

Azure Route Server in one common Vnet connecting VPN and ExpressRoute gateways in seperate Vnets

Aniket Jagadale 31

Can we deploy Azure Route Server in a common Vnet and the gateways in other separate Vnets as shown in the attached snapshot. If this solution is not right what can be the possible solutions.

Aniket Jagadale 31 Reputation points

2022-02-01T08:16:49.847+00:00

Hi Team,

Please anyone respond on my query.

Thanks,
Aniket.
Marko Alic 0 Reputation points

2023-05-19T18:10:00.6633333+00:00

Azure update.

2 answers

Your answer

Aniket Jagadale 31 Reputation points

2022-02-01T08:16:49.847+00:00

Hi Team,

Please anyone respond on my query.

Thanks,
Aniket.
Marko Alic 0 Reputation points

2023-05-19T18:10:00.6633333+00:00

Azure update.

Answer 1

Is it ok to post a question related to this post? I'm using this post because it perfectly describes the issue. The problem I'm having is that when I peer the Vnet with ARS in it to a Vnet that has ER gateways and/or VPN gateways, the "Use Remote Gateway..." option is greyed out. Because of this, the ARS is not learning routes from the ER and VPN gateways. But your answer above implies that you can set the "Use Remote Gateway" option from the Vnet with ARS deployed. FYI, the Vnet with the gateways in it already has the setting "Use this virtual network's gateway or Route Server" enabled. Thanks!

Answer 2

SaiKishor-MSFT 17,341 Moderator

@Aniket Jagadale Thank you for reaching out to Microsoft Q&A.

From the above NW diagram, I see this may have some glitches. While Azure Route Server (ARS) supports Peering as given here in the FAQ section:

Yes, if you peer a virtual network hosting the Azure Route Server to another virtual network and you enable Use Remote Gateway on the second virtual network, Azure Route Server will learn the address spaces of that virtual network and send them to all the peered NVAs. It will also program the routes from the NVAs into the routing table of the VMs in the peered virtual network.

It still needs NVAs in the Spoke/Hub networks so the ARS can exchange routes. This is because- Azure Route Server only exchanges BGP routes with your NVA. The data traffic goes directly from the NVA to the destination VM and directly from the VM to the NVA.

I think based upon your requirement; you can follow a similar setup as shown in this document but with one ER and one VPN GWs-

Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.

Aniket Jagadale 31 Reputation points

2022-02-02T10:04:07.56+00:00

Thanks @SaiKishor-MSFT for the response. But is there any reference as in how to configure these NVA's with respect to ExpressRoute GW and S2S VPN GW.
SaiKishor-MSFT 17,341 Reputation points Moderator

2022-02-02T21:54:39.133+00:00

@Aniket Jagadale Here you go -https://learn.microsoft.com/en-us/azure/route-server/quickstart-configure-route-server-portal

This document has steps to setup ARS with NVA. Hope this helps.

Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.
Aniket Jagadale 31 Reputation points

2022-02-03T13:33:58.13+00:00

@SaiKishor-MSFT I had gone through the link earlier which you mentioned above but could not find anything related to NVA configuration but I found something related to it in this link https://learn.microsoft.com/en-us/azure/route-server/tutorial-configure-route-server-with-quagga. So can we configure any firewall or any other VM apart from quagga.
SaiKishor-MSFT 17,341 Reputation points Moderator

2022-02-03T19:38:37.453+00:00

@Aniket Jagadale Glad you found the right doc. Yes, you can use any 3rd party NVA. As seen from document,

"Azure Route Server supports not only third-party network virtual appliances (NVA) running on Azure but also integrates seamlessly with ExpressRoute and Azure VPN gateways."

Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.
Aniket Jagadale 31 Reputation points

2022-02-08T16:27:20.097+00:00

Can we use Azure firewall as an NVA if you want to route the traffic coming from Vnets.
SaiKishor-MSFT 17,341 Reputation points Moderator

2022-02-08T19:17:15.847+00:00

Azure Firewall with ARS is not currently supported. Please refer to this Github thread. Please let us know if you have further questions.

Thanks!
Aniket Jagadale 31 Reputation points

2022-02-10T08:24:02.367+00:00

Ok so if I place a Azure firewall after ARS will ARS be able to learn route information from the VNets behind the firewall and exchange it with the other networks. I'll be configuring the firewall rules in normal way so that the traffic passes between the outside networks and VNets bidirectionally. Also note I am not configuring any NVA peering with firewall since it is not supported or any other NVA device in the ARS. Please suggest what can we do here since for us Firewall is a mandatory component.

Please note that the above query is for the setup wherein we are clubbing both S2S VPN Gateway and ExpressRoute Gateway in Gateway subnet.
SaiKishor-MSFT 17,341 Reputation points Moderator

2022-02-10T18:17:35.5+00:00

@Aniket Jagadale Please share a Network Diagram with details if possible so I can discuss about this Network setup with my Internal Team. Thanks!
Aniket Jagadale 31 Reputation points

2022-02-14T08:24:44.607+00:00

Please refer the attached diagram for your reference and which are trying to setup. Also note we have clubbed both the Gateway types i.e. ExpressRoute and S2S VPN Gateways in single Gateway subnet and ARS is not yet deployed. Rest all the components are installed i.e. Firewalls, Vnets, Subnets etc.
SaiKishor-MSFT 17,341 Reputation points Moderator

2022-02-14T17:21:54.353+00:00

@Aniket Jagadale Thank you for sharing this NW Diagram. From your NW diagram and your description, you are saying that you are not deploying a NVA, is that right? As mentioned earlier, you need to have an NVA in place for ARS to be able to exchange BGP routes.
Aniket Jagadale 31 Reputation points

2022-02-15T14:11:41.803+00:00

@SaiKishor-MSFT - We are not going to deploying any NVA as per the above diagram. We will be just using the ARS and Firewall is already installed. So my query was do we need to deploy any NVA between ARS and Firewall for traffic distribution between ARS and Vnets or vice-versa.

Also if NVA is not required will Firewall function in it is normal way and the ARS also get the traffic from all the networks.
SaiKishor-MSFT 17,341 Reputation points Moderator

2022-02-15T22:04:51.447+00:00

@Aniket Jagadale As mentioned, without an NVA, ARS cannot exchange the routes. Therefore, it is must to implement an NVA along with ARS.
Aniket Jagadale 31 Reputation points

2022-02-16T09:13:16.667+00:00

@SaiKishor-MSFT I was going through implementation scenarios for ARS and found this video. In this video they have not configured NVA for a similar kind of setup. Although they have not mentioned anything like Azure firewall in the Azure setup. You can watch the video up to 28:50 https://www.youtube.com/watch?v=uWZNj7fP6CY. Please suggest if this is possible.

Share via

Azure Route Server in one common Vnet connecting VPN and ExpressRoute gateways in seperate Vnets

2 answers

Your answer