Route Internet traffic to an NVA via Virtual-HUB

James Vale (jvale) 21 Reputation points
2022-05-10T12:35:49.787+00:00

Hi guys

I am trying to push internet traffic into an NVA attached to a vnet peered with a Virtual-Wan-HUB.
The peer connection works just fine and I already have a static route configured for VPN clients (although this subnet is actually part of the vnet network range)
I have assigned a static route to the peer within the virtual WAN HUB for 0.0.0.0/0 to the ip of the NVA
No other peered networks receive this route.
I cant see the default route in the HUBs routing table.
If a attempt to force this with a static route on the source vnet (also peered to the same hub) it fails, no traffic reaches the NVA

If a create a direct peer between the 2 vnets, effectively bypassing the virtual WAN everything works just fine.

Any suggestions?

Thanks

J

Azure Virtual WAN
Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
182 questions
0 comments No comments
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 46,261 Reputation points Microsoft Employee
    2022-05-11T13:08:14.5+00:00

    Hello @James Vale (jvale) ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand you would like to route Internet traffic to an NVA deployed in a Vnet peered with a Virtual-Wan-HUB.

    As shown in this doc, if you want to route Internet traffic via a NVA deployed in a Vnet connected to the Virtual Hub, you need the following:

    201084-virtualwan-nvarouting.jpg

    • You need to create a custom route table called "RT_NVA" for directing traffic via the NVA, where you will associate the NVA Vnet to make sure it learn routes (static and dynamic via propagation) and then select the peer Vnet to enable propagating routes from the peer Vnet to this route table.
    • Create a custom route table called "RT_VNET" for directing traffic from your peer Vnet to the internet (0.0.0.0/0) via the NVA. VNet-to-VNet traffic will be direct, and not through the NVA. Add a route '0.0.0.0/0' with next hop as the NVA Vnet connection. In the NVA Vnet connection, configure a route for '0.0.0.0/0', and indicate the next hop to be the specific IP of the NVA in that VNet. Associate the peer Vnet to be able to learn the routes. And select the peer Vnet in Propagation to enable propagating routes from the peer Vnet.
    • Edit the default route table, DefaultRouteTable. Add a route '0.0.0.0/0' with next hop as the NVA Vnet connection. In the prior step for the NVA Vnet connection, you would already have configured a route for '0.0.0.0/0', with next hop to be the specific IP of the NVA. Select branches (VPN/ER/P2S) in the association to ensure that on-premises branch connections are associated to the default route table. And select branches (VPN/ER/P2S) in the propagation to ensure that on-premises connections are propagating routes to the default route table.

    NOTE:

    • Portal users must enable 'Propagate to default route' on connections (VPN/ER/P2S/VNet) for the 0.0.0.0/0 route to take effect.
    • PS/CLI/REST users must set flag "enableinternetsecurity" to true for the 0.0.0.0/0 route to take effect.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers

Sort by: Most helpful