VPN Gateway advertise more specific routes e.g. subnets via ipsec tunnel to onprem/local gateway

aheilmaier 1 Reputation point
2022-07-12T10:11:13.393+00:00

I am researching how I can propagate more specific routes via Azure VPN gateway to my onprem/local gateway.
As stated in following document:
https://learn.microsoft.com/en-us/answers/questions/749988/bgp-route-filter-on-vpn-gateway-bgp-session-with-o.html

• Advertise more specific prefixes on the VPN BGP session for the VPN-connected network. You can advertise a larger range that encompasses the VPN-connected network over ExpressRoute private peering, then more specific ranges in the VPN BGP session. For example, advertise 10.0.0.0/16 over ExpressRoute, and 10.0.1.0/24 over VPN.

I only get the complete vnet prefix via BGP and VPN, but I need more specific routes via VPN, because the vnet route also gets advertised via ExpressRoute.

A related Q&A states to use a 3rd party NVA, but in Microsoft documentation the advertisement of more specifics is mentioned, but not how to do it.


1 answer

  1. GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2022-07-12T12:39:18.313+00:00

    Hello @aheilmaier ,

    I understand that you would like to know how you can propagate more specific routes via Azure VPN gateway to your onprem/local gateway.

    I believe you are referring to the "Traffic from Azure to on-premises networks" section of the below doc:
    https://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-vpn-private-peering#traffic-from-azure-to-on-premises-networks

    That section talks about how you can influence the routing of traffic from Azure to on-prem networks but the changes or requirements mentioned in it are not done on Azure side. They are done on your on-prem side.

    It says "to ensure that the IPSec path is preferred over ExpressRoute, you should advertise more specific network prefixes on the VPN BGP session", which means you need to advertise more specific prefixes from your on-prem VPN device over the VPN session and advertise less specific prefixes over the ExpressRoute BGP session, so that Azure will receive both routes via BGP but will select the more specific prefix and take the VPN/IPSec path, because Azure always selects a route using the LPM (Longest Prefix Match) algorithm.
    Refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#how-azure-selects-a-route

    By design, the Azure VPN gateways advertise the following routes to your on-premises devices and you cannot exclude these:

    • Your virtual network address prefixes.
    • Address prefixes for each local network gateway connected to the Azure VPN gateway.
    • Routes learned from other BGP peering sessions connected to the Azure VPN gateway, except for the default route or routes that overlap with any virtual network prefix.

    Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#what-address-prefixes-will-azure-vpn-gateways-advertise-to-me

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
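The answer relies on two mechanisms: Azure's longest-prefix-match route selection (which is why a /24 learned over VPN beats a /16 learned over ExpressRoute), and the fixed set of prefixes an Azure VPN gateway advertises to on-premises peers (which is why no more-specific VNet subnet can be pushed out over the VPN session). The following Python model is an added example, not code from this thread or from Microsoft. The route table, the destination addresses and the `next_hop` labels are constructed sample data, and the same-length tie-break (user-defined route, then BGP, then system route) follows the UDR overview linked in the answer.

```python
import ipaddress
from dataclasses import dataclass

# Tie-break for routes with the same prefix length, per the UDR overview
# linked in the answer: user-defined route first, then BGP, then system.
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str    # e.g. "10.0.1.0/24"
    source: str    # "User", "BGP" or "System"
    next_hop: str  # constructed label for where traffic goes, not an Azure field name


def select_route(routes, destination):
    """Pick the effective route for one destination the way Azure does:
    longest prefix match first, route source as the tie-break.
    Returns None when no route covers the destination."""
    dst = ipaddress.ip_address(destination)
    candidates = []
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if dst in net:
            # Higher prefix length wins; among equals, lower priority number wins.
            candidates.append((net.prefixlen, -SOURCE_PRIORITY[r.source], r))
    if not candidates:
        return None
    return max(candidates, key=lambda c: (c[0], c[1]))[2]


def vpn_gateway_advertisements(vnet_prefixes, lng_prefixes, learned_prefixes):
    """Prefixes an Azure VPN gateway sends to on-prem BGP peers, as listed in
    the VPN Gateway FAQ quoted in the answer: every VNet address prefix, the
    prefixes of every connected local network gateway, and routes learned from
    other BGP sessions except the default route and anything overlapping a
    VNet prefix. There is no input here for a more specific subnet of the
    VNet, which is exactly the limitation the question runs into."""
    vnets = [ipaddress.ip_network(p, strict=False) for p in vnet_prefixes]
    out = [str(n) for n in vnets]
    out += [str(ipaddress.ip_network(p, strict=False)) for p in lng_prefixes]
    for p in learned_prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 is never re-advertised
            continue
        if any(net.overlaps(v) for v in vnets):  # overlaps a VNet prefix
            continue
        out.append(str(net))
    return out


# Constructed sample: the VNet's effective routes when on-prem advertises
# 10.0.0.0/16 over ExpressRoute and the more specific 10.0.1.0/24 over the
# VPN BGP session, the pattern the answer describes.
AZURE_ROUTES = [
    Route("10.1.0.0/16", "System", "VnetLocal"),
    Route("10.0.0.0/16", "BGP", "ExpressRoute"),
    Route("10.0.1.0/24", "BGP", "VPN"),
]

if __name__ == "__main__":
    for dst in ("10.0.1.50", "10.0.7.9", "10.1.4.4"):
        r = select_route(AZURE_ROUTES, dst)
        print(f"{dst} -> {r.prefix} via {r.next_hop}")
    # What the VPN gateway tells on-prem: only the whole VNet prefix, the LNG
    # prefix, and non-overlapping learned routes.
    print(vpn_gateway_advertisements(
        ["10.1.0.0/16"], ["192.168.0.0/24"],
        ["0.0.0.0/0", "10.1.2.0/24", "172.16.0.0/12"]))
```

Running it shows 10.0.1.50 leaving over the VPN path and 10.0.7.9 over ExpressRoute, while the advertisement list for the Azure side contains 10.1.0.0/16 as a whole and never a 10.1.x.0/24 subnet, matching the "cannot exclude or add" behaviour the answer describes.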

