Azure Route Server - ExpressRoute - NVA

Nathan Farrar 67 Reputation points
2022-07-28T13:31:28.067+00:00

Looking to develop a dynamic routing architecture. I'd like to remove the need to use UDRs if possible.

The goal is to have an on-premises data center connect to an Azure spoke VNet via an ExpressRoute and through an NVA in a hub VNet. I've used Azure Route Server to peer with the NVA so it can learn all VNets and provide a default route without using UDRs. The issue I'm expecting is asynchronous routing.

I know that we can use a UDR on the GatewaySubnet to direct incoming traffic to the NVA first, then the traffic would be forwarded to the spoke subnet.

But return traffic is the issue, since I want the NVAs to learn new VNets and ExpressRoute prefixes:

Here is where I think the issue will be:

  • The spoke VNets will learn ExpressRoute prefixes via the VNet peering (Route Server can't control this)
  • A 0.0.0.0/0 will also be learned from the NVAs (Via the Route Server)
  • The ExpressRoute prefixes will always take precedence
  • Return traffic will bypass the NVA and go directly to the GatewaySubnet and out the ExpressRoute

Without additional control, I don't see that it is possible to control the return routes without placing static UDR routes at each of the spokes to override the ExpressRoute-learned routes. Using the UDRs makes the Route Server less useful. It'll help the NVAs learn the VNets and ExpressRoute prefixes, but we can't prevent ExpressRoute prefixes from being advertised directly to the spoke VNets via the VNet peering, so we have to use UDRs and always make sure we have any new routes for the on-premises data center added manually.

Thoughts?
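The route-selection behaviour the question walks through (longest prefix wins, so an ExpressRoute prefix beats the NVA's 0.0.0.0/0 in the spoke, and only a UDR overrides it) can be modelled directly. This is an added example, not code from the original post or from Azure; the prefixes, the NVA address 10.0.1.4 and the effective-route entries are constructed, and Route Server-injected routes are simplified to the same BGP source as ExpressRoute routes.

```python
# Toy model of Azure effective-route selection for a spoke subnet.
# All prefixes, next hops and route entries below are constructed.
import ipaddress
from dataclasses import dataclass

# Azure applies longest-prefix match first; only on a tie does the route
# source decide: User (UDR) beats BGP (VirtualNetworkGateway) beats Default.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

@dataclass(frozen=True)
class Route:
    prefix: str          # e.g. "192.168.0.0/16"
    source: str          # "User", "VirtualNetworkGateway" (BGP) or "Default"
    next_hop_type: str   # "VirtualAppliance", "VirtualNetworkGateway", ...
    next_hop_ip: str = ""

def select_route(routes, destination):
    """Return the effective route for `destination`, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # Longest prefix first; on equal length the more preferred source wins.
    return min(candidates, key=lambda r: (
        -ipaddress.ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]))

# Constructed effective routes of a spoke subnet: the on-prem /16 is learned
# through peering with "Use Remote Gateway"; the default route comes from the
# NVA via Route Server (modelled here as BGP-sourced, an assumption).
SPOKE_ROUTES = [
    Route("10.1.0.0/16", "Default", "VnetLocal"),
    Route("10.0.0.0/16", "Default", "VNetPeering"),
    Route("192.168.0.0/16", "VirtualNetworkGateway", "VirtualNetworkGateway"),
    Route("0.0.0.0/0", "VirtualNetworkGateway", "VirtualAppliance", "10.0.1.4"),
]

# The static UDR the question names as the workaround: send on-prem return
# traffic to the (hypothetical) NVA at 10.0.1.4 instead of the gateway.
ONPREM_UDR = Route("192.168.0.0/16", "User", "VirtualAppliance", "10.0.1.4")

def return_path_next_hop(with_udr):
    """Next hop a spoke VM uses to reach a constructed on-prem host."""
    routes = SPOKE_ROUTES + ([ONPREM_UDR] if with_udr else [])
    r = select_route(routes, "192.168.10.5")
    return (r.next_hop_type, r.next_hop_ip)

if __name__ == "__main__":
    print("no UDR  :", return_path_next_hop(False))  # bypasses the NVA
    print("with UDR:", return_path_next_hop(True))   # forced through the NVA
```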


1 answer

  1. GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2022-07-29T11:07:25.557+00:00

    Hello @Anonymous,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have a hub-spoke model on Azure and it is connected to your on-premises via ExpressRoute. You have an NVA in your hub VNet for routing the on-prem traffic via the NVA and used Azure Route Server to peer with the NVA so it can learn all VNets and provide a default route without using UDRs, but you are facing an asymmetric routing issue.

    Could you please confirm that the VNet peering between hub and spoke VNets has the "Use Remote Gateway" option enabled on the spoke VNet peering?
    Refer: https://learn.microsoft.com/en-us/azure/route-server/route-server-faq#does-azure-route-server-support-virtual-network-peering

    I also checked internally and found that there was a known issue where, when the NVA advertises a default route to Route Server, this route is propagated to the hub VNet but not to the spoke VNets. But it looks like a fix was already rolled out by the Product Group team.

    If your VNet peering is configured correctly with the "Use Remote Gateway" option enabled and you are still facing this issue, it may require a deeper investigation, so if you have a support plan, I request you file a support ticket; else please do let us know, and we will try and help you get one-time free technical support.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

