Not getting internet once I apply a route table with destination 0.0.0.0/0 with next hop virtual network gateway

Anurag M 0

Hi Team,

I have a azure connectivity with express route from onpremises

and having two Vnets in Azure

Vnet1 which has VPN gateway deployed
Vnet2 peered with Vnet1 and having all my VM's
created a subnet2 on Vnet2

I would like to route all my internet access of Vnet2 (from subnet2 in vnet2) towards my on premises firewall.

I have applied a route table on subnet 2 with below configuration

Address prefix : 0.0.0.0/0

Next hop type : VirtualNetworkGateway

problem here is outbound internet is not working once I apply a route table on subnet and effective routes shows this way from VM nic interface:

Note: All private network is routed and able to see in the onprem firewall but the public routes are not reaching to onpremises firewall

Capture

Can you please help me how to route entire internet to onpremises firewall

Regards,

Anurag,

2 answers

ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee

2023-08-29T23:47:34.7133333+00:00

@Anurag M

Welcome to the Microsoft Q&A Forum.

As documented here you must use BGP to advertise on-premises routes to the Microsoft Edge router. You can't specify a virtual network gateway created as type ExpressRoute in a user-defined route because with ExpressRoute, you must use BGP for custom routes.

This User Defined Route from your screenshot above is not supported.

You must use BGP to advertise on-premises routes to the Microsoft Edge router. You can't create user-defined routes to force traffic to the ExpressRoute virtual network gateway if you deploy a virtual network gateway deployed as type: ExpressRoute. In this case you will have to advertise a route with the 0.0.0.0/0 prefix via BGP.

As documented here default routes are permitted only on Azure private peering sessions. In such a case, ExpressRoute routes all traffic from the associated virtual networks to your network.

Just an FYI Advertising default routes will break Windows and other VM license activation. For information about a work around, see use user defined routes to enable KMS activation.

Hope this helps! Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Anurag M 0 Reputation points

2023-08-30T05:53:51.4466667+00:00

Hi ChaitanyaNaykodi-MSFT,

Thank you so much for detailed information, If we can not route the default 0.0.0.0/0 to virtual network gateway which is blocking the internet

as suggested in BGP , can you guide me where exactly I can configure to route all my internet traffic towards onprem fortigate firewall

the route I am looking for is

outbound internet>express route gateway>onprem fortigate firewall which is providing internet

I need some guidance on BGP to advertise on-premises routes to the Microsoft Edge router. and also not getting option to check the routes on VPN gateway , is there any other method to check the routing details on Virtual network gateway .

for a note I am able to check routes on network interface of VM but not able to check on Virtual network gateway to check the public request is reaching to gateway or not

If I am looking for the case which is not possible please suggest with right approach

all my requirement is when I access internet from the vm from spoke subnet it should route to onprem firewall beyond equinix instead of default system routed Internet

Regards,

Anurag

ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee

2023-08-31T02:34:19.99+00:00

@Anurag M

Thank you for getting back.

Based on your questions above.

I need some guidance on BGP to advertise on-premises routes to the Microsoft Edge router. and also not getting option to check the routes on VPN gateway , is there any other method to check the routing details on Virtual network gateway .

You can run this PowerShell Command Get-AzVirtualNetworkGatewayLearnedRoute to get the routes learned by an Azure virtual network gateway. You can use Azure Cloud Shell to run this command from Azure Portal.

as suggested in BGP , can you guide me where exactly I can configure to route all my internet traffic towards onprem fortigate firewall

You should advertise this default route (0.0.0.0/0) from your on-prem BGP peered device which will direct the traffic to the on-prem FortiGate firewall. Currently we have this document which has few examples on how to set up prefixes to be advertised over the BGP session for the on-prem device. As this is an on-prem setting you can reach out to your provider or the on-prem device vendor for additional details and exact commands.

Hope this helps! Please let me know if you have any additional questions and we will continue with our discussion. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Anurag M 0 Reputation points

2023-08-31T21:12:57.7266667+00:00

@ChaitanyaNaykodi-MSFT

Hi Thank you somuch for the details,

Changes I have done is:

removed the route table 0.0.0.0/0 with next hopto Vitual network Gateway

now the internet is routed to system defined Internet and it is not passwing through express routes

but I have observed that the express route circuit learned the routes of 0.0.0.0/8 to equinix private peeing BGP IP address

and when I check the on premises fortigate firewall the route is showing as 0.0.0.0/0

can you please help why the 0.0.0.0/0 route is not showing in azure express route circuit and it is showing in onprem fortigate routes

Regards,

Abhilash

ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee

2023-08-31T23:55:21.1166667+00:00

@Anurag M

Thank you for getting back.
Based on the statement above

but I have observed that the express route circuit learned the routes of 0.0.0.0/8 to equinix private peeing BGP IP address

Actually, not exactly sure why a default route 0.0.0.0/0 will be advertised as 0.0.0.0/8. To troubleshoot the exact issue I think we will need specialized 1:1 session, where a support engineer can have a screen share session to pin point the issue. If you have a support plan you may file a support ticket, else could you please send an email to azcommunity@microsoft.com with the below details.

Subject : Attn Chaitanya

Thread URL: Link to this thread.

Subscription ID

Please let me know once you have done the same.

Anurag M 0 Reputation points

2023-09-25T15:19:59.04+00:00

Hi Chaitanya,

Thanks a lot for your help, I have removed the UDR (static route) on Subnet which was applied through route table and able to get internet routing towards on-premises firewall but now I am facing another issue

on the effective routes of network interface it is showing two different next hops for each address space:

Example:

Address Prefix Next hope Next hop IP address

0.0.0.0/0 Virtual network gateway 10.X.X.33

0.0.0.0/0 Virtual network gateway 10.X.X.34

It is not only for default prefix for all the routes it shows the two different Next hop IP address

Is this expected behavior ?

Regards,

Anurag

ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee

2023-09-28T01:45:08.4733333+00:00

@Anurag M

Thank you for getting back.

I think this is an expected behavior, I am assuming the IP addresses above 10.X.X.33 and 10.X.X.34 are associated with your Virtual Network Gateway subnet and Express route circuit is configured in active-active mode.

In this case, as documented here an ExpressRoute circuit has multiple routing domains/peerings associated with it: Azure public, Azure private, and Microsoft. Each peering is configured identically on a pair of routers (in active-active or load sharing configuration) for high availability. Azure services are categorized as Azure public and Azure private to represent the IP addressing schemes.

Also as documented here Microsoft network is configured to operate the primary and secondary connections of ExpressRoute circuits in active-active mode. However, through your route advertisements, you can force the redundant connections of an ExpressRoute circuit to operate in active-passive mode. Advertising more specific routes and BGP AS path prepending are the common techniques used to make one path prefer over the other.

Hope this helps! Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Sign in to comment
Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

Not getting internet once I apply a route table with destination 0.0.0.0/0 with next hop virtual network gateway

2 answers