![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 66%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.
342 questions
Hello @Romain ,
You have an existing hub with an Express route gateway connected to two different DC from two different express route circuits and you would like to know how to advertise routes learned by one express route circuit to another to connect both the DCs to each other via Express Route and also perform network filtering between the two express route circuits with an Azure Firewall.
As mentioned in the Express Route FAQ,
Can routes from the on-premises network get filtered? The only way to filter or include routes is on the on-premises edge router. User-defined routes can be added in the VNet to affect specific routing but is only static and not part of the BGP advertisement.
Also, if you want to connect your DC networks via the ExpressRoute service, then you've to enable Global Reach.
ExpressRoute Global Reach is a connection between 2 ExpressRoute circuits and your cross data-center traffic traverses through Microsoft's network backbone from one Microsoft edge router to the other Microsoft edge router. This traffic will not traverse through the ExpressRoute gateway or the Vnet, so network filtering through Azure Firewall on the Vnet will not be possible.
https://video2.skills-academy.com/en-us/azure/expressroute/expressroute-global-reach
https://video2.skills-academy.com/en-us/azure/expressroute/expressroute-faqs#globalreach
So, the setup you are looking for is not possible using just ExpressRoute circuits.
The only possible solution to achieve your requirement is via Azure Virtual WAN.
Azure Virtual WAN has an option called Branch-to-branch which would fit your requirement.
Branches can be connected to an Azure virtual WAN hub using ExpressRoute circuits and/or site-to-site VPN connections. You can connect the branches to the virtual WAN hub that is in the region closest to the branch.
Branch-to-branch option lets enterprises leverage the Azure backbone to connect branches.
The traffic follows the below pattern:
branch device ->ISP->Microsoft network edge->Microsoft DC (hub VNet)->Microsoft network edge->ISP->branch device
The routing capabilities in a virtual hub are provided by a router that manages all routing between gateways using Border Gateway Protocol (BGP).
Refer: https://video2.skills-academy.com/en-us/azure/virtual-wan/about-virtual-hub-routing
Routing Intent and Routing Policies allow you to configure the Virtual WAN hub to forward Internet-bound and Private (Point-to-site VPN, Site-to-site VPN, ExpressRoute, Virtual Network and Network Virtual Appliance) Traffic to an Azure Firewall, Next-Generation Firewall Network Virtual Appliance (NGFW-NVA) or security software-as-a-service (SaaS) solution deployed in the virtual hub.
There are two types of Routing Policies: Internet Traffic and Private Traffic Routing Policies.
The one that you need is Private Traffic Routing Policy.
When a Private Traffic Routing Policy is configured on a Virtual WAN hub, all branch and Virtual Network traffic in and out of the Virtual WAN Hub including inter-hub traffic is forwarded to the Next Hop Azure Firewall, Network Virtual Appliance or SaaS solution resource.
In other words, when a Private Traffic Routing Policy is configured on the Virtual WAN Hub, all branch-to-branch, branch-to-virtual network, virtual network-to-branch and inter-hub traffic is sent via Azure Firewall, Network Virtual Appliance or SaaS solution deployed in the Virtual WAN Hub.
Refer: https://video2.skills-academy.com/en-us/azure/virtual-wan/how-to-routing-policies
Transit connectivity between ExpressRoute circuits within Virtual WAN is provided through two different configurations. Because these two configurations are not compatible, customers should choose one configuration option to support transit connectivity between two ExpressRoute circuits.
- ExpressRoute Global Reach: ExpressRoute Global Reach allows two Global Reach-enabled circuits to send traffic between each other directly without transiting the Virtual Hub.
- Routing Intent private routing policy: Configuring private routing policies allows two ExpressRoute circuits to send traffic to each other via a security solution deployed in the hub.
The one which fits your requirement is the second option (Routing Intent private routing policy).
To enable ExpressRoute to ExpressRoute transit connectivity via a Firewall appliance in the hub with private routing policies, open a support case with Microsoft Support.
Note that this option is not compatible with Global Reach and requires Global Reach to be disabled to ensure proper transit routing between all ExpressRoute circuits connected to Virtual WAN.
Refer: https://video2.skills-academy.com/en-us/azure/virtual-wan/how-to-routing-policies#expressroute
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.