Advertise RFC1918 subnets from Azure to Express Route question

Shane DT 60

Hi everyone,

I have ExpressRoute (ER) that uses our existing WAN circuit to Azure. Based on the MS document, it's called Any-to-Any (IPVPN) for the ExpressRoute connectivity model in my case. The ER connection is up; from our WAN router's BGP routing table I can see both the primary and secondary Azure BGP peer subnets.

The 100.95.20.24/30 (primary) and 100.95.20.28/30 (secondary) are from the Azure portal.

WAN-Router1# sh ip route bgp

B 100.95.20.24/30 [20/0] via 100.97.15.2, 3d

B 100.95.20.28/30 [20/0] via 100.97.15.2, 3d

WAN-Router1#

To look for those BGP peer subnets (primary and secondary), they're under Azure portal-> ExpressRoute circuits->CompanyER circuit ->Overview->Azure private (Status Provisioned)

I currently have VPN site-to-site configured between on-premise and Azure; the VPN works fine.

How do I advertise our Azure's RFC1918 subnets into ER from Azure so our on-premise WAN router can see them?

How do I coexist ER with the current VPN connection? I prefer ER over a VPN connection. Our gateway subnet is /27

Thanks

KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee

2023-10-20T05:13:58.2933333+00:00
@Shane DT

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to configure ExpressRoute and site-to-site coexistence

Looking at your verbatim,

Subnet used for the primary link : 100.95.20.24/30

Subnet used for the secondary link : 100.95.20.28/30

The VPN Gateway exists and you have successfully created a S2S Connection between OnPrem and Azure VPN

How do I advertise our Azure's RFC1918 subnets into ER from Azure so our on-premise WAN router can see them?

This should be automatic

Did you connect the virtual network to this circuit? If not, please follow the below

To troubleshoot,

Did you deploy a ExpressRoute VNET Gateway in the VNET?

https://video2.skills-academy.com/en-us/azure/expressroute/expressroute-howto-add-gateway-portal-resource-manager

In case of co-existence, you should deploy two VNET gateways in the GatewaySubnet

One of type "VPN"

And other of type "ExpressRoute"

Please go through the Limits and limitations

ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU

The gateway subnet must be /27 or a shorter prefix, such as /26, /25, or you receive an error message when you add the ExpressRoute virtual network gateway.

Now, Link the virtual network to this circuit

https://video2.skills-academy.com/en-us/azure/expressroute/expressroute-howto-linkvnet-portal-resource-manager#connect-a-virtual-network-to-a-circuit---same-subscription

Once done, the Gateway would advertise the VNET's address range to the Circuit

The circuit, in turn will send the traffic to OnPrem via BGP

Cheers,

Kapil
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee

2023-10-23T05:41:46.6333333+00:00

@Shane DT

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
Shane DT 60 Reputation points

2023-10-23T13:26:23.7166667+00:00
Hi @KapilAnanth-MSFT

Yes, I have. Thanks for the suggestion. I've been thinking about it but I don't quite understand.

I currently have 2 VNETs in Azure. One VNET is where I have virtual firewalls and it's called 'Firewalls-VNET'. This Firewalls-VNET has a gateway subnet /27 which I used for Site-to-site VPN.

The second VNET is called 'Servers-VNET' which I have all the VMs in there.

I used VNET peering to link between 'Firewalls-VNET' and 'Servers-VNET', so the servers go thru the firewalls to on-prem traffic and vice versa.

I currently have one VNET gateway and it's for VPN connection.

I have questions:

If it requires creating a new VNET gateway for ExpressRoute(ER), do I need to create a new VNET for it? or carve out a subnet /24 inside 'Firewalls-VNET'? My goal is that we want traffic that coming in or out of Azure VMs to pass thru the current firewalls in Azure.

You mentioned 'In case of co-existence, you should deploy two VNET gateways in the GatewaySubnet' Yes, I want co-existence for ER and VPN S2S connections, does that mean I need to create a new VNET gateway and use the existing gateway subnet /27 which is used for the S2S connection for new VNET gateway of ER? if that is a 'Yes' please disregard my question #1 above. If that

Thanks!
Shane DT 60 Reputation points

2023-10-23T13:27:13.6933333+00:00
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee

2023-10-23T13:46:33.4233333+00:00
@Shane DT

Thanks for sharing your architecture.

Wrt,

#1.

If it requires creating a new VNET gateway for ExpressRoute(ER), do I need to create a new VNET for it? or carve out a subnet /24 inside 'Firewalls-VNET'?

No, you should use the same GatewaySubnet of 'Firewalls-VNET'

Both the ExpressRoute gateway and the VPN gateway should be deployed in the same GatewaySubnet.

My goal is that we want traffic that coming in or out of Azure VMs to pass thru the current firewalls in Azure.

Aren't you already doing this with VPN gateway connections?

If not, I would say first configure the co-existence and configure firewall routing.

#2.

You mentioned 'In case of co-existence, you should deploy two VNET gateways in the GatewaySubnet' Yes, I want co-existence for ER and VPN S2S connections, does that mean I need to create a new VNET gateway and use the existing gateway subnet /27 which is used for the S2S connection for new VNET gateway of ER? if that is a 'Yes' please disregard my question #1 above.

Yes.

Create a new VNET gateway of type ExpressRoute and It should use the existing GatewaySubnet.

Cheers,

Kapil
Shane DT 60 Reputation points

2023-10-23T15:59:20.51+00:00
@KapilAnanth-MSFT

Aren't you already doing this with VPN gateway connections?

Yes, it's already doing it for the current VPN connection. I want to get it doing that for the ER connection as well.

While creating the VNET gateway for ER, under the drop-down list of Virtual Network, the drop-down list has other VNETs as well as the 'Firewalls-VNET', other VNETs it says 'Can be associated to virtual network gateway', only ' Firewalls-VNET' it says 'Cannot be associated to virtual network gateway' but it allows me to select 'Firewalls-VNET', is that normal?

On the same page of creating a VNET gateway for ER, regarding the public IP address portion, should I select 'Use Existing' or 'Create new'?

Thanks.
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee

2023-10-23T16:24:11.07+00:00
@Shane DT

I am not sure about the 'Cannot be associated to virtual network gateway' part.

Could be a Portal validation error.

Please make sure you are complying with the Limits and Requirements such as

Only route-based VPN gateway is supported

ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU

The Gatewaysubnet must be /27 or a shorter prefix, such as /26, /25, or you receive an error message when you add the ExpressRoute virtual network

Wrt Public IP,

If you have an existing public IP in that region, you can choose it

Or create a new one

Also, if this is production set up,

I would recommend you to deploy a test environment and make sure you are able to deploy this setup

See if the portal validation error shows up here or not.

Cheers,

Kapil
Shane DT 60 Reputation points

2023-10-24T03:27:08.14+00:00

@KapilAnanth-MSFT

A few hours ago,, I just created VNET Gateway for ER and use the existing GatewaySubnet /27 that I currently use for VPN. For the public IP address, i chose to create a new one.

Then I followed this this URL to link VNET to the circuit. https://video2.skills-academy.com/en-us/azure/expressroute/expressroute-howto-linkvnet-portal-resource-manager#connect-a-virtual-network-to-a-circuit---same-subscription

It's been a few hours, and I still don't see my on-prem router receiving prefixes of Azure from BGP. Did I miss anything?

Thanks.
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee

2023-10-25T05:13:08.4766667+00:00
@Shane DT

Is the connectivity still not up?

May I know was this ExpressRoute Circuit previously working?

Being linked to a different VNET Gateway?

If yes, is your OnPREM learning the routes from this old VNET Gateway's VNET?

Or is this the first VNET Gateway you are connecting to this circuit?

What you can do to troubleshoot is,

Check if the BGP status is established or not

Refer : Validate BGP and routes on the MSEE

Run the command Get-AzExpressRouteCircuitRouteTable and check the BGP routes

Make sure your VNET's Range and OnPrem range are available in the "Network" and the "NextHop" corresponds to the GatewaySubnet's IP and OnPrem IP Correspondingly.

Now, to check from the VNET Gateway, use

Get-AzVirtualNetworkGatewayLearnedRoute

Please share the results of the above
Shane DT 60 Reputation points

2023-10-25T16:21:17.3966667+00:00
@KapilAnanth-MSFT

Is the connectivity still not up? Yes, the connection under ExpressRoute is shown Status 'Succeed', so i assume it's up. Our on-prem router still shows the connection is up and sees BGP subnets of Azure but still not seeing RFC1918 subnets (VNETs) of Azure.

Or is this the first VNET Gateway you are connecting to this circuit? This is the first VNET gateway that I connect to this circuit. We only have VPN that has been working for us from on-prem to Azure.
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee

2023-10-25T16:38:04.8233333+00:00
@Shane DT

Please check the following from Azure.

Refer : Validate BGP and routes on the MSEE

Run the command Get-AzExpressRouteCircuitRouteTable and check the BGP routes

Make sure your VNET's Range and OnPrem range are available in the "Network" and the "NextHop" corresponds to the GatewaySubnet's IP and OnPrem IP Correspondingly.

Now, to check from the VNET Gateway, use

Get-AzVirtualNetworkGatewayLearnedRoute

Cheers,

Kapil
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee

2023-10-31T05:05:41.4133333+00:00

@Shane DT

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
Shane DT 60 Reputation points

2023-10-31T22:58:41.19+00:00

@KapilAnanth-MSFT

Yes, I can see the routes, and it works now.

Thanks for your help!
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee

2023-11-01T09:49:34.6166667+00:00

@Shane DT

You are most welcome and I am glad the set up is working.

I have summarized my comments and posted it as a new answer.

I would highly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil

Accepted answer

KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee

2023-11-01T09:49:00.5466667+00:00
@Shane DT

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to configure ExpressRoute and site-to-site coexistence

How do I advertise our Azure's RFC1918 subnets into ER from Azure so our on-premise WAN router can see them?

This should be automatic

To troubleshoot,

In case of co-existence, you should deploy two VNET gateways in the GatewaySubnet

One of type "VPN" and other of type "ExpressRoute"

They should use the same GatewaySubnet.

Please go through the Limits and limitations

ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU
- **The gateway subnet must be /27 or a shorter prefix**, such as /26, /25, or you receive an error message when you add the ExpressRoute virtual network gateway.

Now, Link the virtual network to this circuit

https://video2.skills-academy.com/en-us/azure/expressroute/expressroute-howto-linkvnet-portal-resource-manager#connect-a-virtual-network-to-a-circuit---same-subscription

Once done, the Gateway would advertise the VNET's address range to the Circuit

The circuit, in turn will send the traffic to OnPrem via BGP

Once the configuration is done,

Check if the BGP status is established or not

Refer : Validate BGP and routes on the MSEE

Run the command Get-AzExpressRouteCircuitRouteTable and check the BGP routes

Make sure your VNET's Range and OnPrem range are available in the "Network" and the "NextHop" corresponds to the GatewaySubnet's IP and OnPrem IP Correspondingly.

Now, to check from the VNET Gateway, use

Get-AzVirtualNetworkGatewayLearnedRoute

You confirmed now you are able to see the routes and the set up works.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Advertise RFC1918 subnets from Azure to Express Route question

0 additional answers