Infrastructure: Azure - ExpressRoute Circuits (BGP) Subnet 10.20.0.0/16 Main Office Sophos Firewall Subnet 10.0.0.0/24 Branch Office Sophos Firewall Subnet 192.168.110.0/23 Azure (AVD) is connected via ExpressRoute to the Main Office. The Main- and Branch office are connected by IPSEC s2s vpn. Problem: The client wants to connect from Azure AVD to a local server at the branch office. We made all networks known on the firewalls but Azure seems to do nothing with the traffic from the 10.20.0.0/16 to the 192.168.110.0 subnet. As I'm not sure if it's a routing issue I'm stuck at this point. Traffic between branch and main office works fine. Traffic between main and Azure also has no problems. Hope somebody can help me!

Hi @ Tom de Smidt | Hermac BV , the IP address range of the Branch office is "known" by Azure infrastructure as well? For me it sounds like a routing issue. Azure needs to know the branch office networks and the main office networks. The main office needs to know the branch office and Azure networks. The branch office needs to know the main office and Azure networks. If I understand correctly the traffic between branch office and Azure will be routed via main office? This means the routing should be configured properly in all related networks. (If the reply was helpful please don't forget to upvote and/or accept as answer , thank you) Regards Andreas Baumgarten

Branchoffice not available via ExpressRoute

Accepted answer

Andreas Baumgarten 107.9K Reputation points MVP

2024-07-31T14:30:32.6233333+00:00

Hi @Tom de Smidt | Hermac BV ,

the IP address range of the Branch office is "known" by Azure infrastructure as well?

For me it sounds like a routing issue.

Azure needs to know the branch office networks and the main office networks.

The main office needs to know the branch office and Azure networks.

The branch office needs to know the main office and Azure networks.

If I understand correctly the traffic between branch office and Azure will be routed via main office?

This means the routing should be configured properly in all related networks.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten
Please sign in to rate this answer.
Tom de Smidt | Hermac BV 20 Reputation points

2024-07-31T14:36:12.12+00:00

Hi @Andreas Baumgarten , Thanks for your reply.
Most likely the branch office network is not known to Azure.

At this point I do not know where to configure the route, as I can't find it under the ExpressRoute, Private Peering or the Virtual network gateway settings.
Perhaps you can point me in the right direction?

I can confirm the local traffic is properly routed between branch- and mainoffice.

Andreas Baumgarten 107.9K Reputation points MVP

2024-07-31T15:37:43.2733333+00:00

Hi @Tom de Smidt | Hermac BV ,

how is the routing from Azure to main office configured?

Are you using Azure Route Tables with user defined routes?

If so please verify if the route tables have an entry for the main office and the branch office networks.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

Tom de Smidt | Hermac BV 20 Reputation points

2024-08-02T07:00:47.14+00:00

Hi @Andreas Baumgarten

We do not have any routing tables configured.
So I can only find the PrivatePeering settings on the ER and the 'Allow traffic from remote network' settings on the Virtual Network Gateway.

You suggest using routing tables in this case? any tips on that?

Andreas Baumgarten 107.9K Reputation points MVP

2024-08-02T07:15:12.0366667+00:00

Hi @Tom de Smidt | Hermac BV ,

you have to make sure all networks (on-premises and Azure networks) "know" each other and also know where to send the traffic if not connected directly, like Azure networks and branch office networks.

For that reason you need routing information, route tables with user defined routes, and a routing instance, called Network Virtual Appliance (NVA). The NVA is the routing instance sending the network packages in the right direction.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

Tom de Smidt | Hermac BV 20 Reputation points

2024-08-07T11:18:17.73+00:00

Hi @Andreas Baumgarten we haven't solved the issue yet, but we know which way to look.

Thanks for you help and advise.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Branchoffice not available via ExpressRoute

0 additional answers

Your answer