How to use a 2nd Express route and redirect some traffic?

Lutz Rahe 61

Just a question

2 VPCs in Azure with a peering (in both directions)
VPC 1 has also an express route for the connection to on-premise

VPC 2 (new) shall also have an express route....but for different traffic only (video traffic). In VPC 2 are video servers

My question is: how I can be sure, that all video traffic will use Express Route 2. All NON video traffic (e.g. RDP, DNS, Domain traffic, etc.) must use ER 1. Which device can I use to redirect (split) the traffic between the 2 ERs? Is it clever to use the Azure FW in VPC1 to redirect back the video traffic to another gateway?

GitaraniSharma-MSFT 49,171 Reputation points Microsoft Employee

2021-04-16T11:08:25.797+00:00

Hello @Lutz Rahe ,

May I know if ExpressRoute 1 and ExpressRoute 2 will be connecting to the same On-premise location? Also, when you say both Vnets will have their own ExpressRoute circuit, it means they both will have an ExpressRoute VPN gateway of their own and the Vnet peering between both Vnets will only be for Vnet to Vnet connectivity (without any gateway transit features), is that correct?

Thanks,
Gita
Lutz Rahe 61 Reputation points

2021-04-16T13:45:33.277+00:00

Hi Gita

The 2 destinations are different.
One is a on-premise dc with the domain controlers (and users)
the other is the source for the video server in VNet 2. After this video has finished processing in this servers, they are sent back to this destantion over express route 2

VNet peering is for the VMs in VNet 2 for sending Domain traffic via ER1 to the datacenter. But it is a direct peering...nit via a 3rd VNet as a gateway VNet
GitaraniSharma-MSFT 49,171 Reputation points Microsoft Employee

2021-04-20T11:18:55.447+00:00
Hello @Lutz Rahe ,

Apologies for the delay in my response.

I am still a bit confused about your setup. However, below are the points that I would like to point out:

All virtual networks linked to the same ExpressRoute circuit are part of the same routing domain and are not isolated from each other.

When you peer virtual networks that share a single Azure ExpressRoute connection, the traffic between them goes through the peering relationship. That traffic uses the Azure backbone network.

Gateway Transit is a peering property that enables a virtual network to utilize a VPN/ExpressRoute gateway in a peered virtual network. Gateway transit works for both cross premises and network-to-network connectivity.

So, unless your Vnets are sharing the same ExR connection or using gateway transit option in Vnet peering, they should redirect traffic according to the ExR connections they are connected to.

Do let me know if you have any follow-up questions.

Thanks,
Gita
Lutz Rahe 61 Reputation points

2021-04-21T06:09:13.437+00:00

Hi Gita

Thank you for your answer...

So: when I have a VNet peering I have only ONE routing domain? So ALL traffic outside the VPNs will use the Express Route 1 connection?

How I can force specified traffic to use ER2? Use a 2nd Firewall and set the default gateway to ER2 (in VNet 2) and redirect all traffic except Video to ER1?
I cannot use ER1 for the video traffic.......
And the Central VNet (Vnet 1) is required.......

Honestly I havent found any documents how to use a 2nd Express Route (when it is NOT used as an HA)

Best,
Lutz
GitaraniSharma-MSFT 49,171 Reputation points Microsoft Employee

2021-04-21T13:57:54.677+00:00

Hello @Lutz Rahe ,

Like I mentioned before, if the destinations for the 2 ExR circuits are different, you don't need to use any Firewall for traffic separation. ExpressRoute uses BGP for routing, so it would be something as below:

Vnet 1 <---> ExR1 <---> On-prem1
||
Vnet 2 <---> ExR2 <---> On-prem2

Vnet 1 will have BGP routes for On-prem1 only. But since it is peered to Vnet 2, it will also have routes for Vnet 2 to connect over Azure backbone but Vnet1 can never route traffic to On-prem2 and vice versa.

Please refer the Cross connecting VNets section on the below article for clarity:
https://video2.skills-academy.com/en-us/azure/expressroute/cross-network-connectivity#cross-connecting-vnets

If the above article doesn't match your setup, then I would request you to share a network diagram of your setup along with the destination address prefixes for further discussion.

Thanks,
Gita
GitaraniSharma-MSFT 49,171 Reputation points Microsoft Employee

2021-04-23T17:39:29.76+00:00

Hello @Lutz Rahe ,

I'm following up on my previous comment. Please let us know if you have any follow-up questions.

Thanks,
Gita
GitaraniSharma-MSFT 49,171 Reputation points Microsoft Employee

2021-04-29T13:57:12.877+00:00

Hello @Lutz Rahe , any further updates on this post?
Lutz Rahe 61 Reputation points

2021-04-30T02:39:16.053+00:00

Hi Gita

Thank you for your answer.

The customer requirements have changed :-)
So we have to redesign the whole environment.
I have given my (your) concerns....

If I will have further questions, I'll let you know. But at the monet, this question can be closed.
Thank you

Best,
Lutz
GitaraniSharma-MSFT 49,171 Reputation points Microsoft Employee

2021-04-30T09:52:24.75+00:00

Thank you for the update @Lutz Rahe . As advised, we will be closing this issue for now.

Regards,
Gita

1 answer

GitaraniSharma-MSFT 49,171 Reputation points Microsoft Employee

2021-05-07T11:13:17.533+00:00
Hello @Lutz Rahe ,

Below is a summary of our discussion on this topic for you and other community members to refer to:

Some important points when using multiple ExpressRoute circuits are as following:

All virtual networks linked to the same ExpressRoute circuit are part of the same routing domain and are not isolated from each other.

When you peer virtual networks that share a single Azure ExpressRoute connection, the traffic between them goes through the peering relationship. That traffic uses the Azure backbone network.

Gateway Transit is a peering property that enables a virtual network to utilize a VPN/ExpressRoute gateway in a peered virtual network. Gateway transit works for both cross premises and network-to-network connectivity.

So, unless your Vnets are sharing the same ExR connection or using gateway transit option in Vnet peering, they should redirect traffic according to the ExR connections they are connected to.

And if the destinations for the 2 ExR circuits are different, you don't need to use any Firewall for traffic separation. ExpressRoute uses BGP for routing, so it would be something as below:

Vnet 1 <---> ExR1 <---> On-prem1
||
Vnet 2 <---> ExR2 <---> On-prem2

Vnet 1 will have BGP routes for On-prem1 only. But since it is peered to Vnet 2, it will also have routes for Vnet 2 to connect over Azure backbone but Vnet1 can never route traffic to On-prem2 and vice versa.

Please refer the Cross connecting VNets section on the below article for clarity:
https://video2.skills-academy.com/en-us/azure/expressroute/cross-network-connectivity#cross-connecting-vnets

Kindly let us know if and when you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

How to use a 2nd Express route and redirect some traffic?

1 answer