Prevent Azure Expressroute from learning routes from VPN Gateway

ktipssioyv 1

How can I prevent Azure Expressroute from learning routes from VPN gateway? We're setting up a IPsec over Azure Expressroute. We want the Azure Expressroute just be a circuit. Right now Azure Expressroute is advertising the routes that's learned from VPN Gateway to the Edge routers.

Is there a way to prevent Azure Expressroute from learning routes from VPN gateway?

ktipssioyv 1 Reputation point

2021-11-25T11:53:30.79+00:00

@GitaraniSharma-MSFT

Do you have a answer for this?

1 answer

GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee

2021-11-25T14:05:51.133+00:00

Hello @ktipssioyv ,

AFAIK and as mentioned in this doc, the ExpressRoute gateway will advertise the Address Space(s) of the Azure VNet, you can't include/exclude at the subnet level. Also, if VNet Peering is used and the peered VNet has "Use Remote Gateway" enabled, the Address Space of the peered VNet will also be advertised. So as long as the Vnet is linked to the ExpressRoute circuit, there is no way to stop Azure ExpressRoute from learning the Vnet routes from VPN Gateway.

However, if you want your on-prem routes to NOT be advertised to the subnets, you can do so by disabling a property called "Virtual network gateway route propagation" on the route tables of those subnets.
Refer: https://video2.skills-academy.com/en-us/azure/virtual-network/virtual-networks-udr-overview#border-gateway-protocol
https://video2.skills-academy.com/en-us/azure/virtual-network/manage-route-table#create-a-route-table

If you want the Azure ExpressRoute to just be a circuit, then I would recommend you to unlink the Vnet from your ExpressRoute by removing the connection.

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
ktipssioyv 1 Reputation point

2021-11-25T14:30:14.877+00:00

VNET's aren't peered to the ExpressRoute. Its peered to the Virutal Hub. vHub has a express route gateway that connects to the ER circuit.

ktipssioyv 1 Reputation point

2021-11-25T14:31:29.257+00:00

@GitaraniSharma-MSFT Does route filter help in anyway from preventing ER circuits from learning routes of other Vnets or regions?

GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee

2021-11-25T16:06:43.813+00:00

@ktipssioyv , I would like to make sure that I understand your setup & requirement clearly to assist you further. So let me summarize : You have an ExpressRoute circuit connected to Virtual hub in your Azure Virtual WAN and would like to prevent it from learning routes from VPN Gateway. When you say prevent the ER circuit from learning routes from VPN gateway, are you referring to the ExpressRoute gateway or site-to-site VPN gateway?

ktipssioyv 1 Reputation point

2021-11-26T07:08:13.363+00:00

@GitaraniSharma-MSFT We have a expressroute circuit connected to virtual hub. When we check our expressroute cirtcuit routing table it shows that its learning routes from VPN gateway (AS Path in ER routing table has VPN gateway ANS number with VNET's routes). We want to prevent that. We want Expressroute to know routes only of On-Perm edge routers which are connected to circuit and not learn any routes from Azure.

Your question "When you say prevent the ER circuit from learning routes from VPN gateway, are you referring to the ExpressRoute gateway or site-to-site VPN gateway?" I'm referring to ExpressRoute gateway.

ktipssioyv 1 Reputation point

2021-11-26T08:50:59.947+00:00

@GitaraniSharma-MSFT The VNET's route (address space) should be not be know to the Expressroute. Can this be achieved? Our VNET's are peered to vHUB. It seems like any routes learned by VPN Gateway is advertised to Expressoute circuit.

Expressroute route table shows that the ASN number of VPN Gatewayz (65515) for the all VNET's route that it has learned.

GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee

2021-11-26T13:46:14.82+00:00

@ktipssioyv , I'm discussing this scenario with the Azure ExpressRoute product group team for more information. Will get back to you with an update once I hear from them.

GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee

2021-12-09T03:03:43.567+00:00

Hello @ktipssioyv ,

Apologies for the delay in my response.

I had to reach out to both ExpressRoute and Azure Virtual WAN product group team to discuss this requirement.
Below is their final response on this :

Currently, there is no way to only prevent Azure ExpressRoute from learning Vnet routes from VPN gateway. If you add a custom route table in vWAN, all branches (VPN/ER/User VPN) will be impacted by it.
We don’t support custom routing for vWAN branches today. That means all branch connections have the same routing configurations.
Refer : https://video2.skills-academy.com/en-us/azure/virtual-wan/about-virtual-hub-routing#association

If you want to filter which routes should be advertised to ExpressRoute, we are working on a new feature which will give you control over what prefixes each connection learns, however we do not have an ETA for it's release yet.

Regards,
Gita

GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee

2021-12-14T08:22:51.013+00:00

@ktipssioyv , kindly let us know if the above helps or you need further assistance on this issue.

GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee

2021-12-16T12:42:54.2+00:00

@ktipssioyv , could you please let us know if the above helps or you need further assistance on this issue?
Sign in to comment

Share via

Prevent Azure Expressroute from learning routes from VPN Gateway

1 answer