Return traffic through NVA via ExpressRoute not working

ka_admin 21 Reputation points
2021-11-30T12:53:28.47+00:00

Hi,

We use a Palo Alto NVA behind an ILB. All routing looks fine, but the return traffic doesn't go through the Palo NVA with this setup...

Azure to On-prem works fine like this:
Subscriber Subnets --> ILB --> Palo NVA --> ExpressRoute gateway --> On-Premises

The routing from On-prem to Azure should go as below:
On-premises --> ExpressRoute gateway --> ILB --> Palo NVA --> Subscriber subnets.

Instead it goes like this, causing asymmetric traffic flow:
On-premises --> ExpressRoute gateway --> Subscriber subnets

What could be the problem?


Accepted answer
    GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee
    2021-11-30T14:40:49.01+00:00

    Hello @ka_admin ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    To make sure that the return traffic from your on-premises goes through the NVA via ExpressRoute to Azure, you would need to add a route on your Gateway Subnet.
    NOTE: GatewaySubnet does not support 0.0.0.0/0 UDRs, but it supports UDRs with other address prefixes.

    Hence, you can add a UDR to the ExpressRoute GatewaySubnet with the address prefix of your VNet range, next hop type Virtual Appliance and the IP address of your ILB. This will make sure that any traffic that comes from your on-premises for your Azure VNet range, when it reaches your ExpressRoute gateway, will be forwarded to the ILB.
    NOTE: Propagate gateway routes should be set to "Enabled" on the GatewaySubnet to ensure availability of the gateway and to propagate your on-premises routes to the network interfaces in the subnet.

    For example: If your VNet address range is 10.0.0.0/16 then you can add a UDR to your ExpressRoute GatewaySubnet as below:
    Address prefix: 10.0.0.0/16 --> Next hop type = Virtual Appliance --> Next hop IP address = IP address of ILB
    So the routing from On-prem to Azure will go as below:
    On-premises --> ExpressRoute gateway --> ILB --> Palo NVA --> Subscriber subnets.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
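A worked example of the route-table configuration the accepted answer describes, added here and not part of the original answer or of any Microsoft tooling: it checks a candidate GatewaySubnet UDR against the constraints named above (no 0.0.0.0/0 prefix on the GatewaySubnet, next hop type Virtual Appliance pointing at the ILB frontend, gateway route propagation left enabled) and emits the corresponding `Microsoft.Network/routeTables` ARM resource. The VNet range 10.0.0.0/16, the ILB frontend 10.0.1.4, the resource names and the `apiVersion` are constructed sample values, not taken from the question.

```python
import ipaddress
import json

# Constructed sample values (assumptions, not from the question): replace with
# your own VNet range and the private frontend IP of the ILB in front of the NVA.
VNET_RANGE = "10.0.0.0/16"
ILB_FRONTEND_IP = "10.0.1.4"


def validate_gateway_subnet_route(address_prefix, next_hop_ip, vnet_range,
                                  disable_bgp_propagation=False):
    """Return a list of problems with a UDR intended for the ExpressRoute GatewaySubnet.

    An empty list means the route satisfies the constraints from the answer above.
    """
    problems = []
    prefix = ipaddress.ip_network(address_prefix)
    vnet = ipaddress.ip_network(vnet_range)
    hop = ipaddress.ip_address(next_hop_ip)

    # GatewaySubnet rejects a default route; the VNet range is the supported alternative.
    if prefix.prefixlen == 0:
        problems.append("GatewaySubnet does not accept a 0.0.0.0/0 UDR; use the VNet range")
    # The route should cover (a part of) the VNet, otherwise it steers nothing useful.
    if not prefix.subnet_of(vnet):
        problems.append(f"prefix {prefix} is not within the VNet range {vnet}")
    # The next hop is the ILB frontend, which must live inside the VNet.
    if hop not in vnet:
        problems.append(f"next hop {hop} (ILB frontend) is not inside the VNet range {vnet}")
    # "Propagate gateway routes" must stay enabled on the GatewaySubnet.
    if disable_bgp_propagation:
        problems.append("gateway route propagation must remain enabled on the GatewaySubnet")
    return problems


def gateway_subnet_route_table(name, location, address_prefix, next_hop_ip, vnet_range):
    """Build the ARM resource for the route table, refusing configurations that fail validation."""
    problems = validate_gateway_subnet_route(address_prefix, next_hop_ip, vnet_range)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "type": "Microsoft.Network/routeTables",
        "apiVersion": "2023-04-01",  # assumed version; check your provider's supported list
        "name": name,
        "location": location,
        "properties": {
            # False keeps "Propagate gateway routes" enabled, as the answer requires.
            "disableBgpRoutePropagation": False,
            "routes": [
                {
                    "name": "vnet-via-nva",
                    "properties": {
                        "addressPrefix": address_prefix,
                        "nextHopType": "VirtualAppliance",
                        "nextHopIpAddress": next_hop_ip,
                    },
                }
            ],
        },
    }


if __name__ == "__main__":
    # The weak configuration (default route) is rejected outright.
    print(validate_gateway_subnet_route("0.0.0.0/0", ILB_FRONTEND_IP, VNET_RANGE))
    # The corrected configuration renders as a deployable ARM resource.
    resource = gateway_subnet_route_table("rt-gatewaysubnet", "westeurope",
                                          VNET_RANGE, ILB_FRONTEND_IP, VNET_RANGE)
    print(json.dumps(resource, indent=2))
```

The emitted resource can be wrapped in a template and deployed with `az deployment group create`, after which the route table still has to be associated with the GatewaySubnet (for example `az network vnet subnet update --name GatewaySubnet --route-table <table>`); the validator is only a pre-deployment check of the settings the answer calls out.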

