UDR challenge in ExpressRoute and Virtual Appliance Environment

Rzure99 1 Reputation point
2020-10-09T10:57:46.487+00:00

Hi,

I have some challenges with setting up network routing in Azure...

We had a setup where we had a VPN to on-premises and a firewall as a virtual appliance in Azure. We used User-Defined Routes where we defined that all internet traffic should go through the firewall; in other words, the default route was to the internal interface of the firewall. All traffic between the on-premises network and Azure was routed directly through the VPN with UDRs. This worked perfectly, until...

We got an ExpressRoute. The same setup, but it doesn't work anymore. All connections will work if we drop the UDRs from the Azure subnets, but then we have the problem that direct connections from subnets to the Internet are possible. We want to direct all internet traffic through the virtual appliance. It seems that using routes with next hop Virtual Network Gateway in an ExpressRoute setup is not the same as in a VPN setup.

Has anyone else had issues with UDRs and ExpressRoute, or is it just me?

Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.

1 answer

  1. GitaraniSharma-MSFT 46,266 Reputation points Microsoft Employee
    2020-10-09T16:16:12.563+00:00

    Hello @Rzure99 ,

    As I mentioned before, you cannot specify a virtual network gateway created as type ExpressRoute in a user-defined route because with ExpressRoute, you must use BGP for custom routes.
    Please refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

    Hence, in order to achieve your current setup requirement, you will have to make use of both UDR and BGP custom routes in one of the 2 following ways:

    1)
    UDR for Internet traffic 0.0.0.0/0 to next hop Firewall in Azure 192.168.1.1.
    Advertise BGP custom route for 10.0.0.0/8.

    2)
    Advertise a route with the 0.0.0.0/0 prefix via BGP over ExpressRoute. (Default routes are permitted only on Azure private peering sessions.)
    Add UDR on all subnets with default route 0.0.0.0/0 to next hop Firewall in Azure 192.168.1.1.

    The 2nd option relies on how Azure selects a route:
    If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:

    1. User-defined route
    2. BGP route
    3. System route

    NOTE: UDR always takes precedence.

    Please refer : https://learn.microsoft.com/en-us/azure/expressroute/expressroute-routing#advertising-default-routes
    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#how-azure-selects-a-route

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.


    1 person found this answer helpful.
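The answer's option 1 carried through as an Az PowerShell script. This is an added example, not code from the thread or from Microsoft; the resource group, VNet, subnet and NIC names, the region and the 192.168.1.1 firewall address are assumptions. Two points the answer does not spell out but that bite in practice: the route table is associated with the workload subnets only, because a 0.0.0.0/0 route pointing at the firewall from the firewall's own subnet would loop, and BGP route propagation is left enabled on the route table, because disabling it would strip the 10.0.0.0/8 route learned from the ExpressRoute gateway and send on-premises traffic through the firewall as well. Azure picks routes by longest prefix match first and only then by the UDR > BGP > system priority, which is why the BGP 10.0.0.0/8 route wins over the UDR default route for on-premises destinations.

```powershell
# Added example (not from the original thread): option 1 from the answer built with Az PowerShell.
# Assumed: resource group 'rg-hub', VNet 'vnet-hub', workload subnets 'snet-app' and 'snet-db',
# firewall inside interface 192.168.1.1, on-prem range 10.0.0.0/8 advertised over ExpressRoute via BGP.
# Requires the Az.Network module and an existing Connect-AzAccount session.

$rg              = 'rg-hub'          # assumed
$location        = 'westeurope'      # assumed
$vnetName        = 'vnet-hub'        # assumed
$fwInnerIp       = '192.168.1.1'     # firewall internal interface, as in the answer
$workloadSubnets = @('snet-app', 'snet-db')   # assumed; the firewall's own subnet is deliberately NOT listed

# 1. Route table. BGP route propagation stays enabled (the default); passing
#    -DisableBgpRoutePropagation would remove the ExpressRoute-learned 10.0.0.0/8 route
#    from the effective routes and push on-prem traffic through the firewall too.
$rt = New-AzRouteTable -Name 'rt-egress-via-fw' -ResourceGroupName $rg -Location $location

# 2. The UDR: default route to the firewall. Next hop type is VirtualAppliance, because
#    VirtualNetworkGateway is not accepted as a UDR next hop for an ExpressRoute gateway.
$rt | Add-AzRouteConfig -Name 'default-to-firewall' -AddressPrefix '0.0.0.0/0' `
        -NextHopType VirtualAppliance -NextHopIpAddress $fwInnerIp | Out-Null
$rt = $rt | Set-AzRouteTable

# 3. Associate the table with the workload subnets only, preserving each subnet's prefix.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
foreach ($name in $workloadSubnets) {
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name `
        -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Verify on a NIC in one of the workload subnets. Expected: an active 0.0.0.0/0 route with
#    Source 'User' and next hop VirtualAppliance 192.168.1.1, plus the on-prem prefix(es) with
#    Source 'VirtualNetworkGateway'. Longest prefix match sends 10.0.0.0/8 over ExpressRoute and
#    everything else to the firewall; if the gateway route is missing, check that BGP propagation
#    was not disabled on the route table.
$nicName = 'nic-app-vm01'   # assumed NIC name of a VM in snet-app
Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rg |
    Where-Object { $_.State -eq 'Active' } |
    Sort-Object Source |
    Format-Table Source, AddressPrefix, NextHopType, NextHopIpAddress -AutoSize
```

Option 2 from the answer uses the same script; the only difference is that 0.0.0.0/0 is additionally advertised over the ExpressRoute private peering, and the UDR still wins for that prefix because a user-defined route outranks a BGP route of identical length.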