Azure Express Route access Expose Public IP and DNAT using NVA

Shrijan Tiwari 1 Reputation point
2021-07-30T21:20:29.38+00:00

I have a Hub-Spoke VNet architecture and an ExpressRoute circuit attached to my hub VNet. I want to understand the following points and see if there's something that can be done to solve this:

  1. Since ExpressRoute uses private peering and is attached to the hub VNet, all my VNets are published over ExpressRoute. Is there a way I can restrict from Azure what gets published over ExpressRoute and what does not?
  2. I want to publish a Public IP over ExpressRoute and NAT inbound connections to a private IP. For this I tried setting up some network configuration, but I guess the traffic is getting dropped. Can you please suggest what is wrong with this?

In the attached image below:

  • From on-premises we want to access the 20.xx.xx.xx IP
  • Traffic to that IP should go over ExpressRoute and reach Azure
  • The Azure Hub-Spoke network should route that traffic to the NVA using a GatewaySubnet UDR
  • The NVA should DNAT the Public IP to the Private IP

119552-image.png


1 answer

  1. GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee
    2021-08-09T13:40:18.79+00:00

    Hello @Shrijan Tiwari ,

    Apologies for the delay in response.

    1) The ExpressRoute gateway will advertise the Address Space(s) of the Azure VNet; you can't include/exclude at the subnet level. It is always the VNet Address Space that is advertised. Also, if VNet Peering is used and the peered VNet has "Use Remote Gateway" enabled, the Address Space of the peered VNet will also be advertised. From a routing perspective, all virtual networks linked to the same ExpressRoute circuit are part of the same routing domain and are not isolated from each other. If you need route isolation, you need to create a separate ExpressRoute circuit.
    Reference: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-faqs#how-are-vnets-advertised-on-expressroute-private-peering

    2) An ExpressRoute circuit, once set up, allows you to access services within a virtual network and other Azure services simultaneously. You connect to virtual networks over the private peering path, and to other services over the Microsoft peering path.

    Azure Private peering lets you connect to virtual machines and cloud services directly on their private IP addresses.

    Azure Public IP addresses for IaaS (Virtual Machines, Virtual Network Gateways, Load Balancers, etc.) are supported over Azure Microsoft peering.
    Microsoft supports bi-directional connectivity on the Microsoft peering. You must connect to Microsoft cloud services only over public IP addresses that are owned by you or your connectivity provider, and you must adhere to all the defined rules.

    So, in order to access the Public IP (20.xx.xx.xx) from your on-premises network over ExpressRoute, you should create a Microsoft peering in your ExpressRoute circuit.

    References:
    https://learn.microsoft.com/en-us/azure/expressroute/expressroute-faqs#supported-services
    https://learn.microsoft.com/en-us/azure/expressroute/expressroute-circuit-peerings
    https://learn.microsoft.com/en-us/azure/expressroute/expressroute-nat
    https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-routing-portal-resource-manager

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept the answer" below if the information helped you. This will help us and others in the community as well.

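An added Azure PowerShell example (not part of the original question or answer) that follows the answer's two points: first list what the private peering actually advertises on-premises, then add a Microsoft peering so a public IP is reachable over the circuit, and check the prefix validation state that commonly explains dropped traffic. The resource group, circuit name, ASNs, /30 peer subnets, VLAN ID and advertised prefix are placeholders.

```powershell
# Placeholders: replace with your own circuit details.
$rg   = "ExpressRouteResourceGroup"
$name = "ExpressRouteARMCircuit"

# 1) What does the private peering currently send on-prem? Expect the hub VNet
#    address space plus every peered spoke with "Use Remote Gateway" enabled;
#    there is no per-subnet filter, which is why every spoke shows up.
Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $rg `
    -ExpressRouteCircuitName $name `
    -PeeringType AzurePrivatePeering -DevicePath Primary |
    Format-Table Network, NextHop, Path

# 2) Add a Microsoft peering for public-IP reachability (the 20.xx.xx.xx case).
#    The advertised prefix must be public space owned by you or your provider;
#    Microsoft checks it against the routing registry named below.
$peerAsn   = 65000              # placeholder: ASN used for the BGP session
$ownerAsn  = 65000              # placeholder: ASN the prefix is registered to
$publicPfx = "203.0.113.128/25" # placeholder (TEST-NET-3 documentation range)

$ckt = Get-AzExpressRouteCircuit -Name $name -ResourceGroupName $rg

Add-AzExpressRouteCircuitPeeringConfig -Name "MicrosoftPeering" `
    -ExpressRouteCircuit $ckt `
    -PeeringType MicrosoftPeering `
    -PeerASN $peerAsn `
    -PrimaryPeerAddressPrefix "203.0.113.0/30" `
    -SecondaryPeerAddressPrefix "203.0.113.4/30" `
    -VlanId 300 `
    -MicrosoftConfigAdvertisedPublicPrefixes $publicPfx `
    -MicrosoftConfigCustomerAsn $ownerAsn `
    -MicrosoftConfigRoutingRegistryName "ARIN"

# Commit the new peering to the circuit.
Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt

# 3) Verify. Until AdvertisedPublicPrefixesState reaches Configured (for example
#    while it reads ValidationNeeded), no routes are exchanged and traffic to the
#    public IP will be dropped even though the peering exists.
$ckt = Get-AzExpressRouteCircuit -Name $name -ResourceGroupName $rg
$mp  = Get-AzExpressRouteCircuitPeeringConfig -Name "MicrosoftPeering" `
    -ExpressRouteCircuit $ckt
$mp | Select-Object Name, State, VlanId
$mp.MicrosoftPeeringConfig | Select-Object AdvertisedPublicPrefixes, `
    AdvertisedPublicPrefixesState
```

Once the state is Configured, the on-premises side still has to source its traffic from the advertised public range (or NAT to it), which is the ownership rule the answer refers to.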