I'm trying to integrate a Network Virtual Appliance (NVA) into my existing Azure environment where I currently have two virtual networks (VNets) peered together. Here's the situation: I've set up a hub VNet with a subnet for a VPN Gateway, and a spoke VNet containing multiple subnets with VMs. The hub VNet allows access to and from the spoke, and I'm planning to route all internet traffic and internal communication between VMs in the spoke VNet through the new NVA, which is part of Cato Networks' SASE solution. I've assigned route tables but am facing issues with inter-subnet routing not utilizing the NVA. I'm looking for advice on configuring user-defined routes (UDRs) correctly for inter-subnet traffic and any necessary changes to VNet peering settings.
4 Answers
For your setup, it sounds like you'll need to implement route tables on your spoke VNet subnets that point to the NVA appliance using a UDR of 0.0.0.0/0. This should enforce that all traffic, including inter-subnet communication, is routed through the NVA as you intended. Just double-check that you have a UDR in your hub that routes back to the spoke address range through the NVA as well.
Also, don't forget that the basic subnet communication can override the UDR, so you really do need to add those subnets into the routing table with the NVA.
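As an added illustration (not code from this thread or from Cato Networks), the Bicep below shows the route tables the answer above is describing. It assumes the NVA's inside interface sits in the hub at 10.0.2.4, the spoke is vnet-spoke 10.1.0.0/16 with subnets snet-app 10.1.1.0/24 and snet-db 10.1.2.0/24, and the hub vnet-hub holds a GatewaySubnet of 10.0.1.0/27; every name and prefix is a placeholder to be swapped for your own.

```bicep
// Added example, not the original poster's or Cato's configuration.
// Placeholder values: NVA inside IP 10.0.2.4 (hub), spoke 10.1.0.0/16 with
// snet-app 10.1.1.0/24 and snet-db 10.1.2.0/24, hub GatewaySubnet 10.0.1.0/27.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param nvaInsideIp string = '10.0.2.4'
param spokeVnetName string = 'vnet-spoke'
param spokeVnetPrefix string = '10.1.0.0/16'
param hubVnetName string = 'vnet-hub'

// Route table for the spoke workload subnets.
// 0.0.0.0/0 by itself does not capture inter-subnet traffic: Azure picks the
// longest matching prefix, and the system route for the VNet address space
// (10.1.0.0/16 -> VirtualNetwork) is more specific than the default route.
// The explicit route for the spoke prefix is what pulls east-west traffic
// into the NVA.
resource spokeRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-via-nva'
  location: location
  properties: {
    // Stop gateway-learned routes from landing in this table and bypassing the NVA.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-internet-via-nva'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaInsideIp
        }
      }
      {
        name: 'spoke-east-west-via-nva'
        properties: {
          addressPrefix: spokeVnetPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaInsideIp
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: spokeVnetName
}

// Redeploying a subnet replaces its whole properties object, so any NSG,
// service endpoints or delegations already on these subnets must be restated.
resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: spokeVnet
  name: 'snet-app'
  properties: {
    addressPrefix: '10.1.1.0/24'
    routeTable: { id: spokeRt.id }
  }
}

resource dbSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: spokeVnet
  name: 'snet-db'
  properties: {
    addressPrefix: '10.1.2.0/24'
    routeTable: { id: spokeRt.id }
  }
  dependsOn: [ appSubnet ] // subnet writes on one VNet must be serialized
}

// Return path in the hub: without this, traffic arriving from the VPN for the
// spoke follows the peering system route straight to the spoke and skips the NVA.
// A GatewaySubnet route table must not carry a 0.0.0.0/0 route.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: hubVnetName
}

resource gatewayRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-gateway-via-nva'
  location: location
  properties: {
    routes: [
      {
        name: 'spoke-via-nva'
        properties: {
          addressPrefix: spokeVnetPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaInsideIp
        }
      }
    ]
  }
}

resource gatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: hubVnet
  name: 'GatewaySubnet'
  properties: {
    addressPrefix: '10.0.1.0/27'
    routeTable: { id: gatewayRt.id }
  }
}
```

Two things the template itself cannot express but that the routing depends on: the NVA's NIC must have IP forwarding enabled, or Azure drops packets the appliance forwards, and the spoke-to-hub peering must have "Allow forwarded traffic" enabled so that traffic the hub NVA relays into the spoke is accepted. Also note that Azure evaluates routes per NIC, so the spoke-prefix route sends same-subnet traffic through the NVA as well; if you want that to stay local, give each subnet its own table and add a route for its own /24 with nextHopType 'VirtualNetwork'. After deployment, "Effective routes" on a spoke VM's NIC should show both UDRs as Active with next hop 10.0.2.4.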
If your NVA supports BGP, consider setting up an Azure Route Server and peering it. This way, the routes from the peered VNets will be auto-learned, simplifying your routing significantly. Without that, you'd definitely want to create UDRs for traffic going back to the VNets, directing them through the NVA's subnet. However, I get that the cost for Azure Route Server can be a bit steep for smaller setups like yours.
Yeah, $330 a month can be a bit much! If your requirements don't justify it, definitely stick to manually managing the UDRs until you scale up significantly.
If you’re looking to send traffic between subnets within your VNet through the NVA, you might actually want to create a dedicated VNet that has just one subnet. This can simplify things and ensure that all traffic goes through your NVA smoothly, keeping your options open for future expansions.
Just a tip: sometimes, the simplest route is the least expensive, so don’t get too caught up in complex routing if your current network isn’t vast. Just keep optimizing as you grow!
Exactly! Adding that UDR should help. Just remember that without it, the default routing might still favor the existing routes over the UDR. You might want to include specific subnet routes too to ensure they all point to the NVA.