Hey everyone! I'm in the process of setting up an ExpressRoute topology for my organization, and I'm running into some issues with advertising routes. Here's the current setup: we've got an on-prem data center connecting to a service provider, leading to an ExpressRoute circuit (Standard) that goes to a virtual network gateway (hub VNet) and then to peered spoke VNets. We've also set up user-defined routes (UDRs) to send traffic coming into Azure towards a Network Virtual Appliance (NVA) that's in a separate VNet, which is peered to the hub. This NVA VNet connects to another hub VNet and uses the remote gateway from that hub.
The problem is that Azure only allows one gateway per VNet, so I can't advertise the NVA routes through BGP for the new hub. While traffic flows fine through the NVA and the original hub (thanks to remote gateway), I'm unable to send traffic to the NVA from the new hub because I can't inject the NVA subnet through BGP. Static route injection isn't supported either. I've seen some architectures where NVA routes are redistributed via a firewall or router. I'm curious about a few things:
1. Can I use a similar method in my setup?
2. Is it practical to redistribute NVA routes into ExpressRoute BGP using a firewall?
3. If that's not an option, what's the best way to advertise the NVA subnet to multiple hubs? I would greatly appreciate any insights or examples you can share. Thanks a lot!
1 Answer
You can definitely advertise your NVA routes into Azure's routing framework using Azure route servers. I’m not fully picturing your whole topology, but it looks like it should work for you. If you can provide some more details, I can help pinpoint where the route server(s) would be configured and how the peering should work.
I'm looking into Azure route servers, as it seems like the only option for advertising routes. What additional information would you need from me to give you a clearer picture?
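Since the answer points at Azure Route Server without a configuration to look at, here is an added example of what the suggested design looks like in Bicep. It is not code from the thread's participants; it deploys one Route Server into a hub VNet and BGP-peers it with the NVA, and the idea is to deploy the same template once per hub (the original ExpressRoute hub and the new one) so the NVA can advertise its subnet to each ExpressRoute gateway through that hub's Route Server. The resource names, address ranges, subnet ID parameter and NVA ASN are placeholders, not values from the question.

```bicep
// Added example: Azure Route Server in one hub VNet, BGP-peered to an NVA that lives
// in a separately peered VNet. Deploy once per hub so every hub learns the NVA routes.
// All names, IPs and ASNs below are assumed placeholders.
param location string = resourceGroup().location
param hubVnetName string = 'hub2-vnet'      // assumed: the hub that currently cannot learn NVA routes
param routeServerSubnetId string            // assumed: a subnet literally named 'RouteServerSubnet', /27 or larger, in the hub VNet
param nvaPeerIp string = '10.100.1.4'       // assumed: the NVA's BGP-speaking NIC address in the peered NVA VNet
param nvaAsn int = 65010                    // assumed: must differ from 65515 (Route Server) and Azure-reserved ASNs

// Route Server needs a Standard-SKU static public IP for its control plane.
resource rsPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: '${hubVnetName}-rs-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Azure Route Server is modelled as a virtualHub resource with sku 'Standard'.
resource routeServer 'Microsoft.Network/virtualHubs@2023-05-01' = {
  name: '${hubVnetName}-rs'
  location: location
  properties: {
    sku: 'Standard'
    // Branch-to-branch is what lets routes learned from the NVA be re-advertised
    // to the ExpressRoute gateway in this VNet (and ER-learned routes to the NVA).
    // Without it the NVA prefixes only reach the VNet route tables, not ExpressRoute.
    allowBranchToBranchTraffic: true
  }
}

// Attach the Route Server to the dedicated RouteServerSubnet.
resource rsIpConfig 'Microsoft.Network/virtualHubs/ipConfigurations@2023-05-01' = {
  parent: routeServer
  name: 'ipconfig1'
  properties: {
    subnet: { id: routeServerSubnetId }
    publicIPAddress: { id: rsPip.id }
  }
}

// One BGP peering per NVA instance; add a second bgpConnections resource for an HA pair.
resource nvaPeering 'Microsoft.Network/virtualHubs/bgpConnections@2023-05-01' = {
  parent: routeServer
  name: 'nva-peer'
  properties: {
    peerAsn: nvaAsn
    peerIp: nvaPeerIp
  }
  dependsOn: [ rsIpConfig ]
}

// Configure these two addresses as BGP neighbours on the NVA, with remote ASN 65515.
output routeServerIps array = routeServer.properties.virtualRouterIps
output routeServerAsn int = routeServer.properties.virtualRouterAsn
```

Things to check before relying on this: the NVA VNet must be peered with each hub so the NVA can reach that hub's Route Server IPs, and the Route Server has to sit in the same VNet as the ExpressRoute gateway it should exchange routes with. After deployment, `az network routeserver peering list-learned-routes` and `list-advertised-routes` on the `nva-peer` connection show whether the NVA subnet is actually being learned and pushed towards the gateway; if the NVA prefix is learned but never appears on-prem, the usual culprit is `allowBranchToBranchTraffic` left at its default of false.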