Navigating Asymmetric Routing Challenges with Azure Route Server: Need Advice!

Asked By CloudyNinja92 On

Hey everyone! I'm facing a common issue in hybrid networking and wanted to get some advice before diving into the setup of Azure Route Server. I'm curious if anyone else has faced similar challenges or if I'm thinking too hard about this.

Here's the context: I have a landing zone setup where GlobalProtect VPN users can connect to LZ2 spoke VNets if I set `useRemoteGateways` to false on the LZ2 spoke peer connections to the hub. However, this prevents on-premises connections from reaching Azure LZ2 over ExpressRoute since the CIDRs of the spoke VNets aren't being shared in the BGP session.

If I switch `useRemoteGateways` to true, on-premises can access LZ2, but then Palo Alto VPN users can't connect, which is a problem because I need both connection types to work seamlessly. This brings me to the larger issue of handling return traffic and route injection conflicts into the ExpressRoute BGP session.

Currently, my setup includes:
- LZ1 in UK South using a Palo Alto firewall for GlobalProtect VPN users,
- LZ2 in UK West with a FortiGate firewall and ExpressRoute for on-prem access,
- Inter-hub VNet peering with forwarded traffic allowed,
- Multiple spoke VNets in LZ2 for different resources.

I've got some ideas on how to proceed, including BGP peering between FortiGate and Azure Route Server and enabling branch-to-branch routing on the Route Server to help advertise the right prefixes back to on-prem.

Now, my questions are:
1. Is Azure Route Server the correct solution or am I overthinking this?
2. Has anyone tackled a situation involving NVA firewalls, ExpressRoute, and VPN users across multiple hubs?
3. Is there a simpler way to override ExpressRoute BGP routes without using Azure Route Server?
4. In practice, does the longest-prefix match really take precedence over BGP routes when using the Route Server?

Thanks a lot for your help!

4 Answers

Answered By AzureGuru99 On

It sounds like you're trying to untangle a pretty complex setup! To address your questions, yes, you'll likely need to use User Defined Routes (UDRs) to override the ExpressRoute BGP routes. You can set up UDRs on both sides to point traffic to the appropriate firewalls. Without UDRs, BGP will dictate the routes taken, which complicates things if you have firewalls in the mix.
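To make the precedence AzureGuru99 relies on concrete (and to answer question 4 of the post), here is an added example that is not part of this thread: it models Azure's documented effective-route selection, longest prefix match first, then user-defined route over BGP-learned route over system route when prefixes are equal. Every address, next hop and route entry below is constructed for illustration and is not taken from the poster's environment.

```python
from ipaddress import ip_address, ip_network

# Azure effective-route selection (per Microsoft docs): longest prefix match first;
# if several routes share the same prefix, the source decides, in this order:
# user-defined route > BGP route (shown as "VirtualNetworkGateway") > system route.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

def select_route(routes, destination):
    """Return the route Azure would apply to a packet for `destination`, or None."""
    addr = ip_address(destination)
    candidates = [r for r in routes if addr in ip_network(r["prefix"])]
    if not candidates:
        return None
    # Longer prefix wins; on a tie, the lower source priority value wins.
    return min(candidates, key=lambda r: (-ip_network(r["prefix"]).prefixlen,
                                          SOURCE_PRIORITY[r["source"]]))

# Constructed route table for an LZ2 workload subnet (all values are assumptions).
LZ2_SPOKE_ROUTES = [
    {"prefix": "10.20.0.0/16", "source": "Default", "next_hop": "VnetLocal"},
    {"prefix": "0.0.0.0/0", "source": "Default", "next_hop": "Internet"},
    # Learned from on-prem over ExpressRoute (propagated with useRemoteGateways=true).
    {"prefix": "192.168.0.0/16", "source": "VirtualNetworkGateway", "next_hop": "ER gateway"},
    {"prefix": "192.168.50.0/24", "source": "VirtualNetworkGateway", "next_hop": "ER gateway"},
    # UDRs that steer on-prem and VPN-client return traffic through the firewalls.
    {"prefix": "192.168.0.0/16", "source": "User", "next_hop": "10.20.1.4 (FortiGate)"},
    {"prefix": "172.16.0.0/16", "source": "User", "next_hop": "10.10.1.4 (Palo Alto)"},
]

def next_hop_for(destination, routes=LZ2_SPOKE_ROUTES):
    """Next hop the subnet would use for `destination`, or None if no route matches."""
    route = select_route(routes, destination)
    return route["next_hop"] if route else None

if __name__ == "__main__":
    for dst in ("192.168.1.10", "192.168.50.10", "172.16.3.7", "8.8.8.8"):
        print(dst, "->", next_hop_for(dst))
```

Note the second lookup: the more specific /24 learned over ExpressRoute still beats the /16 UDR, so return traffic for that subnet bypasses the FortiGate unless a UDR of equal or longer length is added, which is exactly how asymmetric paths creep in.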

Answered By CloudyNinja92 On

Thanks for the tips, everyone! I appreciate the feedback and will keep you posted on how it goes!

Answered By TechieMike On

You've definitely got some options here! Using UDRs on your workload subnets and configuring static routes on your NVAs should help manage traffic correctly. It's all about ensuring that your routing logic aligns with what you need for both sides to communicate effectively.

Answered By NetworkingWhiz On

No Virtual WAN in play? That makes things trickier, but totally manageable. I would recommend making your LZ2 hub an effective transit hub, with LZ1 as the primary. Enable gateway routes between your hubs, and then set up the Azure Route Server. Have the Palo Alto firewall inject routes into BGP for LZ2, so all routes become aware of one another. This could solve your return traffic issues!

CloudyNinja92 -

That makes total sense! I'll look into the routing setup more closely to streamline it.
