Site to site IPSec VPN over Express Route

Ali Shaikh 0 Reputation points
2024-12-13T03:59:19.2666667+00:00

We have a requirement from the customer to build IPsec over an ExpressRoute circuit. In Azure we have a hub and spoke topology. Resources deployed in the spoke need to communicate with on-prem networks using the IPsec tunnel. It is observed that traffic from Azure is not going via the IPsec tunnel.

Currently IPsec is not configured with BGP and it's only using traffic selectors to route traffic.

Routing over IPSec:

On Prem Network: 172.16.1.240/32

Azure Network: 10.247.218.128/26

Routing over ER (BGP):

On Prem Network: 172.16.1.0/32

Azure Network: 10.247.218.0/24

Log Analytics indicates the traffic is taking the route over the ER circuit and not the IPsec VPN. As per Azure documentation, longest prefix match should be the route selection criterion. I am struggling to understand why the traffic is not routing through the IPsec tunnel.


2 answers

  1. Marcin Policht 31,480 Reputation points MVP
    2024-12-13T04:25:34.34+00:00

    As far as I can tell, this behavior likely stems from the route selection precedence in Azure's routing infrastructure. Azure follows specific rules when evaluating and selecting routes, and while longest prefix match is one criterion, other factors may override it.

    This includes the following:

    1. Route type precedence: Azure uses a hierarchy for route selection, where system-defined routes (like those for ExpressRoute) take precedence over user-defined routes (UDRs) for the same destination, even if the UDR has a longer prefix match.
    2. ExpressRoute prefix advertisement: The BGP route for 172.16.1.0/32 advertised via ExpressRoute might be prioritized over the IPsec VPN route because:
      • ExpressRoute is a Microsoft-managed route, and Azure treats these routes as higher precedence compared to custom IPsec routes.
      • Traffic selectors in IPsec VPN are typically only used to establish the tunnel and are not actively enforced for routing decisions in Azure unless explicitly configured.
    3. Overlapping prefixes:
      • You mention that IPsec is using 172.16.1.240/32 while ExpressRoute advertises 172.16.1.0/32. If the system route for 172.16.1.0/32 via ExpressRoute exists, it might override the longer prefix match of 172.16.1.240/32 due to route type precedence.
    4. Traffic selector scope: Traffic selectors do not directly impact Azure's route selection; they only negotiate which traffic is allowed to pass through the IPsec tunnel. If Azure's routing table directs traffic via ExpressRoute, it will bypass the tunnel, regardless of the selectors.

    To address this, you might consider the following:

    Option 1: Use a User-Defined Route (UDR)

    1. Create a UDR for the Azure subnets that need to communicate with the on-prem network.
    2. Add a UDR with the destination 172.16.1.240/32 (or other specific prefixes for on-prem) and specify the virtual network gateway (used for the IPsec tunnel) as the next hop.
    3. Associate the UDR with the subnets where the spoke resources are deployed.

    Option 2: Advertise more specific prefixes via IPsec

    If possible, configure the on-premises side of the IPsec VPN to advertise the specific prefix 172.16.1.240/32 instead of or in addition to 172.16.1.0/32. This ensures the IPsec route is considered a better match by Azure's routing logic.

    Option 3: Adjust ExpressRoute advertisements

    • If you can, stop advertising 172.16.1.0/32 via BGP over ExpressRoute. This will force Azure to route traffic for 172.16.1.240/32 through the IPsec tunnel.

    Option 4: Configure BGP for the IPsec VPN

    Enabling BGP for the IPsec VPN allows you to advertise routes dynamically. Azure will evaluate all routes and prioritize based on longest prefix match and route type precedence.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


  2. KapilAnanth-MSFT 48,331 Reputation points Microsoft Employee
    2024-12-16T06:50:42.4933333+00:00

    @Ali Shaikh ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I see you are following Configure a Site-to-Site VPN connection over ExpressRoute private peering.

    Wrt your verbatim,

    1. I am not sure how you say Azure advertises "10.247.218.128/26 over IPSec" and "10.247.218.0/24 over ExR"

    • This is not correct.
    • Azure will always advertise the entire Azure VNet's range (and peered VNets) in both cases.
    • See: Traffic advertised from Azure
    • This means you have to make sure that on-prem routes the traffic to Azure in the desired way, i.e., either via the VPN device or ExR.

    2. You also mentioned On Prem Network advertises "172.16.1.240/32 over IPSec" and "172.16.1.0/24 over ExR"

    • In this case, traffic from Azure to on-prem destined to 172.16.1.240/32 should go via the IPsec tunnel only.
    • I believe this is because BGP is not employed here.
    • I see the recommendation here is to use BGP, refer: Route Traffic from Azure to on-premises networks
      • And the only option mentioned here is to advertise more specific prefixes on the VPN BGP session when there is an overlap between the address prefixes of the ExR and VPN.

    I would suggest you start using BGP if you would like to route traffic via IPsec.

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
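Both answers turn on how Azure picks a route for 172.16.1.240 from the spoke subnet's effective routes. The following is an added example, not code from the thread or from Azure: it models the documented selection order (longest prefix match first; on equal prefix length, user-defined beats BGP beats system) and runs it over constructed route tables that mirror the first answer's Option 1 (a /32 UDR) and the second answer's recommendation (the /32 advertised on a VPN BGP session). Next-hop labels and the route tables are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Documented Azure order: longest prefix match first; when two routes share the
# same prefix length, user-defined beats BGP, which beats system routes.
SOURCE_PRIORITY = {"UDR": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str      # CIDR as it would appear in the subnet's effective routes
    next_hop: str    # next-hop label (constructed, not an Azure enum value)
    source: str      # "UDR", "BGP" or "System"


def select_route(routes, destination):
    """Return the route Azure would pick for one destination address, or None."""
    addr = ip_address(destination)
    matches = [r for r in routes if addr in ip_network(r.prefix)]
    if not matches:
        return None
    # Sort key: longer prefix wins first, then the documented source precedence.
    return min(matches, key=lambda r: (-ip_network(r.prefix).prefixlen,
                                       SOURCE_PRIORITY[r.source]))


def next_hop_for(routes, destination):
    r = select_route(routes, destination)
    return r.next_hop if r else None


# Constructed effective-route table for the spoke subnet in the thread:
# only the on-prem /24 learned over ExpressRoute private peering is present.
ER_ONLY = [
    Route("10.247.218.0/24", "VNetLocal", "System"),        # the VNet's own space
    Route("172.16.1.0/24", "ExpressRouteGateway", "BGP"),   # on-prem range via ER
]
# Option 1 from the first answer: a /32 UDR whose next hop is the VPN gateway.
WITH_UDR = ER_ONLY + [Route("172.16.1.240/32", "VpnGateway", "UDR")]
# Second answer: the more specific /32 advertised on the VPN BGP session.
WITH_VPN_BGP = ER_ONLY + [Route("172.16.1.240/32", "VpnGateway", "BGP")]
# Tie-break case: the same /24 from a UDR and from ER; the UDR wins on source.
EQUAL_PREFIX = ER_ONLY + [Route("172.16.1.0/24", "VpnGateway", "UDR")]

if __name__ == "__main__":
    for name, table in [("ER only", ER_ONLY), ("with UDR", WITH_UDR),
                        ("with VPN BGP", WITH_VPN_BGP), ("equal prefix", EQUAL_PREFIX)]:
        print(f"{name:13s} 172.16.1.240 -> {next_hop_for(table, '172.16.1.240')}")
```

Compare the output against the subnet's actual effective routes in the portal: if the /32 is absent there, no longest-prefix logic can send the traffic to the tunnel.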

