route table related to site-to-site vpn between on-prime and azure

Gongya Yu 190

VPN-Topo

I have the topology above.
With the express router, I can see its route table with prefixes from both azure and on-prime, prefixes to on-prime with next-hop being on-prime bgp peer IP and prefixes to azure with next-hop being VGW peer IP. It seems automatic mutual-redistribution between azure and on-prime.

How does this work for site-to-site VPN?
I got VPN up and bgp up, but I can see VGW bgp peer table with the prefixes from on-prime.
vpn-bgp

Gongya Yu 190 Reputation points

2024-07-19T02:45:58.05+00:00

Sorry. figured it out. The first three lines points to VGW. thanks !!!
But it does not have the routes from vnet peerings.
But the effective routes on the virtual appliance does include the routes to on-prime.
Gongya Yu 190 Reputation points

2024-07-19T02:59:06.31+00:00

Don't understand why the prefixes from vnet peerings do not in this table ?

thanks !!
Gongya Yu 190 Reputation points

2024-07-19T05:04:38.55+00:00

I saw the following
Gongya Yu 190 Reputation points

2024-07-19T07:33:26.1433333+00:00

thanks so much !!
I do not understand traffic selector decides routes added to the VGW route table. I will give a try tomorrow.
Gongya Yu 190 Reputation points

2024-07-19T07:36:19.1766667+00:00

on-prime I have the following
set security ipsec vpn JCNAA-Connection-VPN ike proxy-identity local 0.0.0.0/0

set security ipsec vpn JCNAA-Connection-VPN ike proxy-identity remote 0.0.0.0/0

looks OK ?

thanks !!
Gongya Yu 190 Reputation points

2024-07-19T07:38:09.2533333+00:00

One more question.
If I shutdown all the devices in a vnet, is the vnet subnet still supposed to be advertised or added to the route table.

thanks !!

Accepted answer

KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee

2024-07-19T05:09:47.38+00:00
@Gongya Yu ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

From your verbatim, I see

You have a VPN Gateway in a HubVNET and this VNET is peered to multiple spokes.

You checked the BGP Peering view of the HubVNET and you do not see the VNET Spokes being advertised

But from a NVA in the HubVNET , you are able to see the routes for peered VNETs.

Summary :

Seeing the NIC Effective routes in NVA and the VPN Gateway learned routes are not all related and you should not compare these two.

From the spokes, did you enable Gateway Transit on the peerings between the Spokes and the Hub?

Also your OnPrem should accept the traffic selector when Azure initiates a connection.

Cheers,

Kapil
Please sign in to rate this answer.
Gongya Yu 190 Reputation points

2024-07-19T07:30:35.53+00:00

Server Peering

KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee

2024-07-19T07:36:20.3933333+00:00

@Gongya Yu ,

I assume "Server-Hub" VNET is the spoke

You should enable "Enable 'Server-vnet' to use "Hub-GW-vnet's'

remote gateway or route server" in this peering.

Gongya Yu 190 Reputation points

2024-07-19T08:03:23.4133333+00:00

thanks so much !!

It works after adjusting peering settings.

thanks so much for quick help !!

KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee

2024-07-19T08:15:02.21+00:00

@Gongya Yu ,

I'm glad the issue has been resolved now.

I would greatly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Wrt your question, "If I shutdown all the devices in a vnet, is the vnet subnet still supposed to be advertised or added to the route table."

Azure VPN Gateway will advertise the entire VNET Range even if there are no devices created/running in the VNET

Thanks for your continued contribution on Q&A and appreciate much for taking the time to share your feedback.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

route table related to site-to-site vpn between on-prime and azure

0 additional answers

Your answer