Share via

Dynamic routing with VPN Gateway and with inspection by NVA

Cat Mucius 71 Reputation points
2024-10-18T18:44:54.4966667+00:00

I'm searching for possibility to implement a topology like this:

Spoke VNETs <====> NVA, for instance FortiGate <=====> VPN Gateway <=====> on-premises

To implement this with static routing is pretty straightforward, but has irritating limitations:

  • If I place the NVA and the VPN Gateway in the same HUB VNET, while enabling the Enable Spoke-VNET to use HUB-VNET's remote gateway or route server option - then narrow on-premises prefixes learned from VPN Gateway will override more generic prefixes in Spoke VNET UDRs, which steer traffic towards on-premises to the NVA for inspection. I'll need to override each one of them in the UDRs, which is not practical.
  • If I place them in the same HUB VNET without enabling this option, or if I place the VPN Gateway in a VNET not peered directly with Spokes - then the VPN Gateway won't know IP ranges of Spoke VNETs. It still will deliver traffic for them to the NVA by means of a UDR applied to its GatewaySubnet, but if the VPN Gateway will learn some prefix overlapping with Spoke VNET's prefix from one of its BGP-over-IPsec peers - it will send the traffic there instead of delivering it to the NVA, and communication will fail.

Example - UDR of GatewaySubnet says "deliver traffic to 10.0.0.0.0/0 via NVA".
The Spoke VNET's range is 10.11.12.0/24.
If the VPN Gateway doesn't learn it automatically from the SDN, while learning a prefix 10.11.0.0/16 from some its BGP peer - then traffic to 10.11.12.0/24 will be sent to this peer instead of the Spoke.

I'm looking for solution that would allow:

  1. Spoke VNETs to deliver traffic to the NVA - without me having to override by UDRs each narrow prefix injected to them by the VPN Gateway.
  2. VPN Gateways to learn automatically prefixes of Spoke VNETs - while still delivering traffic to them via the NVA.

Is such this possible? With Route Server or without?

Thanks!
Mucius.

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,543 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,472 questions
Azure Route Server
Azure Route Server
An Azure service that enables network appliances to exchange route information with Azure virtual networks dynamically.
10 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Luis Arias 6,796 Reputation points
    2024-10-18T22:13:06.6233333+00:00

    Hi Cat Mucius,

    I understand that you want to allow Spoke VNETs to send traffic to NVA without manual UDR overrides for each prefix from VPN Gateway and also enable VPN Gateways to automatically learn Spoke VNETs' prefixes and route traffic via NVA. Your actual configuration can be showed as this one:

    User's image

    The solution will require deploy an Azure Route Server in the HUB VNET, This enables dynamic route propagation and learning between components. Bellow configuration required:

    • Peer the NVA with the Azure Route Server to advertise learned routes.
    • Peer the VPN Gateway with the Azure Route Server to dynamically learn Spoke VNET prefixes.
    • On Spoke VNETs set a default route (0.0.0.0/0) pointing to the NVA for outgoing traffic
    • On HUB VNET GatewaySubnet include a UDR to send all traffic destined for on-premises to the NVA first, then to the VPN Gateway.

    Therefore the Traffic Flow on Spoke VNETs send traffic to the NVA due to the default route and VPN Gateway learns Spoke VNET prefixes from the Route Server and routes traffic through the NVA, ensuring traffic inspection before it reaches its destination.

    User's image

    This configuration, eliminates the need for manual UDR updates for each prefix and ensures all traffic from Spoke VNETs is inspected by the NVA before reaching on-premises or other destinations.

    References:

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Regards,

    Luis

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.