Dynamic routing with VPN Gateway and with inspection by NVA

Cat Mucius 71 Reputation points
2024-10-18T18:44:54.4966667+00:00

I'm searching for possibility to implement a topology like this:

Spoke VNETs <====> NVA, for instance FortiGate <=====> VPN Gateway <=====> on-premises

To implement this with static routing is pretty straightforward, but has irritating limitations:

  • If I place the NVA and the VPN Gateway in the same HUB VNET, while enabling the Enable Spoke-VNET to use HUB-VNET's remote gateway or route server option - then narrow on-premises prefixes learned from VPN Gateway will override more generic prefixes in Spoke VNET UDRs, which steer traffic towards on-premises to the NVA for inspection. I'll need to override each one of them in the UDRs, which is not practical.
  • If I place them in the same HUB VNET without enabling this option, or if I place the VPN Gateway in a VNET not peered directly with Spokes - then the VPN Gateway won't know IP ranges of Spoke VNETs. It still will deliver traffic for them to the NVA by means of a UDR applied to its GatewaySubnet, but if the VPN Gateway will learn some prefix overlapping with Spoke VNET's prefix from one of its BGP-over-IPsec peers - it will send the traffic there instead of delivering it to the NVA, and communication will fail.

Example - UDR of GatewaySubnet says "deliver traffic to 10.0.0.0.0/0 via NVA".
The Spoke VNET's range is 10.11.12.0/24.
If the VPN Gateway doesn't learn it automatically from the SDN, while learning a prefix 10.11.0.0/16 from some its BGP peer - then traffic to 10.11.12.0/24 will be sent to this peer instead of the Spoke.

I'm looking for solution that would allow:

  1. Spoke VNETs to deliver traffic to the NVA - without me having to override by UDRs each narrow prefix injected to them by the VPN Gateway.
  2. VPN Gateways to learn automatically prefixes of Spoke VNETs - while still delivering traffic to them via the NVA.

Is such this possible? With Route Server or without?

Thanks!
Mucius.

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,593 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,576 questions
Azure Route Server
Azure Route Server
An Azure service that enables network appliances to exchange route information with Azure virtual networks dynamically.
11 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Cat Mucius 71 Reputation points
    2024-10-25T23:34:05.5166667+00:00

    Figured out a partial solution:Routing_with_VPN_Gateway_and_NVA_-Solution-_BGP_based.drawio

    The idea is this:

    • Since the best way to inject routes into VPN Gateway's internal routing table is by BGP, nothing prevents us from establishing BGP-over-IPsec peerings between the Gateway and our firewall VMs.
    • So the firewall VMs will dynamically learn Spoke VNETs' prefixes from Azure Route Server and re-advertise them to the VPN Gateway instances.
    • The VPN Gateway will be deployed in a separate VNET, to avoid its GatewaySubnet learning direct routes to Spokes.

    The main problem of this solution is that it requires Active-Passive firewall setup, to keep traffic symmetry.

    Documented more details here:

    https://github.com/cat-mucius/kb/wiki/Dynamic-routing-with-Azure-VPN-Gateway-and-with-traffic-inspection-by-custom-firewall

    Update: judging by the "Direct routing to NVA instances for dual-role connectivity and firewall NVAs" section in Virtual WAN documentation, Microsoft themselves didn't find a good active-active solution for this problem. :-)

    Azure's software-defined networking platform doesn't guarantee flow-level symmetry, meaning the inbound flow to Azure and outbound flow from Azure can land on different instances of the NVA. This results in asymmetric routing which is dropped by stateful firewall inspection. Therefore, it isn't recommended to use active-active connectivity patterns where an NVA is behaving as a dual-role NVA unless the NVA can support asymmetric forwarding or support session sharing/synchronization.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.