Transit routing with ExpressRoute and VPN

  • Question

  • We have an on-premises site (let's call this A) and two Azure tenants (let's call them B and C).

    A and B are connected via a private ExpressRoute connection and a redundant site-to-site VPN connection.

    C is connected to B via a VNET to VNET connection, with BGP enabled.

    In this scenario, transit routing is working. Traffic flows between A and C via B. However, it doesn't use the ExpressRoute connection between A and B, which is preferred. It's using the VPN connection instead.

    I suspect this is because the VNET to VNET connection between B and C terminates on the same gateway as the VPN connection between A and B.

    So my question is: how do we get transit routing working between A and C so that the traffic flows via the ExpressRoute connection, with the VPN only used as a backup? Bear in mind that we can't use VNET peering between B and C because these are separate tenants.

    Thursday, June 14, 2018 6:30 AM

Answers

  • Now that Microsoft allows VNET Peering across AAD tenants, this is no longer an issue for us.
    • Marked as answer by aconn21 Tuesday, October 23, 2018 5:02 AM
    Tuesday, October 23, 2018 5:02 AM

All replies

  • This can be caused by BGP not being enabled on one of your gateways, or by an issue with your ExpressRoute between A & B.

    I would first make sure that BGP is enabled everywhere, and next make sure that your ExpressRoute is functioning properly.

    Are you using an NVA (Network Virtual Appliance) in any of your Azure Virtual Networks?

    Thursday, June 14, 2018 10:26 PM
  • BGP is enabled on all gateways. We are not using an NVA in any of our Azure networks.

    I've tested this in a different way, whereby B and C are not separate tenants and therefore VNET peering is used between B and C. This works: the traffic is routed correctly via ExpressRoute between A and B, then on to C.

    However, when VNET peering can't be used (due to them being different tenants) and I therefore need to create a VNET to VNET connection between B and C instead, it seems to prefer using the VPN connection between A and B instead of ExpressRoute. Is there a way to change this, perhaps by using a static routing table in Azure, while still allowing BGP to propagate?


    Thursday, June 14, 2018 11:51 PM
  • Traffic should always prioritize the ER gateway over a site-to-site VPN, and there is not a way to override this behavior.

    Something abnormal is happening, and I think it is best to open a CSS case so that they can look into this issue in more depth. If you do not have a support plan, please let me know and I can assist you with opening a free case for this issue.

    If you do have a support plan, please share the SR# (Support Request Number) so that I can help the support engineer get any background they need.

    Tuesday, June 19, 2018 10:08 PM
  • Yes, you are correct! The VNET to VNET connection terminates on the VPN gateway, not on the ER gateway, as the ER connection is on BGP.

    Workaround: I would suggest linking VNET C to the same ER circuit to communicate with your on-premises network A.

    Steps to follow:

    1. Create an ER gateway in VNET C.

    2. Create an authorization on ER circuit.

    3. Redeem the authorization to connect VNET C to the same ER circuit.

    You can follow the article below to achieve this.

    https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-linkvnet-portal-resource-manager

    If the above solution is helpful feel free to mark this as an answer to help other community members.

    Thursday, October 11, 2018 8:17 AM
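The three steps in the workaround above, written out as Azure CLI commands. This is an added example, not code from the thread or from Microsoft's documentation. Every resource name, the subscription ID and the circuit resource ID are hypothetical placeholders (override them via environment variables); the script defaults to DRY_RUN=1, which prints each az command instead of executing it, so it can be read and checked offline. Step 2 runs while logged in to tenant B (the circuit owner); steps 1 and 3 run in tenant C.

```shell
#!/bin/sh
# Link VNET C to the ExpressRoute circuit that already serves VNET B.
# Added example; all names and IDs below are hypothetical placeholders.
set -u

RG_C="${RG_C:-rg-vnet-c}"                     # resource group in tenant C
VNET_C="${VNET_C:-vnet-c}"                    # VNET C; must already have a GatewaySubnet
ERGW_C="${ERGW_C:-ergw-vnet-c}"               # new ExpressRoute gateway in VNET C
ERGW_C_PIP="${ERGW_C_PIP:-ergw-vnet-c-pip}"   # public IP the gateway requires
LOCATION="${LOCATION:-westeurope}"

RG_B="${RG_B:-rg-vnet-b}"                     # resource group owning the circuit (tenant B)
CIRCUIT="${CIRCUIT:-er-circuit-ab}"           # the existing A<->B circuit
AUTH_NAME="${AUTH_NAME:-auth-vnet-c}"         # authorization created for VNET C
SUB_B="${SUB_B:-00000000-0000-0000-0000-000000000000}"   # placeholder subscription ID of tenant B

# The circuit lives in another tenant, so tenant C refers to it by full resource ID.
CIRCUIT_ID="/subscriptions/$SUB_B/resourceGroups/$RG_B/providers/Microsoft.Network/expressRouteCircuits/$CIRCUIT"

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands; 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1 (tenant C): create an ExpressRoute gateway, not a VPN gateway, so the
# connection to the circuit terminates on the ER path.
step1_create_er_gateway() {
  run az network public-ip create -g "$RG_C" -n "$ERGW_C_PIP" -l "$LOCATION" \
    --sku Standard --allocation-method Static
  run az network vnet-gateway create -g "$RG_C" -n "$ERGW_C" -l "$LOCATION" \
    --vnet "$VNET_C" --gateway-type ExpressRoute --sku Standard \
    --public-ip-address "$ERGW_C_PIP"
}

# Step 2 (tenant B, circuit owner): create an authorization on the circuit and
# read back its key. The key is a bearer secret: anyone holding it can attach
# a VNET to the circuit, so pass it to tenant C out of band and delete the
# authorization once it has been redeemed or is no longer needed.
step2_create_authorization() {
  run az network express-route auth create -g "$RG_B" --circuit-name "$CIRCUIT" -n "$AUTH_NAME"
  run az network express-route auth show -g "$RG_B" --circuit-name "$CIRCUIT" -n "$AUTH_NAME" \
    --query authorizationKey -o tsv
}

# Step 3 (tenant C): redeem the authorization by connecting the ER gateway to
# the circuit's resource ID. The connection is created with vpn-connection
# but its type is ExpressRoute because --express-route-circuit2 is given.
step3_redeem_authorization() {
  auth_key="$1"
  run az network vpn-connection create -g "$RG_C" -n "conn-vnet-c-to-$CIRCUIT" \
    --vnet-gateway1 "$ERGW_C" --express-route-circuit2 "$CIRCUIT_ID" \
    --authorization-key "$auth_key"
}

# Typical flow (run interactively; the key comes from step 2 in tenant B):
#   step1_create_er_gateway
#   step2_create_authorization        # last line printed is the key when DRY_RUN=0
#   step3_redeem_authorization "<authorization key from tenant B>"
# Afterwards, verify with:
#   az network vpn-connection show -g "$RG_C" -n "conn-vnet-c-to-$CIRCUIT" --query connectionStatus
```

With both VNETs linked to the same circuit, C reaches A over ExpressRoute directly instead of transiting B's VPN gateway. Note that an ER gateway takes a long time to provision and that the VNET to VNET connection between B and C is still a VPN-gateway connection; it only stops being the path A uses to reach C.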