I have a hub VNET peered to a spoke VNET in a hub and spoke topology, with the hub connected to on-prem via an ExpressRoute connection:
allow_forwarded_traffic = true
allow_gateway_transit = true
Connectivity from the hub vnet to the on-prem network is fine.
The problem is I can only see the On-premise and Hub VNET Routes in the ExpressRoute Circuit Route table but not the spoke routes.
This means on-prem will not know of the spoke networks as they gradually get added to the hub.
What must be done to automatically have the VNET address space for the spoke networks get advertised down to on-prem via the ER Gateway?
As mentioned in the ExpressRoute FAQ doc,
The ExpressRoute gateway will advertise the Address Space(s) of the Azure VNet, you can't include/exclude at the subnet level. It's always the VNet Address Space that is advertised. Also, if VNet Peering is used and the peered VNet has "Use Remote Gateway" enabled, the Address Space of the peered VNet will also be advertised.
You have mentioned that: allow_forwarded_traffic = true & allow_gateway_transit = true --> these options are for the Hub Vnet peering.
I would request you to validate the spoke Vnet peering configuration. It should have: allow_forwarded_traffic = true & Use_Remote_Gateways = true.
If you have created the peering via Azure Portal, please make sure that "Use the remote virtual network's gateway or Route Server" option is selected on the spoke Vnet peering as below:
Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
If you have created the peering via Azure PowerShell or Azure CLI, please make sure that "-UseRemoteGateways/--use-remote-gateways" has been added on the spoke Vnet peering.
Once the "Use Remote Gateway" option is enabled on the spoke Vnet peering, the ExpressRoute gateway should advertise the spoke Vnet address space to your on-prem.
If this option is already enabled and still the spoke Vnet range is not advertised, I would recommend you to delete and re-create the Vnet peering between the Hub Vnet and Spoke Vnet with the gateway transit and remote gateway options.
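The two peering sides described in the answer above, written as Terraform for the azurerm provider. This is an added example, not part of the original question or answer; the variable names, resource labels and peering names are hypothetical, and the hub VNET is assumed to already contain the ExpressRoute gateway.

```hcl
# Added example: hub and spoke peering pair. All names are hypothetical placeholders.
variable "hub_rg"          { type = string } # resource group of the hub VNET
variable "hub_vnet_name"   { type = string }
variable "hub_vnet_id"     { type = string }
variable "spoke_rg"        { type = string } # resource group of the spoke VNET
variable "spoke_vnet_name" { type = string }
variable "spoke_vnet_id"   { type = string }

# Hub side: offers its gateway to the peered spoke.
resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  name                         = "hub-to-spoke"
  resource_group_name          = var.hub_rg
  virtual_network_name         = var.hub_vnet_name
  remote_virtual_network_id    = var.spoke_vnet_id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
  allow_gateway_transit        = true  # the hub owns the ExpressRoute gateway
  use_remote_gateways          = false # the hub does not borrow a gateway
}

# Spoke side: uses the hub's gateway. This is the setting that makes the
# ExpressRoute gateway advertise the spoke address space to on-prem.
resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                         = "spoke-to-hub"
  resource_group_name          = var.spoke_rg
  virtual_network_name         = var.spoke_vnet_name
  remote_virtual_network_id    = var.hub_vnet_id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
  allow_gateway_transit        = false # the spoke has no gateway of its own
  use_remote_gateways          = true  # "Use the remote virtual network's gateway"

  # Assumption: create the hub-side peering first so gateway transit is
  # already offered when the spoke asks to use the remote gateway.
  depends_on = [azurerm_virtual_network_peering.hub_to_spoke]
}
```

Each new spoke needs its own pair of these resources; once `use_remote_gateways = true` is applied on the spoke side, the spoke range should appear in the ExpressRoute circuit route table alongside the hub and on-prem routes.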