Tags: azure, azure-virtual-network, express-router, bgp, on-premise2cloud

Handling route servers in ExpressRoute circuit migration


I am currently working on migrating my company's Azure ExpressRoute circuits. We are switching our SDWAN provider, and I've been following the Microsoft documentation on the procedure from here. For background, we use a hub-and-spoke network topology in Azure, and our current ER circuit sits in the hub VNET. I have provisioned a new ER circuit, created a test VNET and VGW, and peered the new circuit to that VGW. Now I am running into issues verifying connectivity because of our firewall setup.

We have a firewall inspecting all traffic going over ExpressRoute. We have an ARS in the hub VNET which is peered to the FW to propagate BGP routes. Since our test VNET doesn't have an ARS, I can't get a proper connection going over the new circuit. The way I see it, I have 2 options to address this:

  1. Create a new ARS in the test VNET and peer it to the FW
  2. Peer my test VNET to the prod VNET to allow it to use the hub's ARS

If I go with option 1, I am going to need to do a bunch of work testing/applying filters to avoid asymmetrical routing (plus change control paperwork). Option 2 is faster, but I need to know the exact configuration to apply to the VNET peering to avoid any unintended consequences. This is the current peering config I am thinking of trying: [image: Proposed VNET peering configuration]

My question is: would option 2 work, and if so is my proposed configuration going to cause problems? I am really just looking for a quicker solution than messing with our FW config. Please let me know if there's any additional information I can provide, I'm a cloud application developer first so this is a bit outside of my expertise.


Solution

  • The hub VNET has an existing Azure Route Server (ARS) used for BGP route propagation and a firewall inspecting all traffic going through ExpressRoute.

  • Create the test VNET: in the Azure Portal, go to Virtual networks > Create. Set the name to vnet-ertesting and configure the address space (e.g., 10.2.0.0/16).

  • Add a subnet (e.g., default) and set its address range (e.g., 10.2.0.0/24).

  • In ExpressRoute circuits, select the new circuit and connect it to the VGW in vnet-ertesting using the Azure Portal or Azure CLI.

  • Configure the peering settings:

    • Allow vnet-ertesting to access the peered virtual network (check)
    • Allow vnet-ertesting to receive forwarded traffic (uncheck)
    • Allow gateway or route server in vnet-ertesting to forward traffic (uncheck)
    • Enable vnet-ertesting to use the peered virtual network's remote gateway or route server (check)

  • You should see routes being propagated from the ARS in the hub VNET, including those learned via BGP from the ExpressRoute circuit.

  Result: [screenshot of the propagated routes]
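The peering settings from the answer above, expressed as Azure CLI in a dry-run/apply script. This is an added example, not code from the original answer or from Microsoft; the resource group, VNET and NIC names are placeholders, and it assumes the hub and test VNETs sit in the same resource group (otherwise pass the hub's full resource ID as `--remote-vnet`). It maps the four portal checkboxes to their CLI flags, adds the matching hub-side peering that the spoke's "use remote gateway" setting depends on, and prints the verification commands. With `APPLY` unset it only prints what it would run, which is the part that goes into the change record.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): the peering from the answer as
# Azure CLI, with a dry-run mode. Names below are assumptions; APPLY=1 executes
# the commands, anything else only prints them.

RG="${RG:-rg-er-migration}"            # assumed resource group
HUB_VNET="${HUB_VNET:-vnet-hub}"       # assumed hub VNET name (ARS + firewall live here)
TEST_VNET="${TEST_VNET:-vnet-ertesting}"
TEST_NIC="${TEST_NIC:-nic-ertest-vm}"  # assumed NIC of a test VM in vnet-ertesting

# Spoke side: the four portal checkboxes from the answer mapped to CLI flags.
#   Allow vnet-ertesting to access the peered VNET (checked)            -> --allow-vnet-access
#   Allow vnet-ertesting to receive forwarded traffic (unchecked)       -> omit --allow-forwarded-traffic
#   Allow gateway/route server in vnet-ertesting to forward (unchecked) -> omit --allow-gateway-transit
#   Use the peered VNET's remote gateway or route server (checked)      -> --use-remote-gateways
spoke_peering_flags() {
  echo "--allow-vnet-access --use-remote-gateways"
}

# Hub side: the spoke's --use-remote-gateways only works when the hub's peering
# toward the spoke carries --allow-gateway-transit. Forwarded traffic stays off
# here as well; nothing in the hub needs traffic forwarded from the spoke.
hub_peering_flags() {
  echo "--allow-vnet-access --allow-gateway-transit"
}

# Sanity check on the pairing: the spoke must use the remote gateway and must
# not itself offer transit, and the hub must offer transit. Returns 0 when the
# two flag sets form that pairing, 1 otherwise.
peering_flags_consistent() {
  spoke="$1"; hub="$2"
  case "$spoke" in *--use-remote-gateways*) ;; *) return 1 ;; esac
  case "$spoke" in *--allow-gateway-transit*) return 1 ;; esac
  case "$hub"   in *--allow-gateway-transit*) ;; *) return 1 ;; esac
  return 0
}

# Print or execute a command depending on APPLY.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

create_peerings() {
  peering_flags_consistent "$(spoke_peering_flags)" "$(hub_peering_flags)" || return 1
  # Azure rejects --use-remote-gateways on a VNET that already has its own
  # virtual network gateway, so refuse to apply while the spoke has one.
  if [ "${APPLY:-0}" = "1" ]; then
    n=$(az network vnet-gateway list -g "$RG" \
      --query "length([?contains(ipConfigurations[0].subnet.id, '/virtualNetworks/${TEST_VNET}/')])" -o tsv)
    if [ "$n" != "0" ]; then
      echo "$TEST_VNET already has a virtual network gateway; use-remote-gateways would be rejected" >&2
      return 1
    fi
  fi
  # Hub side first, so the spoke's --use-remote-gateways finds a peering with
  # gateway transit on the other side. Flag lists are intentionally unquoted
  # so they split into separate arguments.
  run az network vnet peering create -g "$RG" --vnet-name "$HUB_VNET" \
    -n "${HUB_VNET}-to-${TEST_VNET}" --remote-vnet "$TEST_VNET" $(hub_peering_flags)
  run az network vnet peering create -g "$RG" --vnet-name "$TEST_VNET" \
    -n "${TEST_VNET}-to-${HUB_VNET}" --remote-vnet "$HUB_VNET" $(spoke_peering_flags)
}

verify() {
  # Both peerings must report Connected; Initiated means the other side is missing.
  run az network vnet peering show -g "$RG" --vnet-name "$TEST_VNET" \
    -n "${TEST_VNET}-to-${HUB_VNET}" \
    --query "{state:peeringState,useRemoteGateways:useRemoteGateways}" -o json
  # On a NIC in the test subnet the on-prem prefixes should now appear with
  # source VirtualNetworkGateway (they arrive via the hub's ARS); if the ARS
  # learns them from the firewall, their next hop is the firewall's address.
  run az network nic show-effective-route-table -g "$RG" -n "$TEST_NIC" -o table
}

create_peerings && verify
```

Run it once without `APPLY` to capture the exact commands for the change record, then with `APPLY=1`. The gateway pre-check matters for the scenario in the question: Azure does not allow "use remote gateways" on a VNET that has its own virtual network gateway, so a test VNET that already holds the VGW for the new circuit cannot take that peering setting until the gateway is removed or a separate VNET is used. The effective-route check is the quickest way to confirm that the spoke is actually receiving the ARS-learned on-prem prefixes rather than only the hub's own address space.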