You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/virtual-wan/about-virtual-hub-routing-preference.md
+27-24Lines changed: 27 additions & 24 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,11 +1,11 @@
1
1
---
2
2
title: 'Virtual WAN virtual hub routing preference'
3
3
titleSuffix: Azure Virtual WAN
4
-
description: Learn about Virtual WAN Virtual virtual hub routing preference.
4
+
description: Learn about Virtual WAN virtual hub routing preference.
5
5
author: cherylmc
6
6
ms.service: virtual-wan
7
7
ms.topic: conceptual
8
-
ms.date: 07/28/2023
8
+
ms.date: 03/27/2024
9
9
ms.author: cherylmc
10
10
---
11
11
# Virtual hub routing preference
@@ -19,47 +19,50 @@ The virtual hub router takes routing decisions using built-in route selection al
19
19
This section explains the route selection algorithm in a virtual hub along with the control provided by HRP. When a virtual hub has multiple routes to a destination prefix for on-premises, the best route or routes are selected in the order of preference as follows:
20
20
21
21
1. Select routes with Longest Prefix Match (LPM).
22
+
1. Prefer static routes learned from the virtual hub route table over BGP routes.
23
+
1. Select best path based on the virtual hub routing preference configuration.
22
24
23
-
1. Prefer static routes over BGP routes.
25
+
You can select one of the three possible virtual hub routing preference configurations: ExpressRoute, VPN, or AS Path. Each configuration is slightly different. Route rules are processed sequentially within the selected configuration until a match is made.
24
26
25
-
1. Select best path based on the HRP configuration. There are three possible configurations for HRP and the route preference changes accordingly.
27
+
***ExpressRoute** (This is the default setting)
26
28
27
-
***ExpressRoute** (This is the default setting.)
29
+
1. Prefer routes from local virtual hub connections over routes learned from remote virtual hub.
30
+
1. If there are Routes from both ExpressRoute and Site-to-site VPN connections:
28
31
29
-
1. Prefer routes from connections local to a virtual hub over routes learned from remote hub.
30
-
1. If there are still routes from both ER and S2S VPN connections, then see below. Else proceed to the next rule.
31
-
* If all the routes are local to the hub, then choose routes learned from ER connections because HRP is set to ER.
32
-
* If all the routes are through remote hubs, then choose route from S2S VPN connection over ER connections because any transit between ER to ER is supported only if the circuits have ER Global Reach enabled and an Azure Firewall or NVA is provisioned inside the virtual hub.
33
-
1. Then, prefer the routes with the shortest BGP AS-Path length.
32
+
* If all the routes are local to the virtual hub, the routes learned from ExpressRoute connections will be chosen because Virtual hub routing preference is set to ExpressRoute.
33
+
* If all the routes are through remote hubs, Site-to-site VPN will be preferred over ExpressRoute.
34
+
1. Prefer routes with the shortest BGP AS-Path length.
34
35
35
-
***VPN**
36
+
***VPN**
36
37
37
-
1. Prefer routes from connections local to a virtual hub over routes learned from remote hub.
38
-
1. If there are routes from both ER and S2S VPN connections, then choose S2S VPN routes.
39
-
1.Then, prefer the routes with the shortest BGP AS-Path length.
38
+
1. Prefer routes from local virtual hub connections over routes learned from remote virtual hub.
39
+
1. If there are routes from both ExpressRoute and Site-to-site VPN connections, the Site-to-site VPN routes will be chosen.
40
+
1.Prefer routes with the shortest BGP AS-Path length.
40
41
41
-
***AS Path**
42
+
***AS Path**
42
43
43
-
1. Prefer routes with the shortest BGP AS-Path length irrespective of the source of the route advertisements. For example, whether the routes are learned from on-premises connected via S2S VPN or ER.
44
-
1. Prefer routes from connections local to the virtual hub over routes learned from remote hub.
45
-
1. If there are routes from both ER and S2S VPN connections, then see below. Else proceed to the next rule.
46
-
* If all the routes are local to the virtual hub, then choose routes from ER connections.
47
-
* If all the routes are through remote virtual hubs, then choose routes from S2S VPN connections.
44
+
1. Prefer routes with the shortest BGP AS-Path length irrespective of the source of the route advertisements. Note: In vWANs with multiple remote virtual hubs, if there's a tie between remote ExpressRoute routes and remote site-to-site VPN routes, remote site-to-site VPN routes will be preferred.
45
+
46
+
1. Prefer routes from local virtual hub connections over routes learned from remote virtual hub.
47
+
1. If there are routes from both ExpressRoute and Site-to-site VPN connections:
48
+
49
+
* If all the routes are local to the virtual hub, the routes from ExpressRoute connections will be chosen.
50
+
* If all the routes are through remote virtual hubs, the routes from Site-to-site VPN connections will be chosen.
48
51
49
52
**Things to note:**
50
53
51
54
* When there are multiple virtual hubs in a Virtual WAN scenario, a virtual hub selects the best routes using the route selection algorithm described above, and then advertises them to the other virtual hubs in the virtual WAN.
52
-
* For a given set of destination route-prefixes, if the ExpressRoute routes are preferred and the ExpressRoute connection subsequently goes down, then routes from S2S VPN or SD-WAN NVA connections will be preferred for traffic destined to the same route-prefixes. When the ExpressRoute connection is restored, traffic destined for these route-prefixes may continue to prefer the S2S VPN or SD-WAN NVA connections. To prevent this from happening, you need to configure your on-premises device to utilize AS-Path prepending for the routes being advertised to your S2S VPN Gateway and SD-WAN NVA, as you need to ensure the AS-Path length is longer for VPN/NVA routes than ExpressRoute routes.
55
+
* For a given set of destination route-prefixes, if the ExpressRoute routes are preferred and the ExpressRoute connection subsequently goes down, then routes from S2S VPN or SD-WAN NVA connections will be preferred for traffic destined to the same route-prefixes. When the ExpressRoute connection is restored, traffic destined for these route-prefixes might continue to prefer the S2S VPN or SD-WAN NVA connections. To prevent this from happening, you need to configure your on-premises device to utilize AS-Path prepending for the routes being advertised to your S2S VPN Gateway and SD-WAN NVA, as you need to ensure the AS-Path length is longer for VPN/NVA routes than ExpressRoute routes.
53
56
54
57
## Routing scenarios
55
58
56
59
Virtual WAN hub routing preference is beneficial when multiple on-premises are advertising routes to same destination prefixes, which can happen in customer Virtual WAN scenarios that use any of the following setups.
57
60
58
-
* Virtual WAN hub using ER connections as primary and VPN connections as back-up.
61
+
* Virtual WAN hub using ER connections as primary and VPN connections as backup.
59
62
* Virtual WAN with connections to multiple on-premises and customer is using one on-premises site as active, and another as standby for a service deployed using the same IP address ranges in both the sites.
60
63
* Virtual WAN has both VPN and ER connections simultaneously and the customer is distributing services across connections by controlling route advertisements from on-premises.
61
64
62
-
The example below is a hypothetical Virtual WAN deployment that encompasses multiple scenarios described above. We'll use it to demonstrate the route selection by a virtual hub.
65
+
The following example is a hypothetical Virtual WAN deployment that encompasses multiple scenarios described earlier. We'll use it to demonstrate the route selection by a virtual hub.
63
66
64
67
A brief overview of the setup:
65
68
@@ -68,7 +71,7 @@ A brief overview of the setup:
68
71
69
72
:::image type="content" source="./media/about-virtual-hub-routing-preference/diagram.png" alt-text="Example diagram for hub-route-preference scenario." lightbox="./media/about-virtual-hub-routing-preference/diagram.png":::
70
73
71
-
Let’s say there are flows from a virtual network VNET1 connected to Hub_1 to various destination route-prefixes advertised by the on-premises. The path that each of those flows takes for different configurations of Virtual WAN **hub routing preference** on Hub_1 and Hub_2 is described in the tables below. The paths have been labeled in the diagram and referred to in the tables below for ease of understanding.
74
+
Let’s say there are flows from a virtual network VNET1 connected to Hub_1 to various destination route-prefixes advertised by the on-premises. The path that each of those flows takes for different configurations of Virtual WAN **hub routing preference** on Hub_1 and Hub_2 is described in the following tables. The paths have been labeled in the diagram and referred to in the tables for ease of understanding.
Copy file name to clipboardExpand all lines: articles/virtual-wan/virtual-wan-faq.md
+7-32Lines changed: 7 additions & 32 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ author: cherylmc
5
5
ms.service: virtual-wan
6
6
ms.custom: devx-track-azurepowershell
7
7
ms.topic: faq
8
-
ms.date: 10/30/2023
8
+
ms.date: 03/27/2024
9
9
ms.author: cherylmc
10
10
# Customer intent: As someone with a networking background, I want to read more details about Virtual WAN in a FAQ format.
11
11
---
@@ -46,7 +46,7 @@ Virtual WAN supports [Azure VPN client](https://go.microsoft.com/fwlink/?linkid=
46
46
47
47
### For User VPN (point-to-site)- why is the P2S client pool split into two routes?
48
48
49
-
Each gateway has two instances, the split happens so that each gateway instance can independently allocate client IPs for connected clients and traffic from the virtual network is routed back to the correct gateway instance to avoid inter-gateway instance hop.
49
+
Each gateway has two instances. The split happens so that each gateway instance can independently allocate client IPs for connected clients and traffic from the virtual network is routed back to the correct gateway instance to avoid inter-gateway instance hop.
50
50
51
51
### How do I add DNS servers for P2S clients?
52
52
@@ -311,32 +311,7 @@ Yes. Customers can now create more than one hub in the same region for the same
311
311
312
312
### How does the virtual hub in a virtual WAN select the best path for a route from multiple hubs?
313
313
314
-
If a virtual hub learns the same route from multiple remote hubs, the order in which it decides is as follows:
315
-
1. Select routes with Longest Prefix Match (LPM).
316
-
2. Prefer static routes learned from the virtual hub route table over BGP routes.
317
-
3. Select best path based on the [Virtual hub routing preference](about-virtual-hub-routing-preference.md) configuration. There are three possible configurations for Virtual hub routing preference and the route preference changes accordingly.
318
-
319
-
* **ExpressRoute** (This is the default setting)
320
-
1. Prefer routes from local virtual hub connections over routes learned from remote virtual hub.
321
-
2. If there are Routes from both ExpressRoute and Site-to-site VPN connections:
322
-
* If all the routes are local to the virtual hub, the routes learned from ExpressRoute connections will be chosen because Virtual hub routing preference is set to ExpressRoute.
323
-
* If all the routes are through remote hubs, Site-to-site VPN will be preferred over ExpressRoute.
324
-
3. Prefer routes with the shortest BGP AS-Path length.
325
-
326
-
* **VPN**
327
-
1. Prefer routes from local virtual hub connections over routes learned from remote virtual hub.
328
-
2. If there are routes from both ExpressRoute and Site-to-site VPN connections, the Site-to-site VPN routes will be chosen.
329
-
3. Prefer routes with the shortest BGP AS-Path length.
330
-
331
-
* **AS Path**
332
-
1. Prefer routes with the shortest BGP AS-Path length irrespective of the source of the route advertisements.
333
-
Note: In vWANs with multiple remote virtual hubs, If there's a tie between remote routes and remote site-to-site VPN routes. Remote site-to-site VPN will be preferred.
334
-
335
-
2. Prefer routes from local virtual hub connections over routes learned from remote virtual hub.
336
-
3. If there are routes from both ExpressRoute and Site-to-site VPN connections:
337
-
* If all the routes are local to the virtual hub, the routes from ExpressRoute connections will be chosen.
338
-
* If all the routes are through remote virtual hubs, the routes from Site-to-site VPN connections will be chosen.
339
-
314
+
For information, see the [Virtual hub routing preference](about-virtual-hub-routing-preference.md) page.
340
315
341
316
### Does the Virtual WAN hub allow connectivity between ExpressRoute circuits?
342
317
@@ -374,7 +349,7 @@ The current behavior is to prefer the ExpressRoute circuit path for standalone (
374
349
375
350
In Azure portal, the **Allow traffic from remote Virtual WAN networks** and **Allow traffic from non Virtual WAN networks** toggles allow connectivity between the standalone virtual network (VNet 4) and the spoke virtual networks directly connected to the Virtual WAN hub (VNet 2 and VNet 3). To allow this connectivity, both toggles need to be enabled: the **Allow traffic from remote Virtual WAN networks** toggle for the ExpressRoute gateway in the standalone virtual network and the **Allow traffic from non Virtual WAN networks** for the ExpressRoute gateway in the Virtual WAN hub. In the diagram below, if both of these toggles are enabled, then connectivity would be allowed between the standalone VNet 4 and the VNets directly connected to hub 2 (VNet 2 and VNet 3). If an Azure Route Server is deployed in standalone VNet 4, and the Route Server has [branch-to-branch](../route-server/quickstart-configure-route-server-portal.md#configure-route-exchange) enabled, then connectivity will be blocked between VNet 1 and standalone VNet 4.
376
351
377
-
Enabling or disabling the toggle will only affect the following traffic flow: traffic flowing between the Virtual WAN hub and standalone VNet(s) via the ExpressRoute circuit. Enabling or disabling the toggle will **not** incur downtime for all other traffic flows (Ex: on-premises site to spoke VNet 2 will not be impacted, VNet 2 to VNet 3 will not be impacted, etc).
352
+
Enabling or disabling the toggle will only affect the following traffic flow: traffic flowing between the Virtual WAN hub and standalone VNet(s) via the ExpressRoute circuit. Enabling or disabling the toggle will **not** incur downtime for all other traffic flows (Ex: on-premises site to spoke VNet 2 won't be impacted, VNet 2 to VNet 3 won't be impacted, etc).
378
353
379
354
:::image type="content" source="./media/virtual-wan-expressroute-portal/expressroute-bowtie-virtual-network-virtual-wan.png" alt-text="Diagram of a standalone virtual network connecting to a virtual hub via ExpressRoute circuit." lightbox="./media/virtual-wan-expressroute-portal/expressroute-bowtie-virtual-network-virtual-wan.png":::
380
355
@@ -433,7 +408,7 @@ Yes, BGP communities generated by on-premises will be preserved in Virtual WAN.
433
408
434
409
### Is there a way to change the ASN for a VPN gateway?
435
410
436
-
No. Virtual WAN does not support ASN changes for VPN gateways.
411
+
No. Virtual WAN doesn't support ASN changes for VPN gateways.
437
412
438
413
### In Virtual WAN, what are the estimated performances by ExpressRoute gateway SKU?
439
414
@@ -469,7 +444,7 @@ Additional things to note:
469
444
470
445
* If you change your spoke virtual network's subscription status from disabled to enabled and then upgrade the virtual hub, you'll need to update your virtual network connection after the virtual hub upgrade (Ex: you can configure the virtual network connection to propagate to a dummy label).
471
446
472
-
* If your hub is connected to a large number of spoke virtual networks (60 or more), then you may notice that 1 or more spoke VNet peerings will enter a failed state after the upgrade. To restore these VNet peerings to a successful state after the upgrade, you can configure the virtual network connections to propagate to a dummy label, or you can delete and recreate these respective VNet connections.
447
+
* If your hub is connected to a large number of spoke virtual networks (60 or more), then you might notice that 1 or more spoke VNet peerings will enter a failed state after the upgrade. To restore these VNet peerings to a successful state after the upgrade, you can configure the virtual network connections to propagate to a dummy label, or you can delete and recreate these respective VNet connections.
473
448
474
449
### Is there a route limit for OpenVPN clients connecting to an Azure P2S VPN gateway?
475
450
@@ -504,7 +479,7 @@ At this time, advanced notification can't be enabled for the maintenance of Netw
504
479
505
480
At this time, you need to configure a minimum of a five hour window in your preferred time zone.
506
481
507
-
### Can I configure a maintenance schedule that does not repeat daily?
482
+
### Can I configure a maintenance schedule that doesn't repeat daily?
508
483
509
484
At this time, you need to configure a daily maintenance window.
0 commit comments