Commit a083c37

Merge pull request #221705 from erjosito/patch-9
Added remark about RT in GatewaySubnet
2 parents caa025a + e4faf03 commit a083c37

3 files changed: +4 / -4 lines changed
articles/route-server/route-injection-in-spokes.md

Lines changed: 4 additions & 4 deletions
@@ -89,11 +89,11 @@ To propagate routes to the spokes the NVA uses a second Azure Route Server 2, de
8989

9090
The next hop for this `0.0.0.0/0` route will be the NVA, so the spokes still need to be peered to the hub VNet. Another important aspect to notice is that the hub VNet needs to be peered to the VNet where the new Azure Route Server 2 is deployed, otherwise it will not be able to create the BGP adjacency.
9191

92-
This design allows automatic injection of routes in a spoke VNets without interference from other routes learned from ExpressRoute, VPN or an SDWAN environment.
92+
If traffic from ExpressRoute to the spokes is to be sent to a firewall NVA for inspection, a route table in the GatewaySubnet is still required, otherwise the ExpressRoute Virtual Network Gateway will send packets straight to the Virtual Machines through the routes learnt from VNet peering. The routes in this route table should match the spoke prefixes, and the next hop should be the IP address of the firewall NVA (or the load balancer in front of the firewall NVAs, for redundancy). The firewall NVA can be the same as the SDWAN NVA in the diagram above, or it can be a different device such as Azure Firewall, since the SDWAN NVA can advertise routes with the next-hop pointing to other IP addresses. The following diagram shows this design with the addition of Azure Firewall:
9393

94-
> [!IMPORTANT]
95-
> This design requires a User-Defined Route (UDR) on the GatewaySubnet, programmed with the NVA as the next-hop for all peered Vnet traffic.
96-
>
94+
:::image type="content" source="./media/scenarios/route-injection-split-route-server-with-firewall.png" alt-text="This network diagram shows a basic hub and spoke topology with on-premises connectivity via ExpressRoute, an Azure Firewall and two Route Servers.":::
95+
96+
This design allows automatic injection of routes in a spoke VNets without interference from other routes learned from ExpressRoute, VPN or an SDWAN environment, and the addition of firewall NVAs for traffic inspection.
9797

9898
## Next steps
9999
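Review bot: Replacing the `[!IMPORTANT]` callout with the new paragraph at hunk lines 92+ to 96+ demotes a security-relevant requirement to ordinary prose and changes its scope: the removed callout stated that the design requires a UDR on the GatewaySubnet for all peered VNet traffic, while the added text makes the route table conditional ("If traffic from ExpressRoute to the spokes is to be sent to a firewall NVA for inspection") and narrows it to routes matching the spoke prefixes. Since the new sentence itself explains the failure mode ("otherwise the ExpressRoute Virtual Network Gateway will send packets straight to the Virtual Machines"), that is, ExpressRoute traffic bypasses the firewall, consider keeping a short callout after the paragraph, e.g. `> [!IMPORTANT]` / `> Without a route table on the GatewaySubnet, traffic from ExpressRoute to the spokes bypasses the firewall NVA.`, and state explicitly whether a route per spoke prefix is sufficient or whether all peered VNet ranges must be covered, as the old text implied. Two style points on the same lines: "learnt" (92+) and "learned" (96+) are used inconsistently within one paragraph, and the pre-existing "in a spoke VNets" at 96+ should read "in spoke VNets".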

0 commit comments
