|
1 | 1 | --- |
2 | | -title: 'About dual-homed network with Azure Route Server ' |
3 | | -description: Learn about how Azure Route Server works in a dual-homed network. |
| 2 | +title: About dual-homed network with Azure Route Server |
| 3 | +description: Learn how Azure Route Server works in a dual-homed network. |
4 | 4 | services: route-server |
5 | 5 | author: halkazwini |
6 | 6 | ms.service: route-server |
7 | 7 | ms.topic: conceptual |
8 | | -ms.date: 09/01/2021 |
| 8 | +ms.date: 01/27/2023 |
9 | 9 | ms.author: halkazwini |
| 10 | +ms.custom: template-concept, engagement-fy23 |
10 | 11 | --- |
11 | 12 |
|
12 | 13 | # About dual-homed network with Azure Route Server |
13 | 14 |
|
14 | | -In a typical hub and spoke architecture, application workloads are deployed in spoke VNets. These spokes are peered with a single hub VNet, which contains shared network resources such as VPN and ExpressRoute gateways. In some situations it can be desirable to peer spokes to more than one hub VNet, for example if multiple VPN or ExpressRoute Gateways are required for any reason. Azure Route Server enables this architecture so that workloads in a spoke VNet can communicate through either of the hub VNets it is connected to. |
| 15 | +In a typical hub and spoke architecture, application workloads are deployed in spoke virtual networks (VNets). These spokes are peered with a single hub VNet, which contains shared network resources such as VPN and ExpressRoute gateways. In some situations it can be desirable to peer spokes to more than one hub VNet, for example if multiple VPN or ExpressRoute Gateways are required for any reason. Azure Route Server enables this architecture so that workloads in a spoke VNet can communicate through either of the hub VNets it's connected to. |
15 | 16 |
|
16 | 17 | ## How to set it up |
17 | 18 |
|
18 | 19 | As can be seen in the following diagram, you need to: |
19 | 20 |
|
20 | | -* Deploy an NVA in each hub virtual network and the route server in the spoke virtual network. |
| 21 | +* Deploy a Network Virtual Appliance (NVA) in each hub virtual network and a route server in the spoke virtual network. |
21 | 22 | * Enable VNet peering between the hub and spoke virtual networks. |
22 | | -* Configure BGP peering between the Route Server and each NVA deployed. |
| 23 | +* Configure BGP peering between the route server and each NVA deployed. |
23 | 24 |
|
24 | 25 | :::image type="content" source="./media/about-dual-homed-network/dual-homed-topology.png" alt-text="Diagram of Route Server in a dual-homed topology."::: |
25 | 26 |
|
26 | 27 | ### How does it work? |
27 | 28 |
|
28 | | -In the control plane, the NVA and the Route Server will exchange routes as if they’re deployed in the same virtual network. The NVA will learn about spoke virtual network addresses from the Route Server. The Route Server will learn routes from each of the NVAs. The Route Server will then program all the virtual machines in the spoke virtual network with the routes it learned. |
| 29 | +In the control plane, the NVA and the route server will exchange routes as if they’re deployed in the same virtual network. The NVA will learn about spoke VNet addresses from the route server. The route server will learn routes from each of the NVAs. The route server will then program all the virtual machines in the spoke VNet with the routes it learned. |
29 | 30 |
|
30 | | -In the data plane, virtual machines in the spoke virtual network will see the security NVA or the VPN NVA in the hub as the next hop. Traffic destined for the Internet-bound traffic or the hybrid cross-premises traffic will now route through the NVAs in the hub virtual network. You can configure both hubs to be either active/active or active/passive. In the case when the active hub fails, the traffic to and from the virtual machines will fail over to the other hub. These failures include but not limited to: NVA failures or service connectivity failures. This set up ensures your network is configured for high availability. |
| 31 | +In the data plane, virtual machines in the spoke VNet will see the security NVA or the VPN NVA in the hub as the next hop. Traffic destined for the Internet-bound traffic or the hybrid cross-premises traffic will now route through the NVAs in the hub VNet. You can configure both hubs to be either active/active or active/passive. In the case when the active hub fails, the traffic to and from the virtual machines will fail over to the other hub. These failures include but not limited to: NVA failures or service connectivity failures. This set up ensures your network is configured for high availability. |
31 | 32 |
|
32 | 33 | ## Integration with ExpressRoute |
33 | 34 |
|
34 | 35 | You can build a dual-homed network that involves two or more ExpressRoute connections. Along with the steps described above, you'll need to: |
35 | 36 |
|
36 | | -* Create another Route Server in each hub virtual network that has an ExpressRoute gateway. |
37 | | -* Configure BGP peering between the NVA and the Route Server in the hub virtual network. |
38 | | -* [Enable route exchange](quickstart-configure-route-server-portal.md#configure-route-exchange) between the ExpressRoute gateway and the Route Server in the hub virtual network. |
| 37 | +* Create a route server in each hub VNet that has an ExpressRoute gateway. |
| 38 | +* Configure BGP peering between the NVA and the route server in the hub VNet. |
| 39 | +* [Enable route exchange](quickstart-configure-route-server-portal.md#configure-route-exchange) between the ExpressRoute gateway and the route server in the hub VNet. |
39 | 40 | * Make sure “Use Remote Gateway or Remote Route Server” is **disabled** in the spoke virtual network VNet peering configuration. |
40 | 41 |
|
41 | 42 | :::image type="content" source="./media/about-dual-homed-network/dual-homed-topology-expressroute.png" alt-text="Diagram of Route Server in a dual-homed topology with ExpressRoute."::: |
42 | 43 |
|
43 | 44 | ### How does it work? |
44 | 45 |
|
45 | | -In the control plane, the NVA in the hub virtual network will learn about on-premises routes from the ExpressRoute gateway through [route exchange](quickstart-configure-route-server-portal.md#configure-route-exchange) with the Route Server in the hub. In return, the NVA will send the spoke virtual network addresses to the ExpressRoute gateway using the same Route Server. The Route Server in both the spoke and hub virtual network will then program the on-premises network addresses to the virtual machines in their respective virtual network. |
| 46 | +In the control plane, the NVA in the hub VNet will learn about on-premises routes from the ExpressRoute gateway through [route exchange](quickstart-configure-route-server-portal.md#configure-route-exchange) with the route server in the hub. In return, the NVA will send the spoke VNet addresses to the ExpressRoute gateway using the same route server. The route server in both the spoke and hub VNets will then program the on-premises network addresses to the virtual machines in their respective virtual network. |
46 | 47 |
|
47 | 48 | > [!IMPORTANT] |
48 | | -> BGP prevents a loop by verifying the AS number in the AS Path. If the receiving router sees its own AS number in the AS Path of a received BGP packet, it will drop the packet. In this example, both Route Servers have the same AS number, 65515. To prevent each Route Server from dropping the routes from the other Route Server, the NVA must apply **as-override** BGP policy when peering with each Route Server. |
| 49 | +> BGP prevents a loop by verifying the AS number in the AS Path. If the receiving route server sees its own AS number in the AS Path of a received BGP packet, it will drop the packet. In this example, both route servers have the same AS number, 65515. To prevent each route server from dropping the routes from the other route server, the NVA must apply **as-override** BGP policy when peering with each route server. |
49 | 50 | > |
50 | 51 |
|
51 | | -In the data plane, the virtual machines in the spoke virtual network will send all traffic destined for the on-premises network to the NVA in the hub virtual network first. Then the NVA will forward the traffic to the on-premises network through ExpressRoute. Traffic from on-premises will traverse the same data path in the reverse direction. You'll notice neither of the Route Servers are in the data path. |
| 52 | +In the data plane, the virtual machines in the spoke VNet will send all traffic destined for the on-premises network to the NVA in the hub VNet first. Then the NVA will forward the traffic to the on-premises network through ExpressRoute. Traffic from on-premises will traverse the same data path in the reverse direction. You'll notice none of the route servers are in the data path. |
52 | 53 |
|
53 | 54 | ## Next steps |
54 | 55 |
|
55 | | -* [Learn how Azure Route Server works with ExpressRoute](expressroute-vpn-support.md) |
56 | | -* [Learn how Azure Route Server works with a network virtual appliance](resource-manager-template-samples.md) |
| 56 | +* Learn about [Azure Route Server support for ExpressRoute and Azure VPN](expressroute-vpn-support.md) |
| 57 | +* Learn how to [configure peering between Azure Route Server and Network Virtual Appliance](tutorial-configure-route-server-with-quagga.md) |
57 | 58 |
|
0 commit comments