Commit c642bd6

Merge pull request #250951 from halkazwini/rs-ts2
Add a new Q&A about forcing traffic to a firewall
2 parents 64a6ac7 + d7b4be9 commit c642bd6

1 file changed

+13
-2
lines changed

articles/route-server/troubleshoot-route-server.md

Lines changed: 13 additions & 2 deletions
@@ -12,14 +12,25 @@ ms.date: 09/11/2023
1212

1313
## Connectivity issues
1414

15-
### Why does my network virtual appliance (NVA) lose Internet connectivity after it advertises the default route (0.0.0.0/0) to Azure Route Server?
15+
### Why does my network virtual appliance (NVA) lose internet connectivity after it advertises the default route (0.0.0.0/0) to Azure Route Server?
1616

17-
When your NVA advertises the default route, Azure Route Server programs it for all the virtual machines (VMs) in the virtual network including the NVA itself. This default route sets the NVA as the next hop for all Internet-bound traffic. If your NVA needs internet connectivity, you need to configure a [User Defined Route](../virtual-network/virtual-networks-udr-overview.md) to override this default route from the NVA and attach the UDR to the subnet where the NVA is hosted. Otherwise, the NVA host machine keeps sending the internet-bound traffic including the one sent by the NVA back to the NVA itself.
17+
When your NVA advertises the default route, Azure Route Server programs it for all the virtual machines (VMs) in the virtual network including the NVA itself. This default route sets the NVA as the next hop for all internet-bound traffic. If your NVA needs internet connectivity, you need to configure a user-defined route (UDR) to override this default route from the NVA and attach the UDR to the subnet where the NVA is hosted. Otherwise, the NVA host machine keeps sending the internet-bound traffic including the one sent by the NVA back to the NVA itself. For more information, see [user-defined routes](../virtual-network/virtual-networks-udr-overview.md#user-defined).
1818

1919
| Route | Next hop |
2020
|-------|----------|
2121
| 0.0.0.0/0 | Internet |
2222

23+
### Why does the NVA lose its connectivity to the Azure Route Server after forcing all traffic to a firewall using a user-defined route (UDR) on the GatewaySubnet?
24+
25+
If you want to inspect your on-premises traffic using a firewall, you can force all on-premises traffic to the firewall using a user-defined route (UDR) on the GatewaySubnet (a route table associated to the GatewaySubnet that has the UDR). However, this UDR may break the communication between the Route Server and the gateway by forcing their control plane traffic (BGP) to the firewall (this issue occurs if you're inspecting the traffic destined to the virtual network that has the Route Server). To avoid this issue, you need to add another UDR to the GatewaySubnet route table to exclude control plane traffic from being forced to the firewall (in case adding a BGP rule to the firewall is not desired/possible):
26+
27+
| Route | Next hop |
28+
|-------|----------|
29+
| 10.0.0.0/16 | 10.0.2.1 |
30+
| 10.0.1.0/27 | VirtualNetwork |
31+
32+
10.0.0.0/16 is the address space of the virtual network and 10.0.1.0/27 is the address space of RouteServerSubnet. 10.0.2.1 is the IP address of the firewall.
33+
2334
### Why can't I TCP ping from my NVA to the BGP peer IP of the Azure Route Server after I set up the BGP peering between them?
2435

2536
In some NVAs, you need to add a static route to the Azure Route Server subnet to be able to TCP ping the Route Server from the NVA and to avoid BGP peering flapping. For example, if Azure Route Server is in 10.0.255.0/27 and your NVA is in 10.0.1.0/24, you need to add the following route to the routing table in the NVA:
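Review bot: The new heading ("Why does the NVA lose its connectivity to the Azure Route Server after forcing all traffic to a firewall using a user-defined route (UDR) on the GatewaySubnet?") does not match the body that follows it: the body explains that the UDR on the GatewaySubnet forces the gateway's BGP control plane traffic to the firewall, so it is the gateway-to-Route Server session that breaks, and the NVA is never mentioned. Either retitle to name the gateway (for example "Why does my gateway lose connectivity to Azure Route Server after I force all traffic to a firewall using a UDR on the GatewaySubnet?") or add a sentence explaining how the NVA is affected. Two smaller points in the same paragraph: "a route table associated to the GatewaySubnet" should be "associated with", and "in case adding a BGP rule to the firewall is not desired/possible" reads better as "if adding a BGP rule to the firewall isn't desired or possible". Finally, the sample addresses are explained only after the table (10.0.0.0/16, 10.0.1.0/27, 10.0.2.1) and differ from the next Q&A, which places Route Server in 10.0.255.0/27; introducing the values before the table and aligning them with the adjacent example would make the section easier to follow.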