
Commit c883c65

Merge pull request #285334 from wtnlee/routingintentlimitsupdate
first draft
2 parents 63c4801 + 6e09198 commit c883c65

1 file changed

+49
-0
lines changed

articles/virtual-wan/how-to-routing-policies.md

Lines changed: 49 additions & 0 deletions
@@ -96,6 +96,55 @@ Consider the following configuration where Hub 1 (Normal) and Hub 2 (Secured) ar
9696
* Network Virtual Appliances (NVAs) can only be specified as the next hop resource for routing intent if they're Next-Generation Firewall or dual-role Next-Generation Firewall and SD-WAN NVAs. Currently, **checkpoint**, **fortinet-ngfw** and **fortinet-ngfw-and-sdwan** are the only NVAs eligible to be configured to be the next hop for routing intent. If you attempt to specify another NVA, Routing Intent creation fails. You can check the type of the NVA by navigating to your Virtual Hub -> Network Virtual Appliances and then looking at the **Vendor** field. [**Palo Alto Networks Cloud NGFW**](how-to-palo-alto-cloud-ngfw.md) is also supported as the next hop for Routing Intent, but is considered a next hop of type **SaaS solution**.
9797
* Routing Intent users who want to connect multiple ExpressRoute circuits to Virtual WAN and want to send traffic between them via a security solution deployed in the hub can enable open up a support case to enable this use case. Reference [enabling connectivity across ExpressRoute circuits](#expressroute) for more information.
9898

99+
### Virtual Network Address Space Limits
100+
101+
> [!NOTE]
102+
> The maximum number of Virtual Network address spaces that you can connect to a single Virtual WAN hub is adjustable. Open an Azure support case to request a limit increase. The limits are applicable at the Virtual WAN hub level. If you have multiple Virtual WAN hubs that require a limit increase, request a limit increase for all Virtual WAN hubs in your Virtual WAN deployment.
103+
104+
For customers using routing intent, the maximum number of address spaces across all Virtual Networks **directly connected** to a single Virtual WAN hub is 400. This limit is applied individually to each Virtual WAN hub in a Virtual WAN deployment. Virtual Network address spaces connected to **remote** (other Virtual WAN hubs in the same Virtual WAN) hubs are **not** counted towards this limit.
105+
106+
If the number of directly connected Virtual Network address spaces connected to a hub exceeds the limit, enabling or updating routing intent on the Virtual Hub will fail. For hubs already configured with routing intent where Virtual Network address spaces exceeds the limit as a result of an operation such as a Virtual Network address space update, the newly connected address space may not be routable.
107+
108+
Proactively request a limit increase if the total number of address spaces across all locally connected Virtual Networks exceeds 90% of the documented limit or if you have any planned network expansion or deployment operations that will increase the number of Virtual Network address spaces past the limit.
109+
110+
The following table provides example Virtual Network address space calculations.
111+
112+
|Virtual Hub| Virtual Network Count| Address spaces per Virtual Network | Total number of Virtual Network address spaces connected to Virtual Hub| Suggested Action|
113+
|--|--|--|--|--|
114+
| Hub #1| 200| 1 | 200| No action required, monitor address space count.|
115+
| Hub #2| 150 | 3 | 450| Request limit increase to use routing intent.|
116+
| Hub #3 |370 | 1| 370| Request limit increase.|
117+
118+
You can use the following Powershell script to approximate the number of address spaces in Virtual Networks connected to a single Virtual WAN hub. Run this script for all Virtual WAN hubs in your Virtual WAN. An Azure Monitor metric to allow you to track and configure alerts on connected Virtual Network address spaces is on the roadmap.
119+
120+
Make sure to modify the resource ID of the Virtual WAN Hub in the script to match your environment. If you have cross-tenant Virtual Network connections, make sure you have sufficient permissions to read the Virtual WAN Virtual Network connection object as well as the connected Virtual Network resource.
121+
122+
```powershell-interactive
123+
$hubVNETconnections = Get-AzVirtualHubVnetConnection -ParentResourceId "/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Network/virtualHubs/<virtual hub name>"
124+
$addressSpaceCount = 0
125+
126+
foreach($connection in $hubVNETconnections) {
127+
try{
128+
$resourceURI = $connection.RemoteVirtualNetwork.Id
129+
$RG = ($resourceURI -split "/")[4]
130+
$name = ($resourceURI -split "/")[8]
131+
$VNET = Get-AzVirtualNetwork -Name $name -ResourceGroupName $RG -ErrorAction "Stop"
132+
$addressSpaceCount += $VNET.AddressSpace.AddressPrefixes.Count
133+
}
134+
catch{
135+
Write-Host "An error ocurred while processing VNET connected to Virtual WAN hub with resource URI: " -NoNewline
136+
Write-Host $resourceURI
137+
Write-Host "Error Message: " -ForegroundColor Red
138+
Write-Host $_.Exception.Message -ForegroundColor Red
139+
}
140+
finally{
141+
}
142+
}
143+
Write-Host "Total Address Spaces in VNETs connected to this Virtual WAN Hub: " -ForegroundColor Green -NoNewline
144+
Write-Host $addressSpaceCount -ForegroundColor Green
145+
```
146+
147+
99148
## Considerations
100149

101150
Customers who are currently using Azure Firewall in the Virtual WAN hub without Routing Intent may enable routing intent using Azure Firewall Manager, Virtual WAN hub routing portal or through other Azure management tools (PowerShell, CLI, REST API).
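Review bot: the PowerShell script at the end of the new section will miss or error out on Virtual Networks that live in a different subscription from the current Az context, because `Get-AzVirtualNetwork -Name $name -ResourceGroupName $RG` only searches the active subscription, even though the remote VNet ID it parses (`$connection.RemoteVirtualNetwork.Id`) carries its own subscription at index 2 of the split path. Cross-subscription and cross-tenant connections are exactly the case the paragraph above the script calls out, so suggest either switching context per connection, e.g. `Set-AzContext -Subscription (($resourceURI -split "/")[2])` before the lookup, or resolving the VNet directly by ID with `Get-AzResource -ResourceId $resourceURI` and reading `.Properties.addressSpace.addressPrefixes`; either way the text should state that any error printed by the `catch` block means that VNet's address spaces were not counted and the printed total is a lower bound, not a safe number to compare against the 400 limit. Smaller points in the same hunk: the empty `finally{}` block can be dropped, "ocurred" should be "occurred", "Powershell" should be "PowerShell", and "where Virtual Network address spaces exceeds the limit" should read "exceed".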
