top of page
Search

Which VWAN routes do you prefer?

  • Writer: joe parr
    joe parr
  • Jun 3, 2024
  • 3 min read

Recently I was exploring the different uses of Azure VWAN and noted a choice for routing preferences so I thought I would share my findings, but first, what is Azure VWAN?


Azure Virtual WAN (VWAN) is managed networking service from Microsoft Azure, streamlining connections between branches, users, and applications.


You have got multiple branch offices and need them to connect to each other?


VWAN is the one.



Want your users to securely connect and access data and workloads in Azure and on premises?


VWAN.


Multi-cloud deployments?


VWAN.


You get the picture.


Obviously, I have not gone into detail and would entirely depend on your set up and requirements, but I wanted to give you a flavour and introduction into Azure VWAN, before I delve into it's routing preferences. So, there you go.


And.. here I go, a brief, but deep trip into the world of its routing preferences.


But first.


The Algorithm


When selecting a route, Azure VWAN has a super secret algorithm that determines which route takes preference initially:


It goes routes with the Longest Prefix Match (LPM)...

Then static routes learned from the hub router over BGP...

Then the best path based on the virtual hub routing preference...

and then...

and then...


There is only 3 steps in the algorithm fyi...


Now for the routing preferences.


ExpressRoute - The Default


  • Prefer routes from local virtual hub connections over routes learned from remote virtual hub.

  • If there are Routes from both ExpressRoute and Site-to-site VPN connections:

    • If all the routes are local to the virtual hub, the routes learned from ExpressRoute connections will be chosen because Virtual hub routing preference is set to ExpressRoute.

    • If all the routes are through remote hubs, Site-to-site VPN will be preferred over ExpressRoute.

  • Prefer routes with the shortest BGP AS-Path length.

VPN - The Internet One


  1. Prefer routes from local virtual hub connections over routes learned from remote virtual hub.

  2. If there are routes from both ExpressRoute and Site-to-site VPN connections, the Site-to-site VPN routes will be chosen.

  3. Prefer routes with the shortest BGP AS-Path length.


AS Path - The BGP One


  • Prefer routes with the shortest BGP AS-Path length irrespective of the source of the route advertisements. In multi-hub environments, in the event of a remote AsPath tie, site-to-site connections will win.

  • Prefer routes from local virtual hub connections over routes learned from remote virtual hub.

  • If there are routes from both ExpressRoute and Site-to-site VPN connections:

    • If all the routes are local to the virtual hub, the routes from ExpressRoute connections will be chosen.

    • If all the routes are through remote virtual hubs, the routes from Site-to-site VPN connections will be chosen.


Top Tips:


  • Multiple virtual hubs in a Virtual WAN?

    • A virtual hub uses the algorithm above as mention, and then advertises them to the other virtual hubs in the virtual WAN.

  • If, for a select set of destination routes, the ExpressRoute goes down, other connections will be preferred. Once the ExpressRoute is restored, to ensure the routes don't continue to prefer other connections, ensure that the ASPath is longer for the other connections


Thoughts:


Really, in comes down to what tunnel you want to prioritise your traffic to go down. It is really useful when multiple tunnels have the same destination prefixes, especially in active/standby environments using the same IP ranges.


Again, useful if you have a VPN and Express Route coexistence, with one a backup to another.


To prefer remote routes over local routes on a virtual hub, set its hub routing preference to AS Path and increase the AS Path length of the local routes.


Infrastructure as Code:


In the interest of all things automation, I thought it would be most beneficial to showcase the setting that controls what has been discussed in this whole blog. So, with support from Salt Bae, here is a sprinkling of Terraform and Bicep for this, note the setting in bold.



Terraform:

resource "azurerm_virtual_hub" "example" {
  name                		= "example-virtualhub"
  resource_group_name 		= azurerm_resource_group.example.name
  location            		= azurerm_resource_group.example.location
  virtual_wan_id      		= azurerm_virtual_wan.example.id
  address_prefix      		= "10.0.0.0/23"
  hub_routing_preference 	= "ExpressRoute" or "ASPath" or "VpnGateway"
}

Bicep:

resource symbolicname 'Microsoft.Network/virtualHubs@2023-11-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  properties: {
    addressPrefix: 'string'
    allowBranchToBranchTraffic: bool
    azureFirewall: {
      id: 'string'
    }
    expressRouteGateway: {
      id: 'string'
    }
    hubRoutingPreference: 'ExpressRoute' or 'ASPath' or 'VpnGateway'
.....
}

Obviously, there is a lot more involved with the Infrastructure as code, you may want to modulise it and there is also a boat load more settings to configure, but I'll leave you to figure that out!


{

 “SignOff”: {

“Cheers”: “THF”

}

}


 
 
 
Post: Blog2 Post

©2022 by TheHumanFirewallBlog. Proudly created with Wix.com

bottom of page