Forum Discussion

ThomasWinther's avatar
ThomasWinther
Copper Contributor
Feb 20, 2024

Understanding HUB vnet route tables relation

Hi there   Please help me understand the relation/usage between/of the different route tables in a Hub vnet. Let's say I have a Hub vnet with ExpressRoute GWs for on-prem connectivity, and VPN GWs...
Kidd_Ip's avatar
Kidd_Ip
MVP
Sep 29, 2025

Here you are: 

 

Key Route Tables in a Hub VNet

  1. GatewaySubnet Route Table
  • Purpose: This is where Azure injects system routes for the virtual network gateway (ExpressRoute or VPN).
  • Usage: It’s consulted when traffic enters or exits the gateway:
    • When traffic from on-prem via ExpressRoute enters Azure.
    • When traffic from a spoke VNet goes out via VPN or ExpressRoute.
  • Visibility: You can't directly view the effective route table of the GatewaySubnet unless you deploy a VM in the Hub VNet (as you noted). This is because GatewaySubnet is reserved for gateway services and doesn’t support NSGs or UDRs.
  1. ExpressRoute Gateway Route Table
  • Purpose: Holds routes learned via BGP from on-premises through ExpressRoute.
  • Usage: These routes are propagated to peered VNets (spokes) if “Use remote gateways” is enabled in the peering settings.
  • Visibility: You can view these via the ExpressRoute connection’s private peering route table.
  1. VPN Gateway Route Table
  • Purpose: Holds BGP-learned routes from other VPN gateways (e.g., other hubs or on-prem).
  • Usage: Used for VNet-to-VNet VPN connections and for propagating routes to connected VNets.
  • Visibility: You can view BGP peers and learned routes in the VPN Gateway blade.

 

Route Exchange and Propagation

  • Between Gateways: ExpressRoute and VPN gateways do not automatically exchange routes. If you want connectivity between on-prem via ER and remote VNets via VPN, you’ll need to use Azure Route Server or custom routing.
  • To Spokes:
    • Spokes can receive routes from the Hub’s gateways only if peering is configured with:
      • “Use remote gateway” (on the spoke side)
      • “Allow gateway transit” (on the hub side)
  • Within Hub:
    • The GatewaySubnet route table is used internally by Azure to route traffic to/from the gateway VMs.
    • You can’t override it with UDRs, but you can influence routing in other subnets of the Hub VNet using custom route tables.

 

How to Inspect GatewaySubnet Routes

 

  • Deploy a VM in another subnet in the Hub VNet.
  • Use Get-AzEffectiveRouteTable (PowerShell) or Azure portal to inspect effective routes.
  • This will show you what routes are being propagated from the gateway.

Resources