Forum Discussion

ThomasWinther
Copper Contributor
Feb 20, 2024

Understanding HUB vnet route tables relation

Hi there

Please help me understand the relation/usage between/of the different route tables in a Hub vnet.
Let's say I have a Hub vnet with ExpressRoute GWs for on-prem connectivity, and VPN GWs for Vnet-Vnet VPN connections to other HUBs. Spokes are peered to the Hub.

The ER GW holds a route table.

The VPN GW holds its route table.
And the GatewaySubnet holds a route table.

I can view the ER GW Private Peering route table.
I can see the BGP Peers/Routes in the VPN virtual gateway.
But in the hub I cannot really see the effective GatewaySubnet route table.

(I know I can by deploying a VM in a subnet in the hub)

When exactly is the GatewaySubnet route table consulted/used? In which flows?

Please elaborate on the GatewaySubnet vs. ER GW vs. VPN GW route tables and their exchange of routes, or lack thereof.

Thanks in advance!

/Thomas

1 Reply

  • Here you are: 

    Key Route Tables in a Hub VNet

    1. GatewaySubnet Route Table
    • Purpose: This is where Azure injects system routes for the virtual network gateway (ExpressRoute or VPN).
    • Usage: It’s consulted when traffic enters or exits the gateway:
      • When traffic from on-prem via ExpressRoute enters Azure.
      • When traffic from a spoke VNet goes out via VPN or ExpressRoute.
    • Visibility: You can't directly view the effective route table of the GatewaySubnet unless you deploy a VM in the Hub VNet (as you noted). This is because GatewaySubnet is reserved for gateway services and doesn’t support NSGs or UDRs.
    2. ExpressRoute Gateway Route Table
    • Purpose: Holds routes learned via BGP from on-premises through ExpressRoute.
    • Usage: These routes are propagated to peered VNets (spokes) if “Use remote gateways” is enabled in the peering settings.
    • Visibility: You can view these via the ExpressRoute connection’s private peering route table.
    3. VPN Gateway Route Table
    • Purpose: Holds BGP-learned routes from other VPN gateways (e.g., other hubs or on-prem).
    • Usage: Used for VNet-to-VNet VPN connections and for propagating routes to connected VNets.
    • Visibility: You can view BGP peers and learned routes in the VPN Gateway blade.

    Route Exchange and Propagation

    • Between Gateways: ExpressRoute and VPN gateways do not automatically exchange routes. If you want connectivity between on-prem via ER and remote VNets via VPN, you’ll need to use Azure Route Server or custom routing.
    • To Spokes:
      • Spokes can receive routes from the Hub’s gateways only if peering is configured with:
        • “Use remote gateway” (on the spoke side)
        • “Allow gateway transit” (on the hub side)
    • Within Hub:
      • The GatewaySubnet route table is used internally by Azure to route traffic to/from the gateway VMs.
      • You can’t override it with UDRs, but you can influence routing in other subnets of the Hub VNet using custom route tables.

    How to Inspect GatewaySubnet Routes

    • Deploy a VM in another subnet in the Hub VNet.
    • Use Get-AzEffectiveRouteTable (PowerShell) or Azure portal to inspect effective routes.
    • This will show you what routes are being propagated from the gateway.
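    Pulling the three route views discussed in this thread together, here is an added PowerShell example (not the replier's code); resource group, VNet, NIC, gateway and circuit names are placeholders you must replace, and it assumes the Az.Network module is installed and you are already signed in.

```powershell
# Added example, not from the original post. All names below are placeholders.
$rg          = "rg-hub"            # resource group holding the hub VNet and VPN GW
$hubVnet     = "vnet-hub"          # hub VNet
$probeNic    = "nic-probe-vm"      # NIC of a test VM in a non-gateway hub subnet
$vpnGateway  = "vgw-hub-vpn"       # VPN virtual network gateway in the hub
$erCircuit   = "er-circuit-onprem" # ExpressRoute circuit (may live in another RG)
$erCircuitRg = "rg-connectivity"

# 1. Effective routes as seen from a hub subnet. Routes whose Source is
#    'VirtualNetworkGateway' are the ones the ER/VPN gateways injected via BGP;
#    this is the closest view you get of what the GatewaySubnet is handing out.
$effective = Get-AzEffectiveRouteTable -NetworkInterfaceName $probeNic -ResourceGroupName $rg
$effective |
    Where-Object { $_.Source -eq 'VirtualNetworkGateway' -and $_.State -eq 'Active' } |
    Select-Object @{ n = 'Prefix';  e = { $_.AddressPrefix -join ',' } },
                  NextHopType,
                  @{ n = 'NextHop'; e = { $_.NextHopIpAddress -join ',' } } |
    Format-Table -AutoSize

# 2. VPN gateway BGP view: prefixes learned from other hubs / VPN peers.
Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName $vpnGateway `
    -ResourceGroupName $rg |
    Select-Object Network, NextHop, SourcePeer, Origin, AsPath |
    Format-Table -AutoSize

# 3. ExpressRoute private peering route table (on-prem prefixes seen at the MSEE).
Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $erCircuitRg `
    -ExpressRouteCircuitName $erCircuit -PeeringType AzurePrivatePeering -DevicePath Primary |
    Format-Table -AutoSize

# 4. Hub-side peering flags: AllowGatewayTransit must be $true here (and
#    UseRemoteGateways $true on the spoke side) for spokes to receive these routes.
Get-AzVirtualNetworkPeering -VirtualNetworkName $hubVnet -ResourceGroupName $rg |
    Select-Object Name, PeeringState, AllowGatewayTransit, UseRemoteGateways |
    Format-Table -AutoSize
```

    If a prefix appears in step 2 or 3 but not in step 1, the gateway learned it but it is not being propagated into the VNet, which is where the "no automatic exchange between ER and VPN gateways" point above shows up in practice.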
