Avoid S2S VPN route propagation?


Hi
I'm curious if I can somehow avoid having remote S2S subnets propagated as routes to all peered or VPN-connected VNets in Azure, and even to other S2S connections.

Is this where the "UsePolicyBasedTrafficSelectors" + "UseCustomTrafficSelectors" properties on the connection come into play? And are the above properties linked together?

I assume a "UsePolicyBasedTrafficSelectors" VPN without any BGP setup will require UDRs pointing to the GW for the subnets that need to connect through the VPN?

/Thomas


@ThomasWinther 

Hi - when you have a hub-and-spoke network in place, you might also have UDRs in use at each of your spokes... within that UDR you can disable route propagation:

(screenshot)

with one route

(screenshot)

With S2S to the Azure VPN gateway it's not possible, I believe... you could terminate your S2S at your NVA, for example FortiGate. There you can have policies per S2S connection.
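
The UDR approach described above, as an added Azure CLI example that is not part of the thread: a spoke route table with gateway route propagation disabled, the single permitted on-prem prefix re-added with the VPN gateway as next hop, and everything else sent to a hub NVA. Resource names, prefixes and the NVA address are assumed placeholders.

```shell
#!/usr/bin/env sh
# Added example, not from the thread. All names, prefixes and the NVA address
# are assumed placeholders; set AZ=echo to print the commands instead of running them.
set -eu

AZ="${AZ:-az}"
RG="${RG:-rg-hub-spoke}"
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-vnet-spoke1}"
SUBNET="${SUBNET:-snet-app}"
RT="${RT:-rt-spoke1-app}"
ALLOWED_ONPREM="${ALLOWED_ONPREM:-10.200.0.0/24}"   # the only S2S prefix this subnet should see
NVA_IP="${NVA_IP:-10.0.1.4}"                        # hub firewall/NVA inside address

# 1. Route table with gateway/BGP route propagation disabled: the subnet no longer
#    learns every remote S2S prefix the VPN gateway knows, including unwanted ones.
create_route_table() {
  "$AZ" network route-table create \
    --resource-group "$RG" --location "$LOCATION" --name "$RT" \
    --disable-bgp-route-propagation true
}

# 2. Propagation off means no gateway routes at all, so the one permitted on-prem
#    prefix is added back explicitly with the VPN gateway as next hop
#    (the spoke must be peered with "use remote gateways" for this to resolve).
add_allowed_onprem_route() {
  "$AZ" network route-table route create \
    --resource-group "$RG" --route-table-name "$RT" --name to-onprem-allowed \
    --address-prefix "$ALLOWED_ONPREM" --next-hop-type VirtualNetworkGateway
}

# 3. Everything else goes via the hub NVA, where it can be inspected or dropped
#    instead of silently matching a propagated route.
add_default_via_nva() {
  "$AZ" network route-table route create \
    --resource-group "$RG" --route-table-name "$RT" --name default-via-nva \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$NVA_IP"
}

# 4. Attach the table to the subnet. This is per subnet, which is the scaling
#    concern raised in the follow-up.
associate_subnet() {
  "$AZ" network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" --route-table "$RT"
}

# Only act when invoked as "sh script.sh apply"; a bare run changes nothing.
if [ "${1:-}" = "apply" ]; then
  create_route_table; add_allowed_onprem_route; add_default_via_nva; associate_subnet
fi
```

Every on-prem prefix that must stay reachable from the subnet needs its own explicit route once propagation is off, which is exactly the trade-off raised in the next reply.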

@tommykneetz - thanks for the answer!

I've read about the option to disable route propagation on subnets. It doesn't seem to scale... I would have to do that in every subnet where I want to filter out the routes, and worse - it would filter out all gateway routes, right?

So I guess that leaves me with either doing some NATing on the VPN connection to avoid the overlap, or using an NVA, as you also suggest, to have more control over the route injection/propagation.

/Thomas

If you want more scale and more automation, then Azure Virtual WAN is your service :)