Avoid S2S VPN route propagation?

Copper Contributor

Hi
I'm curious if I can somehow avoid remote S2S subnets to be propagated as routes to all peered or VPN connected vnets in Azure, and even other S2S connections.


Is this where the "UsePolicyBasedTrafficSelectors" + "UseCustomTrafficSelectors" come into place with the connection? And are the above properties linked together?

 

I assume "UsePolicyBasedTrafficSelectors" VPN without any BGP setup, will require UDRs pointing to the GW for the subnets in need of connecting through VPN?

 

/Thomas

 

3 Replies

@ThomasWinther 

 

Hi - when you have an hub and spoke network in place then you might also have udr's in use at each of your spokes... with hin that udr you can disable route propagation:

tommykneetz_0-1673951209154.png

with one route

tommykneetz_1-1673951241110.png

 

With s2s to azure vpn gateway ist not possible I believe.. you couldt terminate you s2s at your nva for example fortigate. here you can have policies per S2S connection

 

 

@tommykneetz  - thanks for the answer!

I've read about the disable option for route propagation on subnets. It doesn't seem to scale... I would have to do that in every subnet where I would filter out the routes, and worse - it would filter out all gateway routes, right?

 

So I guess it leaves me with either doing some NAT'ing on the VPN connection to avoid the overlap, or to use a NVA, as you also suggest, to have more control of the route injection/propagation.

 

/Thomas

if you want more scale and more automation than azure virtual wan is your service 🙂