Forum Discussion

ThomasWinther's avatar
ThomasWinther
Copper Contributor
Jan 16, 2023

Avoid S2S VPN route propagation?

Hi I'm curious if I can somehow avoid remote S2S subnets to be propagated as routes to all peered or VPN connected vnets in Azure, and even other S2S connections. Is this where the "UsePolicyBase...
tommykneetz's avatar
tommykneetz
Iron Contributor

ThomasWinther 

 

Hi - when you have an hub and spoke network in place then you might also have udr's in use at each of your spokes... with hin that udr you can disable route propagation:

with one route

 

With s2s to azure vpn gateway ist not possible I believe.. you couldt terminate you s2s at your nva for example fortigate. here you can have policies per S2S connection

 

 

ThomasWinther's avatar
ThomasWinther
Copper Contributor
Jan 17, 2023

tommykneetz  - thanks for the answer!

I've read about the disable option for route propagation on subnets. It doesn't seem to scale... I would have to do that in every subnet where I would filter out the routes, and worse - it would filter out all gateway routes, right?

 

So I guess it leaves me with either doing some NAT'ing on the VPN connection to avoid the overlap, or to use a NVA, as you also suggest, to have more control of the route injection/propagation.

 

/Thomas

  • tommykneetz's avatar
    tommykneetz
    Iron Contributor
    Jan 18, 2023
    if you want more scale and more automation than azure virtual wan is your service 🙂

Resources