In a Policy-based VPN, what happens to the Route Tables?

%3CLINGO-SUB%20id%3D%22lingo-sub-1588761%22%20slang%3D%22en-US%22%3EIn%20a%20Policy-based%20VPN%2C%20what%20happens%20to%20the%20Route%20Tables%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1588761%22%20slang%3D%22en-US%22%3E%3CP%3EGreetings%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20having%20quite%20some%20issues%20trying%20to%20perfectly%20understand%20how%20Policy-based%20and%20Route-based%20VPNs%20work.%3CBR%20%2F%3E%3CBR%20%2F%3EAs%20we%20can%20se%20in%20the%20Azure%20documentation%2C%20for%20Policy-based%20VPNs%2C%20its%20important%20to%20keep%20the%20Traffic%20Selectors%20in%20sync%20in%20the%20Azure%20VPN%20and%20in%20the%20differents%20%22On%20Prem%20VPN%20endpoints%22.%20Any%20changes%20to%20the%20architecture%20must%20be%20reflected%20in%20the%20Traffic%20Selectors%20of%20both%20ends%20of%20any%20connection%20in%20order%20to%20keep%20the%20traffic%20flowing.%3CBR%20%2F%3E%3CBR%20%2F%3EBut%20in%20the%20case%20of%20Route-based%20VPNs%2C%20what%20we%20do%20instead%20is%20we%20put%20a%20big%20star%20%22*%22%20in%20the%20Traffic%20Selectors%20of%20both%20ends%20the%20the%20connections%2C%20so%20there%20is%20no%20need%20to%20change%20them%20no%20more%2C%20even%20if%20the%20architecture%20changes%2C%20and%20we%20rely%20on%20the%20Route%20Tables%20the%20%22configuration%22%20of%20the%20VPN.%20These%20Route%20Tables%20will%20now%20be%20in%20charge%20of%20routing%20the%20traffic%20in%26amp%3Bout%20our%20VNet1.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22PolicyBasedVPNRouteBasedVPN.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F212397i027B56EE3D65299A%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22PolicyBasedVPNRouteBasedVPN.png%22%20alt%3D%22PolicyBasedVPNRouteBasedVPN.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ESo%20far%2C%20so%20good.%20But%20now%2C%20questions%20start%20to%20pop.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EWhat%20happens%20to%20the%20Route%20Tables%20in%20the%20Policy-based%20VPN's%3F%20Is%20there%20any%20need%20to%20update%20them%20if%20there%20are%20any%20changes%20in%20the%20architecture%20of%20any%20side%20of%20the%20VPN%3F%3C%2FLI%3E%3CLI%3EHow%20do%20we%20know%20where%20to%20route%20a%20package%20through%20a%20VPN%20if%20the%20only%20place%20where%20the%20routes%20are%20stored%20is%20in%20the%20Route%20Tables%3F%20Is%20a%20new%20line%20is%20added%20automatically%20to%20the%20Route%20Table%2C%20transparently%20to%20us%2C%20so%20the%20traffic%20is%20properly%20routed%20via%20the%20VPN%20link%3F%20Or%20in%20case%20a%20package%20doesn't%20find%20a%20destination%20in%20the%20Route%20Tables%2C%20the%20package%20is%20sent%20to%20check%20Traffic%20Selectors%20that%20might%20be%20declared%20in%20the%20Subnet%3F%3F%3C%2FLI%3E%3C%2FUL%3E%3CP%3EThank%20you%20in%20advance.%20This%20questions%20have%20been%20troubling%20my%20mind%20for%20a%20few%20days%20already%20and%20I'm%20having%20quite%20some%20trouble%20to%20find%20the%20answers%20online.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYours%20sincerely%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJorge%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1588761%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Occasional Visitor

Greetings,

 

I'm having quite some issues trying to perfectly understand how Policy-based and Route-based VPNs work.

As we can se in the Azure documentation, for Policy-based VPNs, its important to keep the Traffic Selectors in sync in the Azure VPN and in the differents "On Prem VPN endpoints". Any changes to the architecture must be reflected in the Traffic Selectors of both ends of any connection in order to keep the traffic flowing.

But in the case of Route-based VPNs, what we do instead is we put a big star "*" in the Traffic Selectors of both ends the the connections, so there is no need to change them no more, even if the architecture changes, and we rely on the Route Tables the "configuration" of the VPN. These Route Tables will now be in charge of routing the traffic in&out our VNet1.

PolicyBasedVPNRouteBasedVPN.png


So far, so good. But now, questions start to pop.

 

  • What happens to the Route Tables in the Policy-based VPN's? Is there any need to update them if there are any changes in the architecture of any side of the VPN?
  • How do we know where to route a package through a VPN if the only place where the routes are stored is in the Route Tables? Is a new line is added automatically to the Route Table, transparently to us, so the traffic is properly routed via the VPN link? Or in case a package doesn't find a destination in the Route Tables, the package is sent to check Traffic Selectors that might be declared in the Subnet??

Thank you in advance. This questions have been troubling my mind for a few days already and I'm having quite some trouble to find the answers online.

 

Yours sincerely,

 

Jorge

0 Replies