Implementing Route Summarization in Azure VMware Solution
Published Sep 24 2024 12:48 PM
Microsoft

What is Route Summarization?

Route summarization, also known as route aggregation, is a technique used in networking to combine multiple routes into a single, summarized route. This helps reduce the size of routing tables and simplifies the routing process.

Why Use Route Summarization in Azure VMware Solution?

Route summarization for Azure VMware Solution (AVS) is essential in the following scenarios:

  1. Route Tables with a 400 UDR Route Limitation: If you need to direct AVS workload segments through a Network Virtual Appliance (NVA) like Azure Firewall or a third-party firewall, you must create a User-Defined Route (UDR) for each AVS segment individually. This can quickly become cumbersome if your AVS environment has over 400 segments, as there is a 400 UDR route limitation per Route Table.

  2. ExpressRoute Gateway Approaching the 1,000 Route Limit: The ExpressRoute Gateway has a limit of 1,000 routes it can learn. This includes VNet address spaces directly connected to your hub where the ExpressRoute Gateway resides, as well as AVS segments. If your gateway is nearing this limit, route summarization becomes crucial.

 

 

Route Summarization in NSX

In AVS, NSX provides network virtualization to create and manage virtual networks and security. Additionally, you can set up route summarization directly within NSX. NSX consists of two gateway routers: a Tier-1 and a Tier-0. The Tier-0 gateway connects to external networks and can summarize routes before advertising them to the physical network, thereby propagating the summarized routes back to Azure and on-premises. However, since Azure VMware Solution is a managed service, customers do not have Read/Write NSX permissions to modify configurations on the Tier-0 gateway. Therefore, any route summarization must be performed at the Tier-1 gateway level.

 

If you have contiguous Workload Segments connected to your NSX Tier-1 gateway, summarization becomes more straightforward. Otherwise, take extra care that your summary routes together cover every Workload Segment. To enable route summarization, we need to stop AVS from advertising the specific routes and advertise only the summarized route, so any segment that is not covered by a summary route will lose connectivity.

 

Note: When using the Tier-1 gateway for summarization, only Workload Segments can be summarized; the AVS /22 Management address cannot be summarized. However, with the Virtual WAN Route Maps feature (still in Public Preview at the time of this writing), you will be able to summarize both the /22 Management address block and Workload Segments. Once the Virtual WAN Route Maps feature becomes generally available, I will explore this topic further in a future blog post.

Scenario Overview

Using the topology illustrated below, I will guide you through the step-by-step process of deploying summarization from the NSX T1 gateway. In my scenario, I have a Virtual WAN Hub deployed, which includes an ExpressRoute Gateway. This gateway in the Hub-VNet connects to both the Azure VMware Solution (AVS) and On-Premises environments. Additionally, the Hub has a VNet peering to a Spoke VNet. There is also a Global Reach connection between AVS and On-Prem, ensuring connectivity between the two.

 

Note: While my example utilizes VWAN, the summarization steps and behavior remain consistent with those of a traditional hub-and-spoke topology.

 

In AVS, there are four workload segments. Each local segment in NSX is configured as a /24 subnet and is connected to the same Tier-1 gateway.

 

Segment 1: 192.168.100.0/24
Segment 2: 192.168.101.0/24
Segment 3: 192.168.102.0/24
Segment 4: 192.168.103.0/24

 

The goal is to stop advertising these four specific routes to both Azure and on-premises networks. Instead, we’ll only advertise the summary route 192.168.100.0/22, which covers all four segments.

Note: Route Summarization should not contain networks that are extended using HCX.

Before configuring Route Summarization

As indicated by the blue arrows, the four routes listed below are being advertised from AVS to the VWAN Hub ExpressRoute Gateway, which currently has a 1,000 route limit. These routes are propagated to both the VWAN Hub and the Spoke VNet. Additionally, the four routes are advertised to on-premises via Global Reach.


VWAN Hub Effective Routes before summarization

As highlighted below, I am currently learning the /24 routes on the VWAN Effective Routes from AVS. 


Summarization Steps

 

1. Log into NSX and navigate to Networking > Tier-1 Gateways. Locate your Tier-1 Gateway where all your workload segments are connected. Click on the three dots (circled in red) and select Edit.


2. Scroll down and expand the Route Advertisement section. Click the icon next to Set Route Advertisement Rules (circled in red).


3. Click Add Route Advertisement Rule.
   Create a name for your summary route. In my example, I used “Summary-Route.”
   Add the summary route you want to advertise under Subnets. I used 192.168.100.0/22. Make sure to press Enter after typing your summary route so it appears circled in blue as shown in the diagram.
   Click Add, then click Save.


4. Under the T1 Route Advertisement section, disable All Connected Segments & Service Ports as illustrated in the diagram below (circled in red).

 

IMPORTANT: Ensure all your connected segments are included in your summary route(s). Any connected segment not covered by a summary route will lose connectivity. For example, a summary route of 192.168.100.0/22 covers segments 192.168.100.0/24 to 192.168.103.0/24. If an additional segment is configured as 192.168.104.0/24, it would not be covered by the 192.168.100.0/22 summary route. Since specific workload segments are suppressed and only summary routes are advertised, the 192.168.104.0/24 segment would lose connectivity unless a summary route is created for it.

 


5. Click Save.


6. Ensure that you are now receiving the summary route(s) in Azure or from your on-premises environment if you are using Global Reach. As shown in the diagram below, NSX T1 in AVS will exclusively advertise the summarized route 192.168.100.0/22. This route will be propagated to both Azure and on-premises environments via Global Reach.
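
The coverage requirement from step 4 can be checked offline before the specific routes are suppressed. The Python sketch below is an added example, not part of the original post or of any NSX or Azure tooling; it goes slightly beyond the /22 case by also reporting address space a summary advertises that no segment uses and overlap with HCX-extended networks. `check_summaries` and its inputs are hypothetical names, and the segment lists are assumed to be entered by hand (IPv4 only).

```python
import ipaddress

def check_summaries(segments, summaries, hcx_extended=()):
    """Check planned Tier-1 summary routes against the connected segments (IPv4)."""
    segs = [ipaddress.ip_network(s) for s in segments]
    sums = [ipaddress.ip_network(s) for s in summaries]
    hcx = [ipaddress.ip_network(s) for s in hcx_extended]

    # Segments that no summary contains: these lose connectivity once
    # "All Connected Segments & Service Ports" is disabled.
    uncovered = [str(s) for s in segs if not any(s.subnet_of(r) for r in sums)]

    # Summaries overlapping an HCX-extended network, which the post says to avoid.
    hcx_conflicts = [(str(r), str(h)) for r in sums for h in hcx if r.overlaps(h)]

    # Address space a summary would advertise that no segment uses.
    unused = {}
    for r in sums:
        rest = [r]
        for s in segs:
            nxt = []
            for block in rest:
                if block.subnet_of(s):        # block fully used by this segment
                    continue
                if s.subnet_of(block):        # carve the segment out of the block
                    nxt.extend(block.address_exclude(s))
                else:
                    nxt.append(block)
            rest = nxt
        if rest:
            unused[str(r)] = [str(n) for n in ipaddress.collapse_addresses(rest)]

    # Smallest set of exact summaries for the segments as configured.
    minimal = [str(n) for n in ipaddress.collapse_addresses(segs)]
    return {"uncovered": uncovered, "hcx_conflicts": hcx_conflicts,
            "unused": unused, "minimal": minimal}

# Segments and summary route from the scenario in this post.
SEGMENTS = ["192.168.100.0/24", "192.168.101.0/24",
            "192.168.102.0/24", "192.168.103.0/24"]

if __name__ == "__main__":
    print(check_summaries(SEGMENTS, ["192.168.100.0/22"]))
    # Adding the 192.168.104.0/24 segment from the IMPORTANT note leaves it uncovered.
    print(check_summaries(SEGMENTS + ["192.168.104.0/24"], ["192.168.100.0/22"]))
```

An entry under `unused` means the summary draws traffic toward AVS for addresses that no segment answers for, which is worth reviewing against your firewall rules and UDRs.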

 


VWAN Hub Effective Routes after summarization

As highlighted below, I am now learning the /22 summarized route on the VWAN Effective Routes from AVS.

Last update: Sep 23 2024 11:29 AM