Grant the ability to add and advertise static routes from an Express Route gateway
We have a scenario where we would like to use an NVA as a gateway between both our on-premises and ExpressRoute-connected VNETs and a new VNET that is not directly peered with the ExpressRoute gateway VNET.
On Premise/Peered VNETs <----> ExprRt VNET <----> NVA VNET <----> NEW VNET
Since the NEW VNET is not peered with the ExprRt VNET, its address space is not advertised down the ExpressRoute to the on-premises environment. We would like the ability to both add and advertise static routes from the ExpressRoute gateway, or via a UDR attached to the ExpressRoute gateway subnet. This would allow us to selectively add NVAs as gateway/routing points for our sensitive workloads.
Rather than using a UDR to remove the route table entries from a peered VNET's subnet, we would like to see a more traditional segmentation approach. This proposed model should allow for that. This traditional segmentation approach can be leveraged for highly regulated environments like DMZs, PCI/CDE, NERC, etc. From the perspective of compliance, this should be far easier for audit and QSA staff to consume. This model also has the added benefit of being familiar territory for our existing infra Network Engineering teams, lessening the time/impact of cloud adoption for sensitive workloads.
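As an added worked example (not code from the original post, and not Microsoft's own documentation), this is what the partial workaround the post alludes to looks like today with the Az PowerShell module: a UDR on the ExprRt VNET's GatewaySubnet hands traffic for the NEW VNET prefix to the NVA, and a UDR in the NEW VNET sends return traffic for on-premises back through the NVA. All resource group, VNET, subnet, circuit names and address ranges below are assumptions; substitute your own. The final step shows the check that illustrates the gap the post describes: the NEW VNET prefix is routable once it reaches the gateway, but it is not advertised to on-premises.

```powershell
# Added example; assumed names and prefixes, substitute your own environment's values.
$rg          = 'rg-network'            # resource group (assumption)
$location    = 'westeurope'            # region (assumption)
$erVnetName  = 'vnet-expressroute'     # ExprRt VNET that hosts the GatewaySubnet (assumption)
$newVnetName = 'vnet-new'              # NEW VNET, not peered with the ExprRt VNET (assumption)
$newSubnet   = 'snet-workload'         # workload subnet in the NEW VNET (assumption)
$newVnetCidr = '10.50.0.0/16'          # NEW VNET address space (assumption)
$onPremCidr  = '10.0.0.0/8'            # on-premises ranges reached over ExpressRoute (assumption)
$nvaIp       = '10.40.1.4'             # inside interface of the NVA in the NVA VNET (assumption)
$circuitName = 'er-circuit'            # ExpressRoute circuit name (assumption)

# 1. GatewaySubnet route table: traffic arriving from on-premises for the NEW VNET prefix
#    is forwarded to the NVA instead of being dropped as an unknown destination.
#    Do NOT add a 0.0.0.0/0 route here; it breaks the gateway.
$gwRt = New-AzRouteTable -Name 'rt-gatewaysubnet' -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -RouteTable $gwRt -Name 'to-new-vnet-via-nva' `
    -AddressPrefix $newVnetCidr -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp | Out-Null
Set-AzRouteTable -RouteTable $gwRt | Out-Null

$erVnet   = Get-AzVirtualNetwork -Name $erVnetName -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $erVnet -Name 'GatewaySubnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $erVnet -Name 'GatewaySubnet' `
    -AddressPrefix $gwSubnet.AddressPrefix -RouteTable $gwRt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $erVnet | Out-Null

# 2. NEW VNET workload subnet route table: return traffic for on-premises goes to the NVA,
#    which reaches the ExpressRoute gateway through its peering with the ExprRt VNET.
$newRt = New-AzRouteTable -Name 'rt-new-vnet' -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -RouteTable $newRt -Name 'to-onprem-via-nva' `
    -AddressPrefix $onPremCidr -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp | Out-Null
Set-AzRouteTable -RouteTable $newRt | Out-Null

$newVnet  = Get-AzVirtualNetwork -Name $newVnetName -ResourceGroupName $rg
$wlSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $newVnet -Name $newSubnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $newVnet -Name $newSubnet `
    -AddressPrefix $wlSubnet.AddressPrefix -RouteTable $newRt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $newVnet | Out-Null

# 3. Check: list the routes held by the Microsoft edge router for the private peering.
#    The ExprRt VNET prefix (and any peered VNET using gateway transit) appears as an
#    Azure-originated route; the NEW VNET prefix does not, which is exactly the gap.
Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $rg -ExpressRouteCircuitName $circuitName `
    -PeeringType AzurePrivatePeering -DevicePath Primary | Format-Table
```

For this to carry traffic end to end, the NVA VNET's peering with the ExprRt VNET must have "use remote gateways" and "allow forwarded traffic" enabled (and the ExprRt VNET side "allow gateway transit"), and IP forwarding must be enabled on the NVA's NIC. The UDRs only fix forwarding inside Azure: the on-premises routers still need a static route for the NEW VNET prefix pointing at the ExpressRoute circuit, which is the manual step the feature request above asks Azure to remove.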
Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.
Any update on this one?
This would be an excellent feature to ensure routing for "private" networks within NVAs is routable over the ExpressRoute. Azure only advertises VNet ranges into BGP which are maintained/created within Azure, so a private network which only exists within the NVA environment (invisible to Azure) cannot route over the ExpressRoute. To give an example, imagine an F5 NVA with a private network for VIP ranges. The VIP network would only exist within the F5 NVA; attempting to attach over 100 NICs to a Virtual Machine which sits on an Azure-"aware" VNet is not practical (and probably not within limits), hence the need for the "private" network.
Yes please for this feature. We have a requirement where we want to partially migrate a subnet range between a VPN and our ExpressRoute.
Thanks in advance.
I would like the same, or even better: an option to enable a default route from the ERC to the VNG. This could be set on the Connection between the ERC and the VNG, so that all unknown subnets are forwarded from the ERC to the VNG; the VNG then defaults to the SubnetGateway UDR, where the routing can be handled.
On the MPLS you can have the default route configured to point to the Azure Edge router IPs.