Share via

Default route advertisement from on-prem to Azure VMware solution for internet connectivity

Sumit bnd 40 Reputation points
2025-05-09T02:44:33.9133333+00:00

We are looking to force default internet traffic from AVS to route through the on-prem environment. However, as mentioned, advertising the default route may impact traffic from Azure VNets as well.

Given that we already have Azure Virtual WAN implemented, we would like to understand where this traffic can be filtered or controlled to avoid unintended routing impacts on Azure VNet traffic.

Azure VMware Solution
Answer accepted by question author
  1. Mounika Reddy Anumandla 6,975 Reputation points Moderator
    2025-05-09T10:30:34.9933333+00:00

    Hi Sumit bnd,
    I understand you concern that to force default internet traffic from Azure VMware Solution (AVS) to route through your on-premises environment-while avoiding unintended routing impacts on other Azure VNet traffic-requires precise control over routing policies in Azure Virtual WAN. Because routing policies in Virtual WAN hubs are applied at the hub level, any default route (0.0.0.0/0) advertised for internet-bound traffic will affect all VNets and branches connected to that hub, not just AVS. This means that if you advertise a default route to force AVS internet traffic through on-premises, you risk impacting the default internet path for all other Azure VNets associated with that hub.

    https://free.blessedness.top/en-us/azure/virtual-wan/about-virtual-hub-routing

    Recommendations

    Custom Route Tables: You can use custom route tables and control propagation/association to manage which VNets or connections receive specific routes. By associating only, the AVS connection with a route table that has the default route pointing to your on-premises next hop,and ensuring other VNets are associated with a different route table, you can isolate the routing behavior.

    1.Use Custom Route Tables for Segmentation:

    • Create separate route tables in the Virtual WAN hub.
    • Associate the AVS connection with a route table that includes a default route (0.0.0.0/0) pointing to your on-premises environment (via ExpressRoute or VPN).
    • Associate other Azure VNets with a route table that does not include the default route, or that points their internet-bound traffic to Azure Firewall or the internet directly.

    2.Review Propagation Settings:

    • Ensure that route propagation from on-premises does not inadvertently advertise the default route to all VNets. Control which connections propagate and receive routes using the Virtual WAN portal.

    3.Test and Validate:

    • Use effective route table views to confirm that only the intended AVS connection receives the default route to on-premises, and other VNets maintain their desired internet routing path.
      To avoid unintended routing impacts on Azure VNet traffic when forcing AVS internet traffic through on-premises, leverage custom route tables within Azure Virtual WAN. Carefully associate and propagate routes so that only AVS receives the default route to on-premises, while other VNets retain their standard internet routing path. Routing policies at the hub level are broad, but custom route tables provide the granularity needed for this scenario.
      https://free.blessedness.top/en-us/azure/virtual-wan/how-to-routing-policies

    Additional ref: https://www.youtube.com/watch?v=m-GmkMFZ5WA&t=4s

    Hope it helps!

    Let me know if you have any further queries!

    If the information is helpful, please click "upvote" to let us know!

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.