MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Clarification #17039

Closed ghost closed 6 years ago

ghost commented 6 years ago

Hello,

Thank you for the article; I have read it several times now and am still unsure how the IPSec Tunnel over ExpressRoute (Microsoft Peering) is able to route traffic destined for Microsoft Peering over the IPSec Tunnel?

I understand that you have enabled Microsoft Peering Route Filters for well defined BGP Communities / Office 365 services for example Exchange Online; this would by definition propagate those specific routes over the Microsoft Peering circuit and eventually publish routes onto the on-premises network (if allowed through via the on-premises router).

I just cannot see how a client on the on-premises network trying to consume an Exchange Online service which falls within that Route Filter is routed over the private VPN. Do we require some static routes from the ExpressRoute VPN termination point to the IPSec VPN Tunnel termination point?

The IPSec VPN Tunnel in your example is only performing BGP peering for the 10.0.0.0/24 and 10.2.0.0/24 private IP ranges. I cannot see how traffic destined for Microsoft Peering is pushed over the IPSec Tunnel.

Please advise.

Thanks,

Enver


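The routing question in the post above, as an added example that is not part of this thread or of the Azure article it refers to: a small longest-prefix-match lookup over a constructed on-premises routing table. The table models what the poster describes: the BGP session over the IPsec tunnel carries only 10.0.0.0/24 and 10.2.0.0/24, while the Microsoft peering session carries prefixes admitted by the route filter. The next-hop names are assumptions, and the RFC 5737 documentation ranges stand in for Exchange Online prefixes; they are not real Office 365 addresses.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# (prefix, next_hop, learned_via) -- every entry is constructed for illustration.
Route = Tuple[str, str, str]

ROUTE_TABLE: List[Route] = [
    # Prefixes exchanged over the IPsec tunnel's BGP session (from the article's example)
    ("10.0.0.0/24",     "ipsec-tunnel",            "bgp-over-ipsec"),
    ("10.2.0.0/24",     "ipsec-tunnel",            "bgp-over-ipsec"),
    # RFC 5737 documentation ranges standing in for route-filtered Exchange Online
    # prefixes learned over Microsoft peering (constructed, not real O365 ranges)
    ("198.51.100.0/24", "expressroute-ms-peering", "bgp-ms-peering"),
    ("203.0.113.0/24",  "expressroute-ms-peering", "bgp-ms-peering"),
    # Default route to the internet edge (assumed)
    ("0.0.0.0/0",       "internet-edge",           "static-default"),
]


def _parse(table: List[Route]):
    """Turn the string table into ip_network objects for matching."""
    return [(ipaddress.ip_network(p), nh, via) for p, nh, via in table]


def lookup(dst: str, table: List[Route] = ROUTE_TABLE) -> Optional[Route]:
    """Longest-prefix match: return the most specific route covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh, via in _parse(table):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, via)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def next_hop(dst: str, table: List[Route] = ROUTE_TABLE) -> Optional[str]:
    """Next hop the router would use for a packet to dst."""
    route = lookup(dst, table)
    return route[1] if route else None


def reaches_via_tunnel(dst: str, table: List[Route] = ROUTE_TABLE) -> bool:
    """True only if the best route for dst points into the IPsec tunnel."""
    return next_hop(dst, table) == "ipsec-tunnel"


def prefixes_via(hop: str, table: List[Route] = ROUTE_TABLE) -> List[str]:
    """All prefixes whose next hop is the given interface/neighbor."""
    return [p for p, nh, _ in table if nh == hop]


def summarise(dests: List[str], table: List[Route] = ROUTE_TABLE) -> Dict[str, Optional[str]]:
    """Map each destination to the next hop chosen by longest-prefix match."""
    return {d: next_hop(d, table) for d in dests}


if __name__ == "__main__":
    # Constructed sample destinations: a VNet host, a filtered "Exchange Online" address,
    # and an unrelated internet address.
    for dst, hop in summarise(["10.2.0.7", "198.51.100.25", "192.0.2.10"]).items():
        print(f"{dst:>16} -> {hop}")
    print("tunnel carries:", prefixes_via("ipsec-tunnel"))
```

Run as a script it prints the next hop chosen for each destination; with only the two private /24s learned over the tunnel, the address standing in for Exchange Online is forwarded towards the Microsoft peering circuit rather than into the tunnel, which is the behaviour the question describes.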

TravisCragg-MSFT commented 6 years ago

@Enver-Adams the prefixes are advertised via BGP when Microsoft Peering is enabled, but you are correct, it is not clear how the traffic is routed, and an output of advertised routes does not show any MS services.

@cherylmc can you help clarify if additional routes are needed in this example?

cherylmc commented 6 years ago

@Enver-Adams - The PM for this feature will update this article. Thanks for calling this out!

cherylmc commented 6 years ago

please-close

TravisCragg-MSFT commented 6 years ago

@Enver-Adams We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.

ghost commented 6 years ago

@cherylmc Great, thank you! Can you please provide an ETA for remediation? I am in the midst of a project and this detail would benefit us greatly.

cherylmc commented 6 years ago

He's targeting sometime in the next month. That being said, what specifically do you need for your project? Perhaps I can get an answer for your specific question sooner.

ghost commented 6 years ago

@cherylmc Really appreciate the support. I am going to make some assumptions; could you please correct me if required. To support Microsoft Peering BGP route propagation over an IPSec VPN Tunnel:

1 - Am I correct in saying that static routes are required between the non-peered AS routers? For example, between the client-side ER Gateway IP address and the IPSec VPN Gateway IP address.

2 - We have a requirement to not manually manage routes between non-peered AS routers. Am I correct in assuming the way the BGP routing relationship is created is using the ebgp-multihop command? If this is the case, will the non-peered routers, i.e. the client-side ER GW and the client-side IPSec VPN GW, automatically exchange BGP routing info?

3 - If the above is true and supported on various Cisco or similarly compatible routers / firewalls, how do we ensure the BGP routes are propagated over the IPSec VPN tunnel from the Azure end?

4 - Given we have an Azure VPN GW and an Azure ER GW on the Azure end, how do we ensure the traffic traverses the IPSec VPN tunnel from Azure when it needs to travel down the Microsoft Peering circuit? I am assuming we can't use the eBGP-multihop command on that end. Do we use a UDR within the VNet with an NVA to perform the routing back on-premises?

Any information you can provide would be greatly appreciated.

Kind Regards,

Enver