Route Distribution in Azure Virtual WAN

Route distribution is a fundamental concept in Azure Virtual WAN that governs how routes are propagated and made available across different branches of your virtual network. Understanding route distribution is key to ensuring proper connectivity and traffic flow within your complex network topology.

What is Route Distribution?

In Virtual WAN, route distribution refers to the mechanisms by which routing information is shared between different network components, such as:

Virtual Network Connections (VNETs) to Hubs
Site-to-Site VPN connections
ExpressRoute connections
Azure Firewall
Virtual Network Gateways

It ensures that each component knows how to reach the others, enabling seamless communication across your distributed environment.

Key Concepts of Route Distribution

1. Route Tables

Virtual WAN utilizes route tables to manage and store routing information. Each connection (VNet connection, VPN site connection, ExpressRoute circuit) is associated with a specific route table. This allows for granular control over which routes are learned and advertised.

2. Route Propagation

This is the process by which routes are advertised from one network component to another. Virtual WAN automatically propagates routes between connected components based on their configurations.

VNet to Hub: Routes from a VNet are propagated to the hub's routing infrastructure.
Hub to VNet: Routes learned by the hub (from other VNets, VPNs, or ExpressRoute) are propagated back to connected VNets.
Branch to Branch: Routes are distributed via the hub, allowing sites connected to the hub to communicate with each other.

3. Route Association

Route association determines which route table is used by a connection for its outbound traffic. When a packet leaves a VNet or a branch site, Virtual WAN looks at the route table associated with that connection to determine the next hop.

4. Route Learning

This is the process by which a connection learns routes from other connected components. For example, a VNet connection learns routes from the hub, enabling it to reach other connected VNets or branches.

Default Route Distribution Behavior

By default, Virtual WAN provides a simplified and automated route distribution experience:

All connected VNet address spaces are advertised to all VPN and ExpressRoute connections associated with the hub.
All connected VPN and ExpressRoute address spaces are advertised to all connected VNet address spaces.
Routes are propagated through the Virtual WAN hub.

Customizing Route Distribution

For more advanced scenarios, Virtual WAN allows for customization:

Static Routes: You can manually define static routes for specific destinations.
Route Filters: You can use route filters to control which routes are advertised to or learned from specific connections, especially for ExpressRoute and VPN connections.
Hub Routing Intent: In more complex deployments, you can define the routing intent for a hub, specifying how traffic should be routed (e.g., through Azure Firewall for inspection).

Important: Understanding the default propagation and how to customize it is crucial for troubleshooting connectivity issues and optimizing network performance.

Scenario Example: VNet-to-VNet Communication

Consider two VNets, VNetA and VNetB, connected to the same Virtual WAN hub. Route distribution ensures that:

VNetA's address space is advertised to the hub.
VNetB's address space is advertised to the hub.
The hub learns both address spaces.
The hub propagates VNetA's address space to VNetB.
The hub propagates VNetB's address space to VNetA.

As a result, VNetA can communicate with VNetB, and vice-versa, without explicit configuration of peering between the VNets.

Route Distribution with Azure Firewall

When Azure Firewall is deployed in a Virtual WAN hub, route distribution plays a critical role in directing traffic through the firewall for inspection. Routes for VNets and branch sites are often configured to be sent to the firewall, which then forwards them to their intended destinations after inspection. This requires careful configuration of route tables and associations to ensure traffic follows the desired path.

Conclusion

Route distribution in Azure Virtual WAN is a powerful mechanism that simplifies network management while providing flexibility. By understanding how routes are propagated, associated, and learned, you can design and maintain robust and secure network architectures in Azure.