Virtual Network having Azure Bastion peered with vWAN Hub

Raviraj Velankar 136 Reputation points
2025-01-31T18:24:13.0966667+00:00

Following is the Scenario.

We would like to connect a spoke virtual network that has an Azure Bastion resource to Azure Virtual WAN. As per the Bastion FAQ, we need to disable default route propagation at the 'virtual network connection' level when we peer the virtual network to a vWAN Hub that has routing intent configured.

If there are other resources such as Virtual Machines or AKS in that spoke virtual network and we disable default route propagation, how will Internet access work? And if we need to route Internet-bound traffic from the VM or AKS to the vWAN SaaS firewall, is it feasible to route it while 'default route' propagation is disabled?

Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.

Accepted answer
  Chiugo Okpala 75 Reputation points MVP
    2025-01-31T18:58:34.2+00:00

    @Anonymous When you disable default route propagation in a spoke virtual network that has Azure Bastion, it means that the spoke will not automatically use the default route from the hub for Internet-bound traffic. Instead, you need to manually configure the routes in the spoke's route table.

    Here's how you can handle Internet access for resources like Virtual Machines (VMs) and Azure Kubernetes Service (AKS) in the spoke:

    1. Disable default route propagation: Ensure that default route propagation is disabled in the spoke's route table.

    2. Add custom routes: Manually add custom routes in the spoke's route table to direct Internet-bound traffic to the appropriate next hop. For example, you can add a route with the destination 0.0.0.0/0 and the next hop as the Azure Virtual WAN hub's firewall or Network Virtual Appliance (NVA).

    3. Configure Azure Firewall or NVA: Ensure that the Azure Firewall or NVA in the hub is configured to handle Internet-bound traffic. This might involve setting up appropriate firewall rules and routing policies.

    4. Verify connectivity: Test the connectivity from the VMs and AKS in the spoke to ensure they can access the Internet through the configured routes and firewall/NVA.

    By following these steps, you can route Internet-bound traffic from your VMs and AKS in the spoke through the Azure Virtual WAN hub while still using Azure Bastion for secure access.

    See:

    https://learn.microsoft.com/en-us/answers/questions/1085535/in-vwan-how-do-i-completely-prevent-an-internal-vn

    https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies

    https://learn.microsoft.com/en-us/answers/questions/1476560/cant-connect-after-adding-default-route

    1 person found this answer helpful.
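
Worked example, added here and not part of the original question or answer: a Bicep deployment of the configuration the accepted answer describes. It assumes an existing secured vWAN hub (parameter hubName) running Azure Firewall with routing intent; the resource names, address ranges and the firewall private IP 10.0.0.4 are placeholders. The connection is created with default-route propagation disabled, and a 0.0.0.0/0 route pointing at the hub firewall is attached only to the VM and AKS subnets. AzureBastionSubnet deliberately gets no route table: a 0.0.0.0/0 UDR on that subnet is not supported, and Bastion needs its own outbound path. The Bastion host itself and the firewall rules are out of scope.

```bicep
// Added example (not from the original Q&A). Spoke VNet hosting Azure Bastion,
// connected to a vWAN secured hub with "Propagate default route" disabled,
// plus a UDR that sends VM/AKS Internet traffic to the hub firewall.
// Names, ranges and the firewall IP below are assumptions, not real values.

targetScope = 'resourceGroup'

@description('Existing secured vWAN hub (Azure Firewall + routing intent). Assumed name.')
param hubName string = 'vhub-prod'

@description('Private IP of the Azure Firewall in the hub. Assumed value; look it up on the firewall resource.')
param hubFirewallPrivateIp string = '10.0.0.4'

param location string = resourceGroup().location

// Route table for workload subnets only. The default route is supplied by hand
// because the hub no longer injects it once propagation is disabled.
resource rtWorkload 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-workload-via-hub-fw'
  location: location
  properties: {
    // Keep the routes the hub still propagates (other spokes, branches).
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'default-via-hub-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: hubFirewallPrivateIp
        }
      }
    ]
  }
}

resource spoke 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-spoke-bastion'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.10.0.0/16'
      ]
    }
    subnets: [
      {
        // No routeTable here: a 0.0.0.0/0 UDR on AzureBastionSubnet is unsupported.
        name: 'AzureBastionSubnet'
        properties: {
          addressPrefix: '10.10.0.0/26'
        }
      }
      {
        name: 'snet-vm'
        properties: {
          addressPrefix: '10.10.1.0/24'
          routeTable: {
            id: rtWorkload.id
          }
        }
      }
      {
        name: 'snet-aks'
        properties: {
          addressPrefix: '10.10.2.0/23'
          routeTable: {
            id: rtWorkload.id
          }
        }
      }
    ]
  }
}

resource hub 'Microsoft.Network/virtualHubs@2023-05-01' existing = {
  name: hubName
}

// vWAN connection for the spoke. enableInternetSecurity=false is the portal's
// "Propagate default route: Disabled", which the Bastion FAQ requires.
resource spokeConnection 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2023-05-01' = {
  parent: hub
  name: 'conn-spoke-bastion'
  properties: {
    remoteVirtualNetwork: {
      id: spoke.id
    }
    enableInternetSecurity: false
    routingConfiguration: {
      associatedRouteTable: {
        id: '${hub.id}/hubRouteTables/defaultRouteTable'
      }
      propagatedRouteTables: {
        ids: [
          {
            id: '${hub.id}/hubRouteTables/defaultRouteTable'
          }
        ]
        labels: [
          'default'
        ]
      }
    }
  }
}
```

Deploy with `az deployment group create --template-file spoke.bicep --parameters hubName=<hub> hubFirewallPrivateIp=<ip>`, then check a VM NIC in snet-vm with `az network nic show-effective-route-table`: 0.0.0.0/0 should appear once, with next hop type VirtualAppliance and the firewall IP, rather than a hub-propagated default. An AKS cluster in snet-aks must be created with outbound type userDefinedRouting so it does not expect a load-balancer egress path, and the hub firewall needs rules for the cluster's required egress FQDNs as well as for the VM traffic.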

1 additional answer

  Raviraj Velankar 136 Reputation points
    2025-02-01T03:29:57.48+00:00

    Thank you @Chiugo Okpala for the clarification.

    1 person found this answer helpful.
