ExpressRoute Not Advertising VNet CIDRs to AWS

Question

ExpressRoute Not Advertising VNet CIDRs to AWS

Ahmet Yavuz Demir 0

Hello Azure Support Team,

I have an ExpressRoute circuit named btcturk-global-circuit in the West Europe location (Resource Group: Pending). It is linked via Azure Private Peering to an AWS Direct Connect VIF. The BGP session is up and stable, and from the Azure side, I can see that AWS is advertising 172.25.0.0/16.

However, on the AWS side, they never learn my Azure VNet CIDR (10.0.0.0/16). The AWS route table shows no propagated routes from Azure. Our ExpressRoute gateway (btcturk-vnet-gw) is in the same VNet (PendingVNet) that has the address space 10.0.0.0/16, with subnets defined (10.0.0.0/24, 10.0.1.0/24, etc.).

I suspect I need to enable Global Reach or otherwise configure the ExpressRoute circuit to advertise the Azure VNet CIDRs back to AWS. Could you please:

Confirm which steps/settings are required so that 10.0.0.0/16 is exported to AWS?
Verify if there are any route filters or additional ExpressRoute configurations I must enable to ensure that the VNet CIDRs propagate over the private peering to AWS?
Confirm there are no region constraints or SKU limitations that would prevent route advertisement from this West Europe gateway?

I appreciate your assistance troubleshooting why 10.0.0.0/16 is not seen on AWS. Please let me know what else I can provide or configure on my end to resolve this routing issue.

Thank you and kind regards,
Ahmet Yavuz Demir

Sai Prasanna Sinde 4,335 Reputation points Microsoft External Staff

2025-02-19T07:50:53.8666667+00:00

Hi @Anonymous

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Please try to double check the Azure Private Peering configuration for your ExpressRoute circuit. Make sure the parameters (VLAN ID, Peer ASN, Primary and Secondary Subnets & BGP Session Status) are correctly configured. Please refer the document.

ExpressRoute circuits have a maximum prefix limit that can be advertised. For Standard SKU circuits, this limit is 4,000 IPv4 prefixes, and for Premium SKU circuits, it's 10,000. Exceeding this limit can prevent route advertisements. Make sure the total number of prefixes advertised from your Azure VNet and on-premises network (AWS) doesn't exceed this limit.

Global Reach is a feature of ExpressRoute that allows you to connect your on-premises networks through their respective ExpressRoute circuits. It essentially extends your on-premises networks into Microsoft's global network. In your environment, if you have 2 different locations With ExpressRoute Global Reach, you can link ExpressRoute circuits to create a private network between your on-premises networks.

Note: To enable ExpressRoute Global Reach between different geopolitical regions, your circuits must be Premium SKU.

Reference: Global reach availability

ExpressRoute virtual network gateways come in various SKUs, each with different performance characteristics. The SKU you choose affects the bandwidth, throughput, and the number of routes that the gateway can handle. Make sure your gateway SKU ("btcturk-vnet-gw") is appropriate for your network traffic and the number of prefixes you're advertising.

If you have any VPN connections configured alongside ExpressRoute, investigate the possibility of asymmetric routing and make sure traffic flows consistently through ExpressRoute.

Utilize the Azure Connectivity Toolkit (AzureCT), a PowerShell module, to perform network diagnostics and performance tests between your on-premises network and Azure. This tool can help pinpoint potential latency issues.

Use tools like ping and traceroute to test basic connectivity between your Azure VNet and AWS resources. This helps isolate potential network connectivity problems.

Kindly let us know if the above helps or you need further assistance on this issue.
Venkat V 775 Reputation points Microsoft External Staff

2025-02-20T06:09:04.4+00:00
Hi @Ahmet Yavuz Demir

You can verify the below troubleshooting steps if AWS is not receiving 10.0.0/16 from Azure.

Verify Route Advertisement from Azure: Go to Azure Portal → ExpressRoute Circuit → Peerings → Azure Private Peering → View Route Table Summary and check if 10.0.0.0/16 is listed.Follow the Verify ExpressRoute connectivity for more details.

Check ExpressRoute Gateway Configuration: Navigate to Virtual Network Gateways → btcturk-vnet-gw → Overview, ensure it is linked to PendingVNet, and confirm BGP is enabled under Configuration. Refer the link

Manually Advertise Missing Routes: If 10.0.0.0/16 is not advertised, update the Advertised Prefixes in the ExpressRoute Gateway Configuration and save changes.

Verify ExpressRoute SKU: In Azure Portal → ExpressRoute Circuit → Overview, check if the SKU is Premium (needed for cross-region connectivity); upgrade if necessary.

Enable Global Reach (If Needed): If using multiple ExpressRoute circuits, enable Global Reach under ExpressRoute Circuit → Peerings → Azure Private Peering and save changes.

Verify AWS Route Table & Policies: In AWS Console → Direct Connect → Virtual Interface → Route Tables, check if 10.0.0.0/16 is learned; ensure route propagation is enabled and no AWS route filters block it.

Reference: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-set-global-reach

2 answers

Your answer

Venkat V 775 Reputation points Microsoft External Staff

2025-02-20T06:09:04.4+00:00

Hi @Ahmet Yavuz Demir

You can verify the below troubleshooting steps if AWS is not receiving 10.0.0/16 from Azure.

Verify Route Advertisement from Azure: Go to Azure Portal → ExpressRoute Circuit → Peerings → Azure Private Peering → View Route Table Summary and check if 10.0.0.0/16 is listed.Follow the Verify ExpressRoute connectivity for more details.

Check ExpressRoute Gateway Configuration: Navigate to Virtual Network Gateways → btcturk-vnet-gw → Overview, ensure it is linked to PendingVNet, and confirm BGP is enabled under Configuration. Refer the link

Manually Advertise Missing Routes: If 10.0.0.0/16 is not advertised, update the Advertised Prefixes in the ExpressRoute Gateway Configuration and save changes.

Verify ExpressRoute SKU: In Azure Portal → ExpressRoute Circuit → Overview, check if the SKU is Premium (needed for cross-region connectivity); upgrade if necessary.

Enable Global Reach (If Needed): If using multiple ExpressRoute circuits, enable Global Reach under ExpressRoute Circuit → Peerings → Azure Private Peering and save changes.

Verify AWS Route Table & Policies: In AWS Console → Direct Connect → Virtual Interface → Route Tables, check if 10.0.0.0/16 is learned; ensure route propagation is enabled and no AWS route filters block it.

Reference: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-set-global-reach

Answer 1

Hi @Ahmet Yavuz Demir,

Based on the provided information, I would like to share a few information with you.

Your configuration on Azure side looks correct.
You don't have any route filter option in Azure for Express route private peering, so you don't have to configure this.
I also understand you have only one VNET with one address space. So, it will not hit the maximum prefix limit on Azure side.
There might be possibility of having any route filter on AWS side which is restricting it to learn the route from Azure.
As you have already shared the prefixes, is it possible to share below screenshot.
Go to EXPRESSROUTE--->Peerings--->Azure Private --->View route table summary
There is no option in the portal/Az cli to get the advertised routes from ER but if you see any route learnt from different AS than AWS , it should be advertised to that ideally.

Please let me know if this helps.

Answer 2

@Ahmet Yavuz Demir ,

Greetings.

I see Sai Prasanna Sinde and Vallepu Venkateswarlu has shared their observations.

Ideally,

No additional step is required by the customer to make the Circuit advertise the routes from the Gateway's VNET it is connected to
It should be automatic

As next steps,

Can you verify if the MSEE (Circuit) is advertising the routes from Azure end?
You can use the Get-AzExpressRouteCircuitRouteTable command
- You can also use Get-AzExpressRouteCircuitRouteTableSummary command for BGP neighbor information
While the above command fetches the information from ExpressRoute Circuit, you should also check for the ExR Gateway - whether or not it is advertising the routes from the VNET
You can use Get-AzVirtualNetworkGatewayAdvertisedRoute command for this

Can you please share the results for Get-AzExpressRouteCircuitRouteTable and Get-AzVirtualNetworkGatewayAdvertisedRoute ?

Additionally, you can use Get-AzVirtualNetworkGatewayLearnedRoute to check if the Gateway learns the route from AWS or not as well.

Cheers,

Kapil

Share via

ExpressRoute Not Advertising VNet CIDRs to AWS

2 answers

Your answer