Using Azure Route Server for Dynamic Routing


Azure Route Server is a managed Azure service that lets network virtual appliances (NVAs) exchange routes with a virtual network over BGP instead of through hand-maintained static routes. NVAs are commonly deployed in virtual networks as firewalls, SD-WAN hubs and VPN concentrators, and for tasks such as load balancing and network address translation (NAT).

Without Route Server, steering traffic through an NVA means maintaining user-defined routes (UDRs): every prefix reachable through the appliance needs a route table entry pointing at it, on every subnet that should use it, and each change on the appliance side has to be mirrored in Azure. That becomes time-consuming and error-prone as the network grows. With Route Server, each NVA establishes a BGP session with the route server, the prefixes it advertises are programmed into the VNet automatically, and the VNet's own address space (plus, optionally, routes from ExpressRoute and VPN gateways) is advertised back to the NVA.

Route Server speaks BGP only. It is a control-plane service that never forwards traffic itself, and every peer sees it as ASN 65515, which cannot be changed. It is deployed as a pair of instances in a dedicated subnet that must be named RouteServerSubnet and be at least a /27, so each NVA peers with two addresses, as the FortiGate configuration below does. Route exchange with ExpressRoute and VPN gateways is switched on with the branch-to-branch setting, and any BGP-capable NVA can peer with it, which makes it a building block for managing traffic and security in a hub-and-spoke network.

By using Azure Route Server, you can simplify your network infrastructure and reduce the administrative overhead of managing NVAs.

Topology

Configuration

Fortinet provides Terraform templates for the most common FortiGate deployment scenarios at https://github.com/fortinet/fortigate-terraform-deploy

BGP configuration on the FortiGates. The two neighbours are the two Route Server instances, 172.1.4.4 and 172.1.4.5 (the first usable addresses of the RouteServerSubnet, since Azure reserves the first four), both in ASN 65515. ebgp-enforce-multihop is required because Route Server sits in its own subnet rather than on a directly connected link, and redistributing static routes is what gets the prefixes reachable through the FortiGate into Azure; the "connected" redistribution block is left at its FortiOS default (disabled), so only static routes are advertised. Note that only the first neighbour has capability-graceful-restart enabled, so the two sessions are not configured identically. The 1 s keepalive and 3 s hold time are what give the fast failover measured below:

config router bgp
    set as 65500
    set ebgp-multipath enable
    set additional-path enable
    set graceful-restart enable
    config neighbor
        edit "172.1.4.4"
            set capability-graceful-restart enable
            set ebgp-enforce-multihop enable
            set interface "port3"
            set remote-as 65515
            set keep-alive-timer 1
            set holdtime-timer 3
        next
        edit "172.1.4.5"
            set ebgp-enforce-multihop enable
            set interface "port3"
            set remote-as 65515
            set keep-alive-timer 1
            set holdtime-timer 3
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
        set status enable
    end
end

ARS:

ARS peers:
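The Route Server and its two FortiGate peerings, expressed in Terraform as an added example (this is not code from the page or from the Fortinet templates; the resource group, VNet and subnet names, the RouteServerSubnet prefix and the FortiGate port3 addresses are assumptions, while ASN 65500 and the 172.1.4.4/172.1.4.5 instance addresses come from the FortiGate configuration above; azurerm provider 4.x is assumed):

```hcl
# Added example, not from the page or the Fortinet templates.
# Assumed: the hub VNet already exists; names and addresses below are placeholders
# except the FortiGate ASN (65500) and the 172.1.4.x RouteServerSubnet from the post.

variable "hub_resource_group" { default = "rg-hub" }   # assumed name
variable "hub_vnet_name"      { default = "vnet-hub" } # assumed name
variable "fortigate_asn"      { default = 65500 }      # "set as 65500" in the FortiGate config
variable "fortigate_port3_ips" {
  default = ["172.1.3.4", "172.1.3.5"]                 # assumed: FortiGate A/B port3 addresses
}

data "azurerm_resource_group" "hub" {
  name = var.hub_resource_group
}

# The subnet must be called RouteServerSubnet and be at least a /27. Azure reserves
# the first four addresses, so the two instances come up on .4 and .5.
resource "azurerm_subnet" "route_server" {
  name                 = "RouteServerSubnet"
  resource_group_name  = data.azurerm_resource_group.hub.name
  virtual_network_name = var.hub_vnet_name
  address_prefixes     = ["172.1.4.0/27"]   # assumed prefix, consistent with peers 172.1.4.4/.5
}

resource "azurerm_public_ip" "route_server" {
  name                = "pip-ars-hub"
  resource_group_name = data.azurerm_resource_group.hub.name
  location            = data.azurerm_resource_group.hub.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_route_server" "hub" {
  name                 = "ars-hub"
  resource_group_name  = data.azurerm_resource_group.hub.name
  location             = data.azurerm_resource_group.hub.location
  sku                  = "Standard"
  public_ip_address_id = azurerm_public_ip.route_server.id
  subnet_id            = azurerm_subnet.route_server.id
  # Only needed when VPN/ExpressRoute gateways should exchange routes with the NVAs.
  branch_to_branch_traffic_enabled = false
}

# One BGP connection per FortiGate. Route Server itself is always ASN 65515,
# so only the peer side (ASN and port3 address) is configured here.
resource "azurerm_route_server_bgp_connection" "fortigate" {
  for_each        = toset(var.fortigate_port3_ips)
  name            = "fgt-${replace(each.value, ".", "-")}"
  route_server_id = azurerm_route_server.hub.id
  peer_asn        = var.fortigate_asn
  peer_ip         = each.value
}
```

After apply, each peering should show Established on the FortiGate side (get router info bgp summary), and az network routeserver peering list-learned-routes shows which prefixes Route Server accepted from each FortiGate.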

AVX configuration:

Disable Route Propagation

Azure Route Server learns routes from the NVAs and programs them into every NIC in the virtual network (and in peered VNets that use the hub's gateway), including the NICs of the NVAs and of the Aviatrix transit gateway themselves. If those subnets are handed a route whose next hop is the very appliance that originated it, or the device on the other side of it, traffic that should leave the VNet is sent back and forth between the two forwarding hops instead. A routing loop like that degrades performance or blackholes the traffic entirely.

To prevent this when using Route Server with NVAs, route propagation has to be controlled on the subnets that must not learn the BGP routes back. The simplest way is to create an empty route table with "Propagate gateway routes" disabled and associate it with the subnets of interest, typically the NVA and transit subnets. The NICs in those subnets then keep only the system routes and any UDRs added explicitly, and the routes the NVAs advertise are no longer fed back to them.
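The empty route table with propagation disabled, in Terraform, as an added example (not from the page; the resource group, VNet and subnet names are assumptions, and azurerm provider 4.x is assumed, where the attribute is bgp_route_propagation_enabled rather than the older disable_bgp_route_propagation):

```hcl
# Added example, not from the page. Assumed: azurerm 4.x, an existing hub VNet,
# and placeholder names for the resource group, VNet and the two subnets.

variable "no_propagation_subnets" {
  # assumed names: the FortiGate port3 subnet and the Aviatrix transit subnet
  default = ["snet-fgt-port3", "snet-avx-transit"]
}

data "azurerm_resource_group" "hub_rg" {
  name = "rg-hub"                                 # assumed name
}

data "azurerm_subnet" "target" {
  for_each             = toset(var.no_propagation_subnets)
  name                 = each.value
  virtual_network_name = "vnet-hub"                # assumed name
  resource_group_name  = data.azurerm_resource_group.hub_rg.name
}

# The table carries no routes of its own; it exists only to switch propagation off.
# The default (true) would inject the Route Server-learned routes into these subnets
# as well, which is exactly what produces the loop described above.
resource "azurerm_route_table" "no_propagation" {
  name                          = "rt-no-propagation"
  location                      = data.azurerm_resource_group.hub_rg.location
  resource_group_name           = data.azurerm_resource_group.hub_rg.name
  bgp_route_propagation_enabled = false            # "Propagate gateway routes: No" in the portal
}

resource "azurerm_subnet_route_table_association" "no_propagation" {
  for_each       = data.azurerm_subnet.target
  subnet_id      = each.value.id
  route_table_id = azurerm_route_table.no_propagation.id
}
```

To confirm the effect, az network nic show-effective-route-table on a NIC in one of the associated subnets should no longer list the NVA-advertised prefixes with next hop type VirtualNetworkGateway, while NICs in the spoke subnets still do.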

Testing

Ping from the client VM, through the FortiGates and the Aviatrix fabric, to a VM running in the spoke VNet:

Failover

Failover is fast. With the 1 s keepalive and 3 s hold time configured above, the BGP session to a failed FortiGate drops within three seconds, Route Server withdraws its routes, and only two pings are lost:

Troubleshooting

The effective routes below were captured at each hop of the path. The same data can be pulled from the CLI: az network nic show-effective-route-table for any Azure NIC, az network routeserver peering list-learned-routes and list-advertised-routes for what each FortiGate session exchanges with Route Server, and get router info bgp summary together with get router info routing-table bgp on the FortiGates.

Spoke VM route table:

Spoke route table:

Transit Gateway route table:

Transit Gateway eth3 route table:

FortiGate route table:

FortiGate port3 route table:

References

https://learn.microsoft.com/en-us/azure/route-server/overview

https://github.com/fortinet/fortigate-terraform-deploy
