Azure Virtual WAN Route Map Tips: Allow specific routes and drop others

Photo By Phil Huang @ Xinyi Dist. Taipei, Taiwan

When designing route map rules in Azure Virtual WAN, in addition to selecting the connection type and choosing the inbound or outbound direction, you also need to write the actual route map rules. The two use cases below show the rule ordering and the Next step setting that a simple allow-list needs.

Use Case 1: Only allow a specific network prefix, drop all other prefixes

I only want to allow the specific route prefix 10.102.33.0/24 and reject all other prefixes.

Before

use-case-1-before

Apply Azure Route Map

phil-use-case-1

You need to write 2 rules in the same route map (phil-use-case-1), evaluated in this order:

  1. only_allow_10.102.33.0_24
  2. deny_all
rule-1-only_allow_10.102.33.0_24
  • Because 10.102.33.0/24 must pass without being affected by the subsequent deny_all rule, Next step is set to Terminate, so that a matched route is not evaluated against the rules that follow.

According to Azure Virtual WAN - Route Maps - Conditions and Limitations:

Multiple rules are supported. If the first rule isn't matched, then the second rule is evaluated. Select Terminate in the Next step field to end the list of rules in the route-map. When no rule is matched, the default is to allow, not to deny.
  • Route map actions do not include an explicit "allow" action, so this rule uses the route summarization (prefix replacement) action with the route summarized to itself: 10.102.33.0/24 is replaced by 10.102.33.0/24. The action leaves the prefix unchanged; it is the Terminate next step that keeps the route away from deny_all.
rule-2-deny_all
  • deny_all has no match condition and uses the Drop action, so every route that rule 1 did not terminate is dropped. According to the same Azure documentation:

If a route-map is created without a match condition, all routes from the applied connection will be matched.

After

use-case-1-after
  • Regarding 10.102.33.0/24: after the phil-use-case-1 route map is applied, this is the only route from the connection that remains.
  • Regarding 10.102.0.0/24: this subnet is the address space of the Azure Virtual Hub. According to Azure Virtual WAN - Route Maps - Conditions and Limitations, it is not affected by the rules of the route map, so it is still advertised even though deny_all would otherwise match it.
Route-maps won't be applied to the hub address space

Use Case 2: Only allow the prefixes contained in a summary route, drop all other prefixes

Before

use-case-2-before

Apply Route Map

phil-use-case-2

You need to write 2 rules in the same route map (phil-use-case-2), evaluated in this order:

  1. only_allow_10.102.0.0_16
  2. deny_all
rule-1-only_allow_10.102.0.0_16
  • This rule uses the same route summarization action as Use Case 1, but with Match Condition > Criterion set to Contains and 10.102.0.0/16 as the prefix, so it matches every route that falls inside 10.102.0.0/16:
    • 10.102.11.0/24
    • 10.102.22.0/24
    • 10.102.33.0/24
    • 10.102.44.0/24
  • Because the routes summarized into 10.102.0.0/16 must pass without being affected by the subsequent deny_all rule, Next step is set to Terminate, so that a matched route is not evaluated against the rules that follow.

According to Azure Virtual WAN - Route Maps - Conditions and Limitations:

Multiple rules are supported. If the first rule isn't matched, then the second rule is evaluated. Select Terminate in the Next step field to end the list of rules in the route-map. When no rule is matched, the default is to allow, not to deny.
rule-2-deny_all
  • deny_all has no match condition and uses the Drop action, so every route that rule 1 did not terminate is dropped. According to the same Azure documentation:

If a route-map is created without a match condition, all routes from the applied connection will be matched.

After

use-case-2-after
  • With this outbound route map applied, the connection propagates only 2 routes:
    • Summarized route: 10.102.0.0/16 (the four /24 prefixes matched by rule 1 are advertised as this single prefix)
    • Virtual Hub route: 10.102.0.0/24
  • Regarding 10.102.0.0/24: this subnet is the address space of the Azure Virtual Hub. According to Azure Virtual WAN - Route Maps - Conditions and Limitations, it is not affected by the rules of the route map.
Route-maps won't be applied to the hub address space
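To see why the order of the rules and the Terminate next step matter in both use cases above, here is a small evaluator added to this post (it is not part of the original post and not Azure code) that applies the two route maps to a constructed route list and also shows the two pitfalls: setting rule 1 to Continue instead of Terminate, and leaving out deny_all. The rule dictionaries are written in the shape of the ARM/Bicep routeMaps rule schema (name, matchCriteria, actions, nextStepIfMatched), which is an assumption about the API; the route list and the unrelated prefix 10.200.0.0/24 are constructed, since the "Before" screenshots are not reproduced here. The evaluation semantics are the ones quoted from the Azure documentation: first match applies, Terminate stops, unmatched routes are allowed, and the hub address space is exempt.

```python
import ipaddress

# Constructed sample input (assumption): routes learned on the connection before
# the route map is applied; the post's "Before" screenshots are not reproduced, so
# this uses the prefixes it mentions plus one unrelated prefix for "other routes".
HUB_ADDRESS_SPACE = "10.102.0.0/24"
BEFORE = ["10.102.0.0/24", "10.102.11.0/24", "10.102.22.0/24",
          "10.102.33.0/24", "10.102.44.0/24", "10.200.0.0/24"]

# Rules in the shape of the ARM/Bicep routeMaps rule schema (name, matchCriteria,
# actions, nextStepIfMatched); that shape is an assumption, not quoted from the post.
DENY_ALL = {
    "name": "deny_all",
    "matchCriteria": [],  # no match condition: matches every route that reaches it
    "actions": [{"type": "Drop", "parameters": []}],
    "nextStepIfMatched": "Terminate",
}
USE_CASE_1 = [
    {   # allow 10.102.33.0/24 by summarizing it to itself, then stop evaluating
        "name": "only_allow_10.102.33.0_24",
        "matchCriteria": [{"matchCondition": "Equals", "routePrefix": ["10.102.33.0/24"]}],
        "actions": [{"type": "Replace", "parameters": [{"routePrefix": ["10.102.33.0/24"]}]}],
        "nextStepIfMatched": "Terminate",
    },
    DENY_ALL,
]
USE_CASE_2 = [
    {   # allow everything inside 10.102.0.0/16 by summarizing it to the /16, then stop
        "name": "only_allow_10.102.0.0_16",
        "matchCriteria": [{"matchCondition": "Contains", "routePrefix": ["10.102.0.0/16"]}],
        "actions": [{"type": "Replace", "parameters": [{"routePrefix": ["10.102.0.0/16"]}]}],
        "nextStepIfMatched": "Terminate",
    },
    DENY_ALL,
]


def rule_matches(net, criteria):
    """True if the route satisfies every criterion; an empty list matches everything."""
    for crit in criteria:
        prefixes = [ipaddress.ip_network(p) for p in crit.get("routePrefix", [])]
        inside = any(net.subnet_of(p) for p in prefixes)   # "Contains" semantics
        equal = any(net == p for p in prefixes)
        ok = {"Equals": equal, "NotEquals": not equal,
              "Contains": inside, "NotContains": not inside}[crit["matchCondition"]]
        if not ok:
            return False
    return True


def evaluate_route_map(routes, rules, hub_space=HUB_ADDRESS_SPACE):
    """Return the prefixes still advertised after the route map is applied.

    Modelled on the behaviour the post quotes from the Azure docs: rules run in
    order, the first match applies its actions, Terminate stops evaluation for that
    route while Continue goes on to the next rule, a route matching no rule is
    allowed unchanged, and the hub address space is never touched. Several routes
    summarized to the same prefix are advertised once.
    """
    hub = ipaddress.ip_network(hub_space)
    advertised = []
    for prefix in routes:
        current = ipaddress.ip_network(prefix)
        dropped = False
        if current != hub:  # route-maps won't be applied to the hub address space
            for rule in rules:
                if not rule_matches(current, rule["matchCriteria"]):
                    continue
                for action in rule["actions"]:
                    if action["type"] == "Drop":
                        dropped = True
                    elif action["type"] == "Replace":
                        current = ipaddress.ip_network(action["parameters"][0]["routePrefix"][0])
                if dropped or rule["nextStepIfMatched"] == "Terminate":
                    break
        if not dropped and current not in advertised:
            advertised.append(current)
    return [str(n) for n in advertised]


def with_next_step(rules, rule_name, next_step):
    """Copy of rules with one rule's nextStepIfMatched changed, to show the Terminate pitfall."""
    return [dict(r, nextStepIfMatched=next_step) if r["name"] == rule_name else r for r in rules]


if __name__ == "__main__":
    print("use case 1:", evaluate_route_map(BEFORE, USE_CASE_1))
    print("use case 2:", evaluate_route_map(BEFORE, USE_CASE_2))
    # Continue instead of Terminate: deny_all also drops the route rule 1 meant to allow.
    print("no Terminate:", evaluate_route_map(
        BEFORE, with_next_step(USE_CASE_1, "only_allow_10.102.33.0_24", "Continue")))
    # No deny_all at all: every unmatched route is allowed by default.
    print("no deny_all:", evaluate_route_map(BEFORE, USE_CASE_1[:1]))
```

Running it reproduces the two "After" results (hub route plus 10.102.33.0/24 for use case 1, hub route plus the 10.102.0.0/16 summary for use case 2). The two pitfall runs are the point: with Continue on rule 1 the only surviving route is the hub address space, because deny_all catches the route that rule 1 had just matched, and without deny_all every route is propagated, because a route that matches no rule is allowed. Before relying on a production route map, compare the effective routes on the connection against the expected list the same way rather than trusting the rule text.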