MLZ & Tier3: Disable route propagation on spoke route tables #928

Closed
jamasten opened this issue Mar 9, 2024 · 0 comments · Fixed by #932

jamasten commented Mar 9, 2024

Change the routing tables applied to the spoke subnets to not propagate gateway routes. This prevents inadvertent routing that bypasses the firewall when a Virtual Network Gateway is added for an S2S VPN or ExpressRoute. For example, when an S2S VPN connection is created and BGP advertisement is used, BGP routes are by default automatically advertised to spoke subnets. Consequently, traffic from the spokes automatically bypasses the firewall, goes to the GatewaySubnet, and ends up on premises.

@jamasten jamasten added the bicep Related to Bicep code label Mar 9, 2024
@jamasten jamasten added this to the March 2024 Sprint milestone Mar 12, 2024
@jamasten jamasten linked a pull request Mar 12, 2024 that will close this issue
@jamasten jamasten self-assigned this Mar 12, 2024
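
A spoke route table with the setting this issue asks for, as an added example in Bicep that is not the project's own code or the change merged in #932. The parameter names, the spoke name and the firewall address are assumptions made for illustration.

```bicep
// Added example: names and values below are assumptions, not taken from the MLZ repository.
param location string = resourceGroup().location
param spokeName string = 'tier3'                      // hypothetical spoke name
param firewallPrivateIpAddress string = '10.0.128.4'  // constructed sample address

resource spokeRouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: '${spokeName}-rt'
  location: location
  properties: {
    // The default is false, which lets routes learned by a Virtual Network
    // Gateway over BGP reach the subnets this table is associated with.
    // An advertised on-premises prefix is more specific than 0.0.0.0/0, so it
    // wins by longest-prefix match and spoke traffic goes to the gateway
    // without crossing the firewall. Setting true keeps those routes out.
    disableBgpRoutePropagation: true
    routes: [
      {
        // Send everything from the spoke through the hub firewall.
        name: 'default-to-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIpAddress
        }
      }
    ]
  }
}

// Expose the deployed value so a pipeline step can check it after deployment.
output bgpPropagationDisabled bool = spokeRouteTable.properties.disableBgpRoutePropagation
```

The route table only affects subnets it is associated with, so each spoke subnet still needs its `routeTable` reference set to this resource.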