Azure cheat sheet for routing precedence and route path control.
- LPM (Longest Prefix Match) rules!
- Routes with the longest prefix match of the destination will be taken
- LPM == "more specific route"
- 10.0.0.0/24 is more specific than 10.0.0.0/16
- Tie breaker (same prefix length) - Static (UDR) >> BGP >> System
- Static routes
- User-defined routes
- Private Endpoints
- Service endpoints*
- Vnet Peering*
- (*) Added by the platform to the Effective Routes table, but you can override them with UDRs - the routes for 168.63.129.16 (Azure platform: DHCP/DNS/health probes) and 169.254.169.254 (instance metadata) cannot be overridden
- BGP / Gateway routes
- BGP routes learned over ExpressRoute, VPN, or from Azure Route Server --> injected into every subnet of the Vnet (and into peered Vnets that use the gateway via gateway transit)
- Static (non-BGP) VPN routes - the on-premises prefixes configured on the local network gateway, also shown with source VirtualNetworkGateway
- System routes
- Intra-Vnet direct (Vnet address space --> VirtualNetwork) & default to Internet (0.0.0.0/0 --> Internet)
- Other default system routes: 10.0.0.0/8, 192.168.0.0/16 and 100.64.0.0/10 --> None (traffic dropped) unless a Vnet address space, a BGP route or a UDR covers the prefix
- Hub-and-Spoke routing
- Prefer Vnet peering over ExpressRoute or VPN Vnet-to-Vnet
- Prefer Vnet Service Endpoint routes (Storage & SQL) over BGP routes - they are more specific than a forced-tunneling default route, so LPM picks them
- Prefer ExpressRoute over VPN in coexistence scenarios
- Prefer ExpressRoute connections with higher connection weight
- Prefer the "shortest" AS path - AS PATH prepending from on-premises is honored
- Spoke-to-spoke via a single hub is NOT connected by default - Vnet peering is non-transitive
- Spoke-to-spoke via a single hub can be enabled with UDRs in each spoke (0.0.0.0/0 or the other spoke's Vnet address space) pointing at an NVA in the hub.
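To make the LPM rule and the Static >> BGP >> System tie breaker concrete, here is an added example (not from the original cheat sheet, not Azure code) that simulates how the effective route for a destination is chosen from an effective-routes table. The table, the spoke/hub address spaces and the NVA address 10.0.1.4 are constructed for illustration; the Source values (Default, User, VirtualNetworkGateway) are the ones Azure shows in its effective-routes output.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Route "Source" values as Azure reports them in the effective-routes table.
# When two routes have the same prefix length the lower number wins:
# User (UDR) beats VirtualNetworkGateway (BGP / gateway) beats Default (system).
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                 # e.g. "10.0.0.0/16"
    next_hop_type: str          # VirtualNetwork, VNetPeering, Internet, None, VirtualAppliance, ...
    source: str                 # Default | User | VirtualNetworkGateway
    next_hop_ip: Optional[str] = None
    state: str = "Active"       # Invalid routes never take part in the lookup

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)


def select_route(routes, dst: str) -> Optional[Route]:
    """Pick the effective route for dst: longest prefix first, then source priority."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if r.state == "Active" and dst_ip in r.network]
    if not candidates:
        return None
    # max() on (prefixlen, -priority): longer prefix wins; on a tie the better source wins.
    return max(candidates, key=lambda r: (r.network.prefixlen, -SOURCE_PRIORITY[r.source]))


# Constructed effective-routes table for a NIC in spoke Vnet 10.1.0.0/16, peered to hub
# 10.0.0.0/16 which hosts an NVA at 10.0.1.4 (hypothetical addresses, not from a real tenant).
SPOKE_EFFECTIVE_ROUTES = [
    Route("10.1.0.0/16", "VirtualNetwork", "Default"),                           # own address space
    Route("10.0.0.0/16", "VNetPeering", "Default"),                              # hub, via peering
    Route("0.0.0.0/0", "Internet", "Default"),                                   # system default
    Route("10.0.0.0/8", "None", "Default"),                                      # system: dropped
    Route("192.168.0.0/16", "None", "Default"),                                  # system: dropped
    Route("192.168.10.0/24", "VirtualNetworkGateway", "VirtualNetworkGateway"),  # BGP from on-prem
    Route("0.0.0.0/0", "VirtualAppliance", "User", "10.0.1.4"),                  # UDR: force-tunnel to NVA
    Route("10.0.0.0/16", "VirtualAppliance", "User", "10.0.1.4"),                # UDR: overrides peering route
    Route("10.2.0.0/16", "VirtualAppliance", "User", "10.0.1.4"),                # UDR: spoke-to-spoke via NVA
]


def explain(dst: str) -> str:
    """Human-readable result for one destination."""
    r = select_route(SPOKE_EFFECTIVE_ROUTES, dst)
    if r is None:
        return f"{dst}: no route"
    hop = f" via {r.next_hop_ip}" if r.next_hop_ip else ""
    return f"{dst}: {r.prefix} -> {r.next_hop_type}{hop} (source={r.source})"


if __name__ == "__main__":
    for dst in ("10.1.0.5", "10.0.5.5", "10.2.0.9", "192.168.10.7", "10.200.1.1", "8.8.8.8"):
        print(explain(dst))
```

Two results are worth a second look. 10.0.5.5 matches both the system peering route and the UDR for 10.0.0.0/16; the prefix lengths tie, so the UDR wins and hub traffic is steered through the NVA. 10.200.1.1 is caught by the system 10.0.0.0/8 --> None route, which is more specific than the 0.0.0.0/0 UDR, so it is dropped rather than force-tunneled; if you want the NVA to see that traffic you need a UDR covering 10.0.0.0/8 too.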
- ECMP - Equal-Cost, Multi-Path
- "When in doubt, spread..."
- Multiple paths (next hops) to the same destination
- Two UDR routes to different virtual appliances
- Active-active VPN gateway
- Multipath topology via BGP routing
- Spreading is on "flows"
- Packets of one flow always follow the same path (gateways, tunnels)
- Flow = 5-tuple (protocol, source IP, source port, destination IP, destination port) for TCP/UDP
- Prefer one path over the others
- MUST be done on BOTH ends to prevent asymmetric routing (a stateful firewall or NVA on one path drops return traffic whose start it never saw)
- Azure --> on-premises network
- AS PATH prepending on the on-premises side - advertise routes over the less-preferred link with a longer AS path
- Azure gateways will favor or prefer routes with shorter AS paths
- ExpressRoute connection weight - give the connection to the closer (preferred) circuit a higher weight; the higher weight wins
- On-premises network --> Azure
- Local preference
- Again: MUST be done on BOTH ends - a one-sided preference is exactly what produces asymmetric routing
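The per-flow behaviour of ECMP and the "both ends" rule are easier to see in a small simulation. The following is an added example written for this page (not Azure platform code; Azure's real hash function is internal and not published here): it hashes the 5-tuple onto a set of equal-cost next hops, shows that every packet of a flow stays on one path while different flows spread, and counts how many flows become asymmetric when only one side pins the path. The flows, tunnel names and addresses are constructed.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        """The 5-tuple of the return traffic for this flow."""
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def pick_next_hop(flow: Flow, next_hops: list) -> str:
    """Hash the 5-tuple onto one of the equal-cost next hops.
    Every packet of the same flow hashes identically, so the flow sticks to one path."""
    key = f"{flow.proto}|{flow.src_ip}|{flow.src_port}|{flow.dst_ip}|{flow.dst_port}".encode()
    digest = hashlib.sha256(key).digest()   # any stable hash works; SHA-256 is just convenient here
    return next_hops[int.from_bytes(digest[:8], "big") % len(next_hops)]


def spread(flows, next_hops) -> Counter:
    """How many flows land on each next hop."""
    return Counter(pick_next_hop(f, next_hops) for f in flows)


def asymmetric_flows(flows, azure_hops, onprem_hops) -> list:
    """Flows whose outbound path (chosen in Azure) differs from the return path
    (chosen independently by the on-premises side). A stateful firewall on either
    tunnel then sees only half of the conversation and drops it."""
    return [f for f in flows
            if pick_next_hop(f, azure_hops) != pick_next_hop(f.reverse(), onprem_hops)]


# Constructed sample: 200 TCP flows from one Azure VM to one on-prem server, each from a
# different ephemeral source port (hypothetical addresses).
SAMPLE_FLOWS = [Flow("tcp", "10.1.0.5", 49152 + i, "192.168.10.7", 443) for i in range(200)]
TUNNELS = ["tunnel-A", "tunnel-B"]   # two equal-cost paths, e.g. an active-active VPN gateway


if __name__ == "__main__":
    one = SAMPLE_FLOWS[0]
    print("same flow, 5 packets:", {pick_next_hop(one, TUNNELS) for _ in range(5)})
    print("200 flows spread:", dict(spread(SAMPLE_FLOWS, TUNNELS)))
    print("asymmetric flows when both ends ECMP independently:",
          len(asymmetric_flows(SAMPLE_FLOWS, TUNNELS, TUNNELS)))
    print("asymmetric flows when only Azure prefers tunnel-A:",
          len(asymmetric_flows(SAMPLE_FLOWS, ["tunnel-A"], TUNNELS)))
    print("asymmetric flows when both ends prefer tunnel-A:",
          len(asymmetric_flows(SAMPLE_FLOWS, ["tunnel-A"], ["tunnel-A"])))
```

Pinning the path on the Azure side alone (connection weight, or honoring a prepended AS path) is modelled by passing a single-element hop list for Azure while on-premises still spreads; roughly half the flows come back over the other tunnel. Only when both sides pass a single hop does the asymmetric count drop to zero.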
BGP table vs. routing table vs. forwarding table: what's the difference?
Let's define each before looking at how they differ and how they fit together.
- BGP table: the list of prefixes our peers have advertised to us on their BGP sessions, with the path attributes they carried.
- Routing table: the list of routes we have learned from all sources, including static configuration and routes selected from BGP.
- Forwarding table: the table the router actually uses to decide where to forward a packet. Often wrongly called the "routing table". It contains only the effective routes.
Interaction between tables
- Routes from the BGP table are installed in the routing table unless they are malformed or a route policy / ACL (or other configuration) explicitly filters them.
- Routes from the routing table would be put into the forwarding table only when they're considered valid.
- An example of an invalid route is one whose next-hop IP address is not directly reachable on any of the router's interfaces. That route may exist in the routing table, and in the BGP table if that is how we learned it, but it will never reach the forwarding table.
- Overlapping routes are another case of routes that sit in the routing table but not in the forwarding table. Given two routes with the same destination and prefix length, the router uses the other route attributes (weight, AS PATH, and so on) to choose which one is installed in the forwarding table.
- Routes in the forwarding table are considered active and effective and should be the ones initially reviewed when troubleshooting routing issues.
- The forwarding table is the source of truth for packet forwarding.
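The two filters described above (next hop not on a directly attached subnet, and same-prefix overlap resolved by attributes) are shown in this added example, which is not part of the original page and is not any vendor's implementation. It derives a forwarding table from a constructed routing table and then answers lookups from the forwarding table only. The interface addresses, prefixes and AS numbers are constructed (RFC 5737 documentation ranges and private ASNs), and the source preference is a simplified administrative distance; the reachability check deliberately follows the page's rule and ignores recursive next-hop resolution that real routers perform.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplified preference between sources: lower is better (modelled on administrative distance).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "bgp": 20}


@dataclass(frozen=True)
class Interface:
    name: str
    address: str    # interface address with mask, e.g. "192.0.2.1/30"


@dataclass(frozen=True)
class RibEntry:
    prefix: str
    protocol: str                   # "connected" | "static" | "bgp"
    next_hop: Optional[str] = None  # None for connected routes
    as_path: tuple = ()             # BGP only
    weight: int = 0                 # BGP only, higher is better


def next_hop_reachable(next_hop: str, interfaces) -> bool:
    """True if next_hop lies on a subnet directly attached to one of our interfaces."""
    ip = ipaddress.ip_address(next_hop)
    return any(ip in ipaddress.ip_interface(i.address).network for i in interfaces)


def rank(entry: RibEntry) -> tuple:
    """Lower sorts better: source preference, then higher weight, then shorter AS_PATH."""
    return (ADMIN_DISTANCE[entry.protocol], -entry.weight, len(entry.as_path))


def build_fib(rib, interfaces) -> dict:
    """Derive the forwarding table: drop routes with an unreachable next hop and, among
    routes for exactly the same prefix, keep only the best one."""
    fib = {}
    for entry in rib:
        if entry.protocol != "connected" and not next_hop_reachable(entry.next_hop, interfaces):
            continue  # invalid: stays in the RIB (and BGP table) but is never installed
        net = ipaddress.ip_network(entry.prefix, strict=False)
        if net not in fib or rank(entry) < rank(fib[net]):
            fib[net] = entry
    return fib


def forward(fib: dict, dst: str) -> Optional[RibEntry]:
    """Longest prefix match against the FIB only; the RIB is not consulted."""
    ip = ipaddress.ip_address(dst)
    matches = [net for net in fib if ip in net]
    return fib[max(matches, key=lambda n: n.prefixlen)] if matches else None


# Constructed router state (documentation addresses and private ASNs, not a real network).
INTERFACES = [Interface("Gi0/0", "192.0.2.1/30"), Interface("Gi0/1", "198.51.100.1/30")]
RIB = [
    RibEntry("192.0.2.0/30", "connected"),
    RibEntry("198.51.100.0/30", "connected"),
    RibEntry("10.0.0.0/8", "bgp", "192.0.2.2", as_path=(65001,)),                  # direct AS path
    RibEntry("10.0.0.0/8", "bgp", "198.51.100.2", as_path=(65002, 65002, 65001)),  # prepended: loses
    RibEntry("10.0.0.0/16", "static", "198.51.100.2"),                            # more specific: wins LPM
    RibEntry("203.0.113.0/24", "bgp", "203.0.113.254", as_path=(65003,)),         # next hop not on-link
]

if __name__ == "__main__":
    fib = build_fib(RIB, INTERFACES)
    print(f"RIB has {len(RIB)} routes, FIB has {len(fib)}")
    for dst in ("10.5.5.5", "10.0.9.9", "203.0.113.10", "192.0.2.2"):
        r = forward(fib, dst)
        print(dst, "->", f"{r.prefix} via {r.next_hop or 'connected'} [{r.protocol}]" if r else "no route")
```

Six RIB entries become four FIB entries: the prepended 10.0.0.0/8 path loses the same-prefix comparison, and 203.0.113.0/24 is never installed because its next hop is not on an attached subnet. When troubleshooting, this is why you start from the forwarding table: a route that is visible in the BGP output or the routing table can still be absent from what the router actually uses.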