How to publish 0.0.0.0/0 route to expressroute BGP so traffic destined to the internet will use azure firewall as gateway

Noel Turner 20 Reputation points
2025-07-09T05:40:50.1466667+00:00

I have a hosted rack in a datacentre connected to our Azure services via ExpressRoute. The eBGP my router sees advertises the Azure VNet and peers without issue.

We want to use the Azure Firewall (probably to be replaced with Netskope SD-WAN) for internet access for the DC-hosted physical machines, but I can't see how to publish a 0.0.0.0/0 to the ExpressRoute BGP.

I have a route table with user-defined routes, and for any associated subnet in the local VNet, changes to the route table are reflected in the effective routes and the behaviour of my test VM, but I can't see how to publish this to the ExpressRoute.


Accepted answer
  1. Obinna Ejidike 2,855 Reputation points
    2025-07-09T08:35:20.18+00:00

    Hi Noel Turner

    Thanks for using the Q&A platform.

    Currently, Azure’s built‑in ExpressRoute circuit won’t automatically advertise a “catch‑all” (0.0.0.0/0) back to your on‑prem router; ExpressRoute only exports the prefixes it learns unless you bring in a route management appliance. To get your on‑prem devices to send internet‑bound traffic to Azure:

    Kindly use Azure Route Server + NVA/Firewall integration. This will require deploying Azure Route Server into your virtual network and peering your Azure Firewall with the Route Server over BGP.

    See https://learn.microsoft.com/en-us/azure/route-server/overview

    Alternatively, you can add a static route on your on‑prem router to the ExpressRoute peer IP, and use UDRs in Azure.

    If the response was helpful, please feel free to mark it as “Accepted Answer” and consider giving it an upvote. This also benefits others in the community.

    Regards,

    Obinna.


2 additional answers

  1. Deepanshu katara 17,255 Reputation points MVP Moderator
    2025-07-09T06:26:47.48+00:00

    Hello Noel, welcome to MS Q&A.

    Please find the suggested architecture steps:

    1. Deploy Azure Firewall or Netskope SD-WAN in a dedicated subnet.
    2. Create a UDR in Azure that sends all traffic (0.0.0.0/0) to the firewall.
    3. Use a BGP-speaking NVA (or Netskope) to advertise 0.0.0.0/0 to your on-premises router.
    4. Ensure ExpressRoute Gateway is configured to propagate routes from the NVA.
    5. On-premises router should accept the default route and prefer it for internet-bound traffic.

    Kindly check the links and image below for reference.


    Links: expressroute-faq, stackoverflow

    Please check and let us know if you have any further questions.

    Kindly accept the answer if it helps.

    Thanks

    Deepanshu

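The Route Server approach in Obinna's accepted answer and the numbered steps above, carried through as Azure CLI. This is an added example, not code from either answer or from Microsoft; it assumes a resource group rg-hub, a VNet vnet-hub already holding an ExpressRoute gateway ergw-hub on circuit er-circuit, a subnet named workload, and a BGP-capable NVA at 10.10.1.4 with ASN 65001 that originates 0.0.0.0/0 (Azure Firewall itself does not speak BGP, so the BGP peer here is the NVA).

```azurecli
# Added example (not from the thread). Names, addresses and ASN below are assumed.
RG=rg-hub; VNET=vnet-hub; LOC=australiaeast
NVA_IP=10.10.1.4; NVA_ASN=65001      # peer ASN must not be in 65515-65520 (reserved by Azure)

# 1. Route Server needs a dedicated subnet literally named RouteServerSubnet (/27 or larger)
az network vnet subnet create -g $RG --vnet-name $VNET -n RouteServerSubnet --address-prefixes 10.10.255.0/27
SUBNET_ID=$(az network vnet subnet show -g $RG --vnet-name $VNET -n RouteServerSubnet --query id -o tsv)
az network public-ip create -g $RG -n pip-rs -l $LOC --sku Standard --version IPv4

# 2. Deploy Route Server (its own ASN is always 65515) and add the NVA as a BGP peer
az network routeserver create -g $RG -n rs-hub -l $LOC --hosted-subnet $SUBNET_ID --public-ip-address pip-rs
az network routeserver peering create -g $RG --routeserver rs-hub -n nva-peer --peer-asn $NVA_ASN --peer-ip $NVA_IP

# 3. The step that is easy to miss: without branch-to-branch ("route exchange") Route Server
#    does not hand the NVA's routes to the ExpressRoute gateway, so 0.0.0.0/0 never reaches on-prem
az network routeserver update -g $RG -n rs-hub --allow-b2b-traffic true

# 4. Keep a UDR so Azure-side subnets also egress through the firewall/NVA (step 2 of the list above)
az network route-table create -g $RG -n rt-egress -l $LOC
az network route-table route create -g $RG --route-table-name rt-egress -n default-to-fw \
  --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address $NVA_IP
az network vnet subnet update -g $RG --vnet-name $VNET -n workload --route-table rt-egress

# 5. Verify at each hop: what the NVA advertised to Route Server, what the ExpressRoute gateway
#    learned, and what the circuit's private peering is advertising towards the on-prem router
az network routeserver peering list-learned-routes -g $RG --routeserver rs-hub -n nva-peer -o table
az network vnet-gateway list-learned-routes -g $RG -n ergw-hub -o table
az network express-route list-route-tables -g $RG -n er-circuit --path primary --peering-name AzurePrivatePeering -o table
```

If 0.0.0.0/0 shows up in the first query but not the second, re-check step 3; and, as Noel reports below, a VPN gateway sharing the GatewaySubnet must be active-active for Route Server to deploy alongside it.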

  2. Noel Turner 20 Reputation points
    2025-07-11T06:33:56.2566667+00:00

    Thanks for the responses. I found my issue with the route server: it looked like it had provisioned, but because my VPN gateway, which shares the gateway subnet with the ExpressRoute gateway, was in active-passive, not active-active, it hadn't deployed properly. I solved that and it worked. That said, by the time I added up the running costs of the route server and the firewall appliance, it was more cost effective to put an internet service and firewall on the DC router and run the default Microsoft peering BGP for Azure access on the ExpressRoute.
