Routing Behavior with VNet Peering and Shared ExpressRoute Circuit

Question

Routing Behavior with VNet Peering and Shared ExpressRoute Circuit

Alex H 105

Hi, I have a question regarding routing behavior when two VNets are connected to the same ExpressRoute (ER) circuit, and VNet peering is configured with "Use remote gateway" disabled.

Topology:

VNET1 (10.1.0.0/16) ---- ER circuit (on-prem 10.3.0.0/16) ---- VNET2 (10.2.0.0/16)

My Understanding:

Without VNet peering:

Inter-VNet traffic (e.g. 10.1.0.0/16 to 10.2.0.0/16) is routed via the ER circuit - which is NOT desirable.

With VNet peering enabled and "Use remote gateway" disabled:

Inter-VNet traffic should flow directly via VNet peering, not through the ER circuit.
Each VNet continues to advertise its own address space to the ER circuit, maintaining direct on-prem connectivity and avoiding asymmetric routing.

If both VNets advertise 0.0.0.0/0 (originating from an NVA behind Route Server via BGP) to the ER circuit, then:

The ER circuit receives two 0.0.0.0/0 routes and performs ECMP to both VNets.
By assigning a higher weight to the connection to VNet1 (e.g. 50 for VNet1 vs. 0 for VNet2), on-prem Internet-bound traffic will prefer the VNet1 path.

Could you please confirm if this understadning is correct?

Reference from ExpressRoute FAQ:

Can virtual networks linked to the same ExpressRoute circuit talk to each other?

Yes. Virtual machines deployed in virtual networks connected to the same ExpressRoute circuit can communicate with each other. We recommend setting up virtual network peering to facilitate this communication.

How are virtual networks advertised on ExpressRoute private peering?

The ExpressRoute gateway advertises one or more Address Space of the Azure virtual network, which you can't include/exclude at the subnet level. It's always the virtual network address space that gets advertised. If virtual network peering is used and the peered virtual network has "Use remote gateway" enabled, the address spaces of the peered virtual network also get advertised.

Silvia Wibowo 6,056 Reputation points Microsoft Employee Volunteer Moderator

2025-07-24T03:38:17.89+00:00
Hi @Alex H ,

Without VNet peering:

Inter-VNet traffic (e.g. 10.1.0.0/16 to 10.2.0.0/16) is routed via the ER circuit - which is NOT desirable.

Correct.

With VNet peering enabled and "Use remote gateway" disabled:

Inter-VNet traffic should flow directly via VNet peering, not through the ER circuit.

Each VNet continues to advertise its own address space to the ER circuit, maintaining direct on-prem connectivity and avoiding asymmetric routing.

Correct.

If both VNets advertise 0.0.0.0/0 (originating from an NVA behind Route Server via BGP) to the ER circuit, then:

The ER circuit receives two 0.0.0.0/0 routes and performs ECMP to both VNets.

By assigning a higher weight to the connection to VNet1 (e.g. 50 for VNet1 vs. 0 for VNet2), on-prem Internet-bound traffic will prefer the VNet1 path.

NVA injects default route to Azure Route Server. Azure Route Server puts the default route to virtual network's system routes, including to all other vnets directly peered to the vnet where the Azure Route Server is located in. NVA will not inject default route to Express Route Gateway. Default route can be advertised from on-prem routers to do "forced-tunnelling", i.e. any traffic from Azure will go to on-prem, but Azure side will never advertise default route to on-prem routers.
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-07-25T02:00:57.3366667+00:00

Hello Alex H
I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Accepted answer

0 additional answers

Your answer

Silvia Wibowo 6,056 Reputation points Microsoft Employee Volunteer Moderator

2025-07-24T03:38:17.89+00:00

Hi @Alex H ,

Without VNet peering:

Inter-VNet traffic (e.g. 10.1.0.0/16 to 10.2.0.0/16) is routed via the ER circuit - which is NOT desirable.

Correct.

With VNet peering enabled and "Use remote gateway" disabled:

Inter-VNet traffic should flow directly via VNet peering, not through the ER circuit.

Each VNet continues to advertise its own address space to the ER circuit, maintaining direct on-prem connectivity and avoiding asymmetric routing.

Correct.

If both VNets advertise 0.0.0.0/0 (originating from an NVA behind Route Server via BGP) to the ER circuit, then:

The ER circuit receives two 0.0.0.0/0 routes and performs ECMP to both VNets.

By assigning a higher weight to the connection to VNet1 (e.g. 50 for VNet1 vs. 0 for VNet2), on-prem Internet-bound traffic will prefer the VNet1 path.

NVA injects default route to Azure Route Server. Azure Route Server puts the default route to virtual network's system routes, including to all other vnets directly peered to the vnet where the Azure Route Server is located in. NVA will not inject default route to Express Route Gateway. Default route can be advertised from on-prem routers to do "forced-tunnelling", i.e. any traffic from Azure will go to on-prem, but Azure side will never advertise default route to on-prem routers.
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-07-25T02:00:57.3366667+00:00

Hello Alex H
I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 1

Praveen Bandaru 6,850 Microsoft External Staff Moderator

Hello Alex H

I see you're looking to clarify how routing works between VNets connected to the same ExpressRoute circuit, particularly in relation to VNet peering and remote gateway configurations.Yes, your understanding is absolutely correct.

Without VNet peering, traffic between VNET1 and VNET2 would go through the ExpressRoute circuit to on-premises, which isn't ideal because of increased latency and costs. Without VNET peering VNET1 and VNET2 wouldn't communicate.
And your understanding of peering is also correct. With peering enabled and the remote gateway disabled, traffic between the VNets travels directly instead of being routed back through the ExpressRoute circuit, resulting in more efficient routing. But you can't communicate with VNET2 from your on-premises.
Each VNet uses its own gateway for on-premises connectivity, which helps prevent asymmetric routing and keeps traffic paths straightforward.
Regarding address space advertisement, you're spot-on. When each VNet advertises its address space to the ER circuit, it helps avoid routing issues like asymmetric routing. If both VNets advertise default routes to the ER circuit, express rote will receive two 0.0.0.0/0 routes. ECMP will be used unless weights are set.
Setting a higher BGP weight for VNET1 will direct on-premises traffic to use VNET1 for Internet bound routes. This approach is a standard and effective design for managing outbound path selection.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members

Alex H 105 Reputation points

2025-07-27T23:38:28.19+00:00

Thank you. I have a quick follow-up question regarding VNET-to-VNET traffic.

To ensure traffic between VNETs prefers VNET peering rather than routing through the ExpressRoute (ER) circuit, does the following setting need to be disabled on the ER gateway in both VNETs?

"Allow traffic from remote virtual networks"

It is currently enabled for some reason, but I would like to confirm whether it must be disabled before we create VNET peering? VNET peering will be configured with “Use remote gateway” disabled on both ends.
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-07-28T04:37:31.17+00:00

Hello Alex H
Thank you for your response. I have initiated a private message please share the required information there so we can connect and discuss on your further quires.
Alex H 105 Reputation points

2025-07-28T06:38:50.5533333+00:00
Thanks Praveen Bandaru, I have a quick follow-up question regarding VNET-to-VNET traffic.

To ensure traffic between VNETs prefers VNET peering rather than routing through the ExpressRoute (ER) circuit, does the following setting need to be disabled on the ER gateway in both VNETs?

"Advertise network routes to remote peered virtual networks" ```It is currently enabled, but I would like to confirm whether it must be disabled before we create VNET peering. VNET peering will be configured with “Use remote gateway” disabled on both ends.
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-07-28T11:03:58.01+00:00

Hello Alex H
Yes, you should disable the "Advertise network routes to remote peered virtual networks" setting on the ER gateway for both VNets.

This will make sure that VNET-to-VNET traffic uses VNET peering instead of the ER circuit. You should also disable the remote gateway option.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to "accept answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-07-29T02:44:52.2333333+00:00

Hello Alex H
I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-07-30T00:28:21.6433333+00:00

Hello Alex H

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-07-31T02:19:59.95+00:00

Hello Alex H

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Share via

Routing Behavior with VNet Peering and Shared ExpressRoute Circuit

0 additional answers

Your answer