This chapter covers Azure Route Server, a fully managed service that enables dynamic route exchange between network virtual appliances (NVAs) and virtual networks (VNets) using BGP. Understanding Route Server is critical for the AZ-104 exam, as it appears in approximately 5–10% of networking questions, often in scenarios involving hybrid connectivity, NVA high availability, or hub-and-spoke topologies. You will learn the internal mechanism, configuration steps, and key exam traps to avoid.
Jump to a section
Imagine a corporate campus with multiple buildings, each having its own internal phone system and a local operator. The buildings are connected by a central switchboard (the Azure backbone), but operators in different buildings cannot directly exchange directory updates—they only know their own extensions. Azure Route Server acts like a dedicated BGP hub operator sitting at the switchboard. Each building's operator (your NVA or on-premises router) establishes a BGP session with this hub operator, advertising all internal extensions (routes). The hub operator does not forward calls itself; it simply collects and redistributes the directory information to every connected operator. If Building A announces a new extension, the hub operator instantly pushes that update to all other buildings. The hub operator never modifies or filters the directory—it passes everything exactly as received. This eliminates the need for each building operator to peer directly with every other building, which would create a mesh of hundreds of sessions. Instead, each building only maintains a single BGP session to the hub, and the hub handles redistribution. The hub operator also maintains a log of all active sessions and automatically removes a building's directory if that building's line goes silent for a configured interval (BGP hold timer).
What is Azure Route Server and Why Does It Exist?
Azure Route Server is a fully managed, regional service that simplifies dynamic routing between your network virtual appliances (NVAs) and your virtual networks (VNets) using the Border Gateway Protocol (BGP). Before Route Server, to enable an NVA (like a firewall or SD-WAN appliance) to exchange routes with Azure’s infrastructure, you had to either:
Configure user-defined routes (UDRs) with static next-hop IPs pointing to the NVA, which required manual updates and didn’t adapt to failures.
Establish a complex mesh of BGP peering between the NVA and every spoke VNet’s gateway, which scaled poorly.
Route Server eliminates these pain points by acting as a BGP route reflector. It peers with your NVAs over iBGP (internal BGP) and injects the learned routes into the VNet’s routing table via Azure’s software-defined networking (SDN) controller. The key insight: Route Server does not forward data traffic—it only exchanges routing information. Data packets flow directly between NVAs and VMs without passing through Route Server.
How It Works Internally
Azure Route Server is deployed in a VNet (typically the hub VNet) and assigned a /27 subnet (minimum size). You can deploy one Route Server per VNet, and it supports up to 8 BGP peers (NVAs) per Route Server. Each NVA must be in the same VNet or a peered VNet (within the same region). The Route Server uses its own private IP addresses from the subnet to establish BGP sessions.
Step-by-step mechanism: 1. BGP Peering Establishment: Each NVA initiates a BGP TCP connection (port 179) to the Route Server’s IP. The Route Server acts as a BGP route reflector; it does not originate routes. The NVA must be configured with the Route Server IP as its BGP neighbor, and both sides must use the same ASN. By default, Azure Route Server uses ASN 65515 (a private ASN). You can optionally use a custom ASN. 2. Route Advertisement: The NVA advertises its routes (e.g., on-premises prefixes, other VNet prefixes) to the Route Server via BGP UPDATE messages. The Route Server accepts these routes and stores them in its routing table. 3. Route Reflection: The Route Server reflects the received routes to all other BGP peers (other NVAs) and also programs them into the VNet’s effective routes. This is done via the Azure SDN controller, which updates the route tables of all VMs in the VNet (and peered VNets if configured). 4. Route Withdrawal: If a BGP session goes down (e.g., NVA failure, hold timer expiry), the Route Server removes all routes learned from that peer and updates the VNet’s routes accordingly. The default BGP hold timer is 90 seconds (configurable).
Key Components, Values, Defaults, and Timers
Subnet Requirement: A dedicated subnet named RouteServerSubnet with a minimum /27 prefix (e.g., 10.0.1.0/27). Azure reserves 5 IPs in this subnet.
BGP ASN: Default is 65515 (Azure’s private ASN). You can use a custom ASN in the range 64512-65534 (private) or public ASN if you own it.
BGP Peering: Supports up to 8 peers per Route Server. Each peer must be an NVA or a router running BGP.
BGP Hold Timer: Default 90 seconds. Configurable between 0 and 3600 seconds. If set to 0, keepalives are disabled (not recommended).
BGP Keepalive Interval: Default 30 seconds (one-third of hold timer).
Route Propagation: By default, Route Server propagates routes to all VNets peered with the hub VNet (if Use Remote Virtual Network Gateway is not set on the peering). You can disable this per peering.
Route Server IPs: Two IP addresses from the subnet (active/active mode). Both must be reachable from NVAs.
Configuration and Verification Commands
To deploy Azure Route Server via Azure CLI:
# Create a resource group
az group create --name myRG --location eastus
# Create a VNet and subnet for Route Server
az network vnet create --name myVNet -g myRG --location eastus --address-prefix 10.0.0.0/16
az network vnet subnet create --name RouteServerSubnet -g myRG --vnet-name myVNet --address-prefix 10.0.1.0/27
# Create the Route Server
az network routeserver create --name myRouteServer -g myRG --hosted-subnet /subscriptions/.../subnets/RouteServerSubnet --public-ip-address myRouteServerPIP
# Add a BGP peer (NVA)
az network routeserver peering create --name myNVA1 -g myRG --routeserver myRouteServer --peer-ip 10.0.2.4 --peer-asn 65001
# Verify BGP peers
az network routeserver peering list -g myRG --routeserver myRouteServer
# View effective routes on a VM
az network nic show-effective-route-table -g myRG -n myVMNicInteraction with Related Technologies
Azure VPN Gateway: Route Server can exchange routes with VPN Gateway via BGP, enabling dynamic routing between on-premises and NVAs. However, Route Server does not directly peer with VPN Gateway; instead, the NVA peers with both.
Azure Firewall: When using Azure Firewall in a hub VNet, you can deploy Route Server to propagate routes from NVAs to spokes. Azure Firewall itself cannot be a BGP peer of Route Server (it does not support BGP).
ExpressRoute: Route Server can integrate with ExpressRoute Gateway through NVAs that are BGP-peered with both. The NVA learns on-premises routes from ExpressRoute and advertises them to Route Server.
User-Defined Routes: You can still use UDRs to override routes learned from Route Server. Route Server’s routes are added as effective routes but can be overridden by UDRs with a lower (more specific) prefix or higher priority.
Performance and Scale
Each Route Server instance can handle up to 10,000 routes from all peers combined.
BGP updates are processed within seconds; convergence time is typically under 30 seconds.
Route Server is zonal (deployed across availability zones) for high availability. If one instance fails, the other takes over transparently.
Deploy Route Server Subnet
Create a dedicated subnet named `RouteServerSubnet` within the hub VNet. The subnet must be at least /27 to accommodate the Route Server's IP addresses and Azure reserved IPs. Azure reserves five IPs in this subnet (network address, gateway, two Azure DNS, and broadcast). For example, a /27 subnet (32 IPs) yields 27 usable IPs. The subnet cannot have any other resources (VMs, NVAs) deployed in it. This step is critical because if the subnet is too small or misnamed, the deployment fails.
Create Route Server Resource
Using the Azure portal, CLI, or PowerShell, create the Route Server resource. You must specify the resource group, region (must match the hub VNet), the RouteServerSubnet ID, and a public IP (Standard SKU, static) for management. The public IP is used for BGP peering with NVAs outside Azure (if needed) but for internal NVAs, the private IPs are used. The Route Server is automatically provisioned with two VM instances for high availability, each assigned a private IP from the subnet.
Configure BGP Peering with NVAs
Add each NVA as a BGP peer on the Route Server. For each peer, provide the NVA's private IP (must be reachable from the Route Server subnet) and the NVA's ASN (must be different from the Route Server's ASN unless using allowas-in). The Route Server supports up to 8 peers. On the NVA side, configure BGP neighbor pointing to both Route Server private IPs. Use the same ASN as the Route Server (65515 by default) or a custom ASN. Ensure TCP port 179 is open on the NVA's network security group (NSG).
Verify BGP Session Establishment
After configuration, the BGP sessions should transition to the Established state. Use `az network routeserver peering list` to check the status. Each peer should show a state of 'Connected'. If the session is stuck in 'Idle' or 'Active', check connectivity (ping from NVA to Route Server IPs), ASN mismatch, or NSG rules blocking port 179. The default BGP hold timer is 90 seconds; if no keepalive is received within that period, the session drops.
Propagate Routes to VNets
Once BGP sessions are up, the Route Server automatically injects the learned routes into the effective routes of all VMs in the hub VNet and any peered VNets (if 'Use Remote Virtual Network Gateway' is disabled on the peering). You do not need to configure anything extra. To verify, check the effective route table of a VM in a spoke VNet: you should see the routes advertised by the NVA with next-hop type 'VirtualNetworkGateway' (actually the Route Server). If routes do not appear, check VNet peering settings and ensure 'Allow gateway transit' is enabled on the hub VNet.
Scenario 1: NVA High Availability with Active/Active Firewalls
A large enterprise deploys two Palo Alto Networks NVAs in an active/active configuration in the hub VNet to inspect traffic between on-premises and Azure. Each NVA advertises the same on-premises prefixes (e.g., 10.0.0.0/8) with different BGP attributes (e.g., MED, AS path). Azure Route Server peers with both NVAs and reflects both routes to the spoke VNets. The VMs in spokes now have two equal-cost paths to on-premises. Azure’s SDN controller performs ECMP (Equal-Cost Multi-Path) routing, distributing traffic across both NVAs. If one NVA fails, its BGP session drops, and Route Server withdraws its routes within 90 seconds (hold timer). Traffic seamlessly shifts to the surviving NVA. In production, we set the BGP hold timer to 30 seconds for faster convergence. One common misconfiguration: forgetting to enable IP forwarding on the NVA's NICs, which prevents the NVA from forwarding traffic between subnets.
Scenario 2: SD-WAN Integration with Multiple Branches
A retail company uses Cisco SD-WAN appliances in Azure to connect hundreds of branch offices. Each SD-WAN appliance establishes a BGP session with Azure Route Server and advertises the branch office prefixes (e.g., each /24). Route Server propagates these routes to all spoke VNets hosting application VMs. This eliminates the need for static UDRs per branch. In production, we observed that Route Server can handle up to 10,000 routes, which is sufficient for most enterprises. However, if the SD-WAN appliance advertises too many routes (e.g., /32 host routes), the route table can become bloated. We use route filtering on the NVA to advertise only summary prefixes. A common pitfall: the SD-WAN appliance and Route Server must use the same BGP ASN (or the NVA must have allowas-in enabled) to avoid AS path loop prevention dropping routes.
Scenario 3: Hybrid Connectivity with ExpressRoute and VPN Backup
A financial services firm has an ExpressRoute circuit for primary connectivity and a VPN gateway as backup. They deploy an NVA that peers with both the ExpressRoute gateway (via BGP) and the VPN gateway (via BGP). The NVA learns on-premises routes from ExpressRoute and advertises them to Azure Route Server. Route Server propagates these routes to spoke VNets. When ExpressRoute fails, the NVA withdraws the routes, and Route Server removes them from spoke VNets. The VPN gateway continues to advertise the same prefixes, but with a higher MED, so traffic prefers ExpressRoute. This setup requires careful BGP attribute manipulation on the NVA. A common misconfiguration: the NVA advertises a default route (0.0.0.0/0) to Route Server, which then propagates it to all spokes, causing all internet-bound traffic to hairpin through the NVA, which may not be intended.
The AZ-104 exam tests Azure Route Server under objective 4.4: Configure and manage virtual networking (specifically, 'Implement advanced networking features'). Expect 1–2 questions, often scenario-based where you must choose the correct configuration or outcome.
Common Wrong Answers and Why Candidates Choose Them
'Route Server forwards data traffic' – Candidates often confuse Route Server with a VPN gateway or NVA. The exam may ask: 'What is the primary function of Azure Route Server?' The wrong answer 'Forward traffic between VNets' is tempting because it sounds like a router. The correct answer is 'Exchange routing information between NVAs and Azure via BGP.' Route Server does not process data packets.
'You must deploy Route Server in every spoke VNet' – This is false. Route Server is deployed in the hub VNet and propagates routes to peered VNets. Deploying in each spoke is unnecessary and wastes IPs.
'Route Server supports BGP communities' – While BGP communities are a standard BGP feature, Azure Route Server does not honor or set BGP communities. It passes them transparently but does not act on them. The exam may test this by asking if you can use communities to filter routes; the answer is no.
'Route Server can replace Azure Firewall' – No, Route Server is a routing service, not a security appliance. It does not inspect or filter traffic.
Specific Numbers and Terms to Memorize
Subnet name: RouteServerSubnet (exact spelling, case-insensitive).
Minimum subnet size: /27.
Maximum BGP peers: 8.
Default ASN: 65515.
Maximum routes: 10,000.
BGP hold timer default: 90 seconds.
Route Server uses iBGP (ASN same as peers? No, peers can have different ASNs; Route Server uses route reflection).
Edge Cases and Exceptions
If you peer an NVA that is in a different VNet (peered), the NVA must be in the same region. Cross-region peering is not supported.
Route Server does not support BGP multipath (ECMP) on its own; ECMP is handled by Azure SDN if multiple equal-cost routes exist.
You cannot use Route Server with Azure VPN Gateway directly; they do not peer. The NVA acts as an intermediary.
If you enable 'Use Remote Virtual Network Gateway' on a VNet peering, Route Server will not propagate routes to that peered VNet. This is a common exam trap: they ask why routes are missing, and the answer is that the peering setting blocks propagation.
How to Eliminate Wrong Answers
If the question mentions 'data plane' or 'traffic forwarding', eliminate Route Server as the answer.
If the question asks for a dynamic routing solution between NVAs and VNets without manual UDRs, Route Server is correct.
If the question mentions 'BGP route reflection', that's exactly what Route Server does.
If the answer includes a subnet size smaller than /27, it's wrong.
Azure Route Server is a control-plane service that uses BGP to exchange routes between NVAs and VNets; it does not forward data traffic.
Deploy Route Server in a dedicated /27 subnet named 'RouteServerSubnet' in the hub VNet.
Route Server supports up to 8 BGP peers and can handle up to 10,000 routes.
Default BGP ASN is 65515; default hold timer is 90 seconds.
Routes are propagated to all peered VNets unless 'Use Remote Virtual Network Gateway' is enabled on the peering.
Route Server does not support BGP communities, route filtering, or cross-region peering.
For NVA high availability, use Route Server with multiple NVAs advertising the same prefixes; ECMP is handled by Azure SDN.
Common exam trap: Route Server does not replace Azure Firewall or VPN Gateway; it complements them.
These come up on the exam all the time. Here's how to tell them apart.
Azure Route Server
Dynamic route exchange via BGP; automatically adapts to topology changes.
Supports up to 8 BGP peers and 10,000 routes.
Requires BGP-capable NVAs; no manual route entries.
Convergence time under 30 seconds; failover is automatic.
Best for complex hybrid environments with multiple NVAs.
User-Defined Routes (UDRs)
Static routes; must be manually updated when topology changes.
No inherent limit on number of routes (but limited by route table size).
Works with any NVA; no BGP required.
No automatic failover; requires manual or scripted updates.
Best for simple, static environments or as a fallback.
Azure Route Server
Designed for internal route exchange within Azure (NVAs to VNets).
Does not encrypt traffic; control-plane only.
Supports up to 8 BGP peers (NVAs).
Propagates routes to all peered VNets automatically.
No data-plane throughput limits (since it doesn't forward data).
Azure VPN Gateway (BGP)
Designed for site-to-site connectivity between on-premises and Azure.
Encrypts traffic using IPsec; data-plane and control-plane.
Supports up to 30 BGP peers (site-to-site connections).
Propagates routes only to the connected VNet; requires BGP propagation settings.
Throughput limited by gateway SKU (e.g., 1.25 Gbps for VpnGw3).
Mistake
Azure Route Server forwards data traffic between NVAs and VMs.
Correct
Route Server only exchanges routing information via BGP. Data traffic flows directly between NVAs and VMs without passing through Route Server. Route Server is a control-plane service, not a data-plane forwarder.
Mistake
You must deploy Route Server in every VNet that needs dynamic routing.
Correct
Route Server is deployed in a single VNet (typically hub) and propagates routes to all peered VNets via VNet peering. You do not need to deploy it per spoke; that would waste IP addresses and management overhead.
Mistake
Route Server can be used to connect VNets across regions.
Correct
Route Server only supports BGP peers within the same Azure region. Cross-region peering is not supported. For inter-region routing, use Azure Virtual Network Gateway (VPN or ExpressRoute) or global VNet peering with UDRs.
Mistake
Route Server supports BGP communities to filter routes.
Correct
Azure Route Server passes BGP communities transparently but does not honor or act on them. You cannot use communities to filter routes on Route Server. Filtering must be done on the NVA side.
Mistake
Route Server requires a public IP for BGP peering with NVAs in the same VNet.
Correct
The public IP is used for management and for peering with NVAs outside Azure. For NVAs in the same VNet or peered VNet, Route Server uses private IPs from its subnet. The public IP is optional for internal peering.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, Azure Route Server does not directly peer with Azure VPN Gateway. To exchange routes between them, you must use an NVA that peers with both the Route Server and the VPN Gateway. The NVA acts as a BGP route server between the two. This is a common exam scenario: they ask how to propagate on-premises routes learned via VPN to an NVA, and the answer involves peering the NVA with both the VPN gateway (via BGP) and Route Server.
The minimum subnet size is /27 (32 IPs). This provides enough IPs for the Route Server's two private IPs, Azure reserved IPs (5), and future scaling. Using a smaller subnet (e.g., /28) will cause deployment failure. The subnet must be named 'RouteServerSubnet' (exact spelling).
Azure Route Server itself does not perform ECMP; it simply reflects routes. However, if multiple NVAs advertise the same prefix with equal AS path length and MED, Azure's SDN controller will install multiple equal-cost routes in the VNet's effective route table, enabling ECMP for traffic from VMs. This is transparent to Route Server. The exam may test this by asking if Route Server supports load balancing; the correct answer is that it enables ECMP through route reflection.
Use the Azure CLI command `az network nic show-effective-route-table -g <resource-group> -n <nic-name>` to view the effective routes on a VM's NIC. Look for routes with next-hop type 'VirtualNetworkGateway' (this indicates routes injected by Route Server). You can also check the Route Server's learned routes using `az network routeserver peering list-learned-routes -g <rg> --routeserver <name> --peering <peer-name>`. The exam may ask you to troubleshoot missing routes; the first step is to check VNet peering settings.
Azure Firewall does not support BGP, so it cannot be a direct peer of Route Server. However, you can deploy an NVA that peers with Route Server and forwards traffic to Azure Firewall. Alternatively, you can use Route Server to propagate routes from other NVAs while using Azure Firewall for traffic inspection. The exam may present a scenario where you need to choose between Route Server and UDRs for routing through Azure Firewall; typically, UDRs are used because Azure Firewall doesn't support BGP.
When the BGP session drops (due to hold timer expiry or TCP reset), Route Server immediately withdraws all routes learned from that peer. The routes are removed from the effective route tables of all VNets. The default hold timer is 90 seconds, meaning it takes up to 90 seconds for Route Server to detect the failure if keepalives stop. You can reduce this by configuring a lower hold timer on both the NVA and Route Server (via BGP configuration on the NVA; Route Server uses the peer's hold timer).
Yes, you can specify a custom ASN when creating the Route Server (using Azure CLI or PowerShell). The allowed range for private ASNs is 64512-65534. If you use a public ASN, you must own it. The default ASN is 65515. If your NVAs use the same ASN as Route Server, you must enable 'allowas-in' on the NVA to prevent BGP loop detection from dropping routes. The exam may test this by asking what to do when the ASN matches.
You've just covered Azure Route Server — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?