You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: includes/virtual-wan-bypass-next-hop-ip-include.md
+13-6Lines changed: 13 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,20 +1,27 @@
1
1
---
2
2
author: flapinski
3
-
ms.author: ch erylmc
3
+
ms.author: flapinski
4
4
ms.date: 09/12/2025
5
5
ms.service: azure-virtual-wan
6
6
ms.topic: include
7
7
8
8
#This include is used in multiple articles. Before modifying, verify that any changes apply to all articles that use this include.
9
9
---
10
+
Virtual Network connections to Virtual WAN hubs have a configurable property named **VNetLocalRouteOverrideCriteria** (**Bypass Next Hop IP for workloads within this VNet** in Azure Portal).
10
11
11
-
When connecting spoke virtual networks (VNets) to Virtual WAN Hubs, you can enable Bypass Next Hop IP via a toggle in the Azure portal. For users configuring connections via other methods, set the parameter LocalVNETBypassCriteria = equals (instead of LocalVNETBypassCriteria = contains) to apply this behavior for workloads within a spoke VNet.
12
+
This property defines how traffic is routed to workloads deployed in a Virtual WAN spoke VNET when a static route is configured on the Virtual WAN spoke Virtual Network connection and **the Virtual Network address space is a subnet within the static route**.
12
13
13
-
This feature controls how traffic destined for the spoke’s address range behaves in relation to static routes configured on the connection.
14
+
-**Disabled (default)**: All traffic matching static route ranges gets redirected through the next hop, even within the spoke VNet itself
15
+
-**Enabled**: Traffic to IPs within the spoke's address space bypasses static routes and goes directly to target, while other traffic follows configured routing
16
+
17
+
You can enable this feature via the following steps:
18
+
-**Portal**: Set **Bypass Next Hop IP for workloads within this VNet** to **Yes** when creating VNet connection (default is **No**)
19
+
-**API/CLI/PowerShell**: Set `vnetLocalRouteOverrideCriteria = "equals"` (default is `"contains"`)
14
20
15
21
> [!NOTE]
16
22
> This feature can only be configured during the creation of a VNet connection. To enable it on an existing connection, you must delete and recreate the VNet connection.
17
23
>
24
+
18
25
### Design Scenario
19
26
You’ve set up a Virtual WAN Hub connected to two spokes:
20
27
@@ -27,8 +34,8 @@ A static route is configured on NVAConn to ensure that any traffic destined for
27
34
28
35
:::image type="content" source="../articles/virtual-wan/media/virtual-wan-bypass-next-hop-ip-include/static-route-bypass-next-hop-ip.png" alt-text="Screenshot that shows aforementioned static route.":::
29
36
30
-
### Traffic behavior with Bypass Next Hop IP disabled
31
-
If **Bypass Next Hop IP is disabled/LocalVNETBypassCriteria = contains**, then:
37
+
### Traffic behavior with VNetLocalRouteOverrideCriteria disabled
38
+
If **Bypass Next Hop IP for workloads within this VNet is disabled/vnetLocalRouteOverrideCriteria = contains**, then:
32
39
- Traffic from the direct spoke to a VM in the NVA spoke (e.g., 10.2.0.2) will be redirected by the static route to the load balancer (10.2.0.1). This may result in routing to an unintended VM instance (e.g., traffic intended for 10.2.0.3 is routed to 10.2.0.2 instead; path may vary based on load balancer hashing).
33
40
-**Intended traffic flow**: blue line
34
41
-**Actual traffic flow**: red line
@@ -40,7 +47,7 @@ If **Bypass Next Hop IP is disabled/LocalVNETBypassCriteria = contains**, then:
40
47
:::image type="content" source="../articles/virtual-wan/media/virtual-wan-bypass-next-hop-ip-include/disabled-broader-static-route-bypass-next-hop-ip.png" alt-text="Screenshot shows diagram of traffic flow when Bypass Next Hop IP is disabled and the traffic is not sent to a range within the spoke.":::
41
48
42
49
### Traffic Behavior With Bypass Next Hop IP Enabled
43
-
If **Bypass Next Hop IP is enabled or LocalVNETBypassCriteria = equals**:
50
+
If **Bypass Next Hop IP for workloads within this VNet is enabled/vnetLocalRouteOverrideCriteria = equals**:
44
51
- Traffic destined for an address within the NVA spoke’s prefix bypasses the static route and goes directly to the target VM (e.g., 10.2.0.3).
45
52
-**Traffic flow**: blue line from 10.0.0.1 to 10.2.0.3
46
53
- Traffic targeting an address outside the NVA spoke’s prefix (but still within the static route’s range), such as 10.2.1.1 in the indirect spoke, continues to follow the static route and is sent to the load balancer.
0 commit comments