Azure Virtual WAN Route Maps and Reflected Routes
Microsoft have made controlling routing within a Virtual WAN much easier thanks to a combination of Routing Intent and Route Maps (in preview at the time of writing). Route Maps work in the same manner (at least in theory) as the route map configurations that network administrators are used to on on-premises equipment.
In testing them out for a customer, I ran straight into a problem. I like to keep things tidy, and when I looked at the output of the outbound route map configuration for a site-to-site VPN with AWS, I didn’t like that it showed all my AWS routes being published back out to the VPN. So I configured a route map rule to drop reflected routes.
The unfortunate side effect of this was that my VPN gateways lost the capability to route to AWS. Traffic would pass through the Azure Firewall in the hub and disappear into nowhere.
So, in short, don’t configure route maps to drop reflected routes to S2S VPN gateways, as the gateways will handle that themselves. I assume the same will apply to an ExpressRoute gateway.