Azure and PVE same-subnet SAM smoke

This guide captures the validated operational shape for an Azure routerd node and an on-prem Proxmox VE routerd node that exchange selected /32 addresses with Selective Address Mobility (SAM). See the Selective Address Mobility reference for resource semantics.

Azure Side

  • Keep the Azure NIC secondary IP assigned in Azure. That provider-side object is what captures packets for the on-prem /32.
  • Do not let the Ubuntu guest OS hold the captured /32. cloud-init or netplan may auto-assign secondary NIC IPs; suppress that configuration or remove it. routerd enforces this during reconcile when the claim uses configureOSAddress: false by de-assigning the specific address from local interfaces.
  • Enable IP forwarding on the Azure NIC and in Linux (net.ipv4.ip_forward=1).

On-Prem PVE Side

  • Use proxy-arp capture on the LAN or bridge interface that sees the local same-subnet hosts.
  • Enable Linux forwarding. routerd enables ip_forward and proxy_arp for SAM through the normal sysctl path.
  • Permit forwarding between the capture interface and the WireGuard tunnel for the captured /32. SAM does not add firewall or NAT rules.
  • On cloud guest images, also check host firewall defaults before assuming the provider fabric is dropping packets. The router must accept the WireGuard UDP listen port, and it must permit forwarding between the capture interface and wg-hybrid. routerctl doctor hybrid warns on terminal iptables drop/reject patterns and missing SAM MSS clamp rules.
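The last two bullets say SAM adds no firewall rules of its own, so the operator has to permit the WireGuard listen port and the forward path for the selected /32. The fragment below is an added nftables example, not routerd's own ruleset: vmbr0 (the capture bridge), UDP port 51820 and the address 10.0.1.50 are placeholders; wg-hybrid is the tunnel interface named in this guide. It accepts only the /32 path in both directions rather than opening the whole LAN-to-tunnel forward path, and it belongs ahead of whatever terminal drop or reject the host firewall already applies.

```nft
# Added example (not part of routerd). Placeholders: vmbr0 = capture interface,
# 51820 = WireGuard listen port, 10.0.1.50 = the selected /32.
table inet sam_permit {
    chain input {
        type filter hook input priority filter;
        # The on-prem peer dials in over UDP; let the handshake and data reach the router.
        udp dport 51820 accept
    }
    chain forward {
        type filter hook forward priority filter;
        ct state established,related accept
        # Captured traffic for the /32 from the LAN into the tunnel ...
        iifname "vmbr0" oifname "wg-hybrid" ip daddr 10.0.1.50 accept
        # ... and the replies back out to the LAN. Nothing else is permitted here.
        iifname "wg-hybrid" oifname "vmbr0" ip saddr 10.0.1.50 accept
    }
}
```

Load it with nft -f and then re-run routerctl doctor hybrid; the terminal drop/reject warning should clear for this path while the MSS clamp in routerd_mss remains routerd's responsibility.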

Tunnel and Routing

  • WireGuard should dial from on-prem to the Azure public IP.
  • Set persistentKeepalive on the on-prem peer so NAT and cloud edge state stay warm.
  • Run the initial smoke without UDRs. If you add UDR fallback later, avoid a same-subnet loop where Azure routes the captured /32 back to the same router that is trying to deliver it.
  • SAM delivery lowers each claim to a /32 route over the tunnel interface; it does not change the default route.

Verification

Run:

routerctl doctor hybrid

For provider-secondary-ip with configureOSAddress: false, confirm the doctor reports the captured /32 absent from local ip addr, the delivery route points at the tunnel, and ip_forward=1. For proxy-arp, confirm proxy_arp=1, the proxy neighbor exists, the delivery route points at the tunnel, and ip_forward=1.

For low-MTU overlays, confirm doctor hybrid reports a SAM MSS clamp and nft list table inet routerd_mss contains both capture-to-tunnel and tunnel-to-capture rules for the selected /32 path.
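The two verification paragraphs above list what the doctor should report. The script below is an added example, not part of routerd or routerctl, that encodes those same checks as small shell functions. Each function takes the captured output of an ip, sysctl or nft command as an argument, so the checks can be exercised against the constructed samples embedded here and, on a live router, against real output (the command to feed is in each usage comment). The address 10.0.1.50, the interface names eth0 and vmbr0, and the shape of the routerd_mss listing are all assumptions; wg-hybrid is the tunnel name from this guide.

```shell
#!/bin/sh
# Added example, not part of routerd or routerctl: offline checks mirroring what
# the guide says 'routerctl doctor hybrid' should report. Each check takes the
# captured output of a command as an argument, so the same functions run against
# the constructed samples below or against live output on a router.
# Placeholders: 10.0.1.50 = the selected /32, eth0/vmbr0 = capture interfaces.

# Usage: check_addr_absent ADDR "$(ip -4 -o addr show)"
# provider-secondary-ip with configureOSAddress: false -> the /32 must NOT be
# held by any local interface (only the Azure NIC object should carry it).
check_addr_absent() {
  if printf '%s\n' "$2" | grep -qF "inet $1/32 "; then
    return 1
  fi
  return 0
}

# Usage: check_delivery_route ADDR TUN "$(ip route show ADDR/32)"
# The delivery route for the /32 must point at the tunnel interface.
check_delivery_route() {
  printf '%s\n' "$3" | grep -F "$1 dev $2" | grep -qE " dev $2( |$)"
}

# Usage: check_sysctl_on KEY "$(sysctl KEY)"   e.g. net.ipv4.ip_forward
check_sysctl_on() {
  printf '%s\n' "$2" | grep -qxF "$1 = 1"
}

# Usage: check_proxy_neigh ADDR CAPTURE_IF "$(ip neigh show proxy)"
check_proxy_neigh() {
  printf '%s\n' "$3" | grep -F "$1 dev $2 " | grep -q " proxy$"
}

# Usage: check_mss_clamp CAPTURE_IF TUN "$(nft list table inet routerd_mss)"
# Both capture-to-tunnel and tunnel-to-capture must carry a maxseg rule.
check_mss_clamp() {
  printf '%s\n' "$3" | grep -F "iifname \"$1\" oifname \"$2\"" | grep -q maxseg || return 1
  printf '%s\n' "$3" | grep -F "iifname \"$2\" oifname \"$1\"" | grep -q maxseg
}

# Azure side: ADDR TUN ADDR_OUT ROUTE_OUT IP_FORWARD_OUT
sam_provider_secondary_ok() {
  check_addr_absent "$1" "$3" \
    && check_delivery_route "$1" "$2" "$4" \
    && check_sysctl_on net.ipv4.ip_forward "$5"
}

# PVE side: ADDR TUN CAPTURE_IF PROXY_ARP_OUT NEIGH_OUT ROUTE_OUT IP_FORWARD_OUT
sam_proxy_arp_ok() {
  check_sysctl_on "net.ipv4.conf.$3.proxy_arp" "$4" \
    && check_proxy_neigh "$1" "$3" "$5" \
    && check_delivery_route "$1" "$2" "$6" \
    && check_sysctl_on net.ipv4.ip_forward "$7"
}

# ---- constructed samples (not captured from a real router) ----
ADDR=10.0.1.50
ADDR_OUT_OK='2: eth0    inet 10.0.1.4/24 brd 10.0.1.255 scope global eth0'
ADDR_OUT_LEAK="$ADDR_OUT_OK
2: eth0    inet 10.0.1.50/32 scope global eth0"      # netplan re-added the /32
ROUTE_OUT_OK='10.0.1.50 dev wg-hybrid scope link'
ROUTE_OUT_LOCAL='10.0.1.50 dev eth0 scope link'       # route does not use the tunnel
FWD_ON='net.ipv4.ip_forward = 1'
FWD_OFF='net.ipv4.ip_forward = 0'
PARP_ON='net.ipv4.conf.vmbr0.proxy_arp = 1'
NEIGH_OUT='10.0.1.50 dev vmbr0 proxy'
MSS_OUT='table inet routerd_mss {
	chain forward {
		type filter hook forward priority mangle; policy accept;
		iifname "vmbr0" oifname "wg-hybrid" ip daddr 10.0.1.50 tcp flags syn tcp option maxseg size set rt mtu
		iifname "wg-hybrid" oifname "vmbr0" ip saddr 10.0.1.50 tcp flags syn tcp option maxseg size set rt mtu
	}
}'
MSS_OUT_ONE_WAY='table inet routerd_mss {
	chain forward {
		iifname "vmbr0" oifname "wg-hybrid" ip daddr 10.0.1.50 tcp flags syn tcp option maxseg size set rt mtu
	}
}'

# Demonstration against the constructed samples.
if sam_provider_secondary_ok "$ADDR" wg-hybrid "$ADDR_OUT_OK" "$ROUTE_OUT_OK" "$FWD_ON"; then
  echo "azure side (provider-secondary-ip): ok"
else
  echo "azure side (provider-secondary-ip): FAIL"
fi
if sam_proxy_arp_ok "$ADDR" wg-hybrid vmbr0 "$PARP_ON" "$NEIGH_OUT" "$ROUTE_OUT_OK" "$FWD_ON"; then
  echo "pve side (proxy-arp): ok"
else
  echo "pve side (proxy-arp): FAIL"
fi
```

The negative samples are the failure modes this guide warns about: the guest OS re-claiming the /32 (ADDR_OUT_LEAK), a delivery route that does not point at the tunnel (ROUTE_OUT_LOCAL, the shape a same-subnet UDR loop would produce), forwarding left off, and an MSS clamp present in only one direction.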