
The same asymmetric routing problem described for AWS also exists in Azure. To reproduce it you need a VNet that is peered to the sharedservices VNet with gateway transit enabled (so the VNet learns the campus routes from the ExpressRoute gateway), plus a VM in that VNet with a public IP that you are trying to reach from campus. With those pieces in place, a campus host sends its packets to the VM's public IP over the Internet, but the VM's replies follow the ExpressRoute-learned route for the campus prefix and return over the private path. Those replies arrive at campus with the VM's private (10 space) address as the source rather than the public IP the host connected to, so the initiating host does not match them to its connection and drops them.

To get around this, create two subnets in the customer VNet, one "private" and one "public", and place the VMs that carry public IPs in the public subnet. Then create a user defined route (UDR) table and associate it with the public subnet only. The table lists every campus IP range with a next hop type of "Internet". Because Azure prefers a user defined route over a BGP-learned (ExpressRoute) or system route for the same prefix, replies to campus from the public subnet now leave through the Internet path, where the public IP is applied, and the campus host sees the source address it expects. Note that route selection is longest prefix match first, so the UDR entries must be at least as specific as the prefixes advertised over ExpressRoute.

With the UDR in place the opposite asymmetry applies. A campus system that tries to reach the 10 space (private) address of a VM on the public subnet over ExpressRoute will fail: the request arrives over the private path, but the VM's reply is sent to the Internet by the UDR and never returns the way it came. Hosts on the public subnet should therefore be reached from campus only by their public IP; hosts that must be reachable by their private address belong on the private subnet.
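The workaround above as an Azure CLI script, added here as an example and not taken from the original page: it creates the route table, adds one next-hop-Internet route for each of the Cornell campus blocks listed further down on this page, and associates the table with the public subnet. The resource group, VNet, subnet, route-table name and location are assumed placeholder values; the `az` commands are the real Azure CLI commands. When `az` is not installed, or `DRY_RUN` is set, the script prints the commands instead of running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example: build the public-subnet user defined route with the Azure CLI.
# RG, VNET, PUBLIC_SUBNET, ROUTE_TABLE and LOCATION are assumed placeholders.
set -eu

RG="${RG:-customer-rg}"                    # assumed resource group
VNET="${VNET:-customer-vnet}"              # assumed customer VNet
PUBLIC_SUBNET="${PUBLIC_SUBNET:-public}"   # subnet that hosts VMs with public IPs
ROUTE_TABLE="${ROUTE_TABLE:-public-to-campus-via-internet}"
LOCATION="${LOCATION:-eastus}"             # assumed region

# Campus prefixes (the Cornell blocks listed on this page) that the public
# subnet must reach through the Internet rather than ExpressRoute.
CAMPUS_PREFIXES="128.84.0.0/16 128.253.0.0/16 132.236.0.0/16 192.35.82.0/24 192.122.235.0/24 192.122.236.0/24"

# Print commands instead of executing them when DRY_RUN is set or az is absent.
DRY_RUN="${DRY_RUN:-}"
command -v az >/dev/null 2>&1 || DRY_RUN=1

run() {
  if [ -n "$DRY_RUN" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Derive a route name from a prefix: "128.84.0.0/16" -> "campus-128-84-0-0-16".
route_name() {
  printf 'campus-%s' "$(printf '%s' "$1" | tr './' '--')"
}

create_campus_udr() {
  run az network route-table create \
      --resource-group "$RG" --name "$ROUTE_TABLE" --location "$LOCATION"

  # One route per campus block. A UDR with next hop "Internet" overrides the
  # ExpressRoute-learned (BGP) route for the same prefix, because Azure prefers
  # user defined routes over BGP and system routes of equal prefix length.
  for prefix in $CAMPUS_PREFIXES; do
    run az network route-table route create \
        --resource-group "$RG" --route-table-name "$ROUTE_TABLE" \
        --name "$(route_name "$prefix")" \
        --address-prefix "$prefix" --next-hop-type Internet
  done

  # Associate the table with the public subnet only; the private subnet keeps
  # the default ExpressRoute path back to campus.
  run az network vnet subnet update \
      --resource-group "$RG" --vnet-name "$VNET" --name "$PUBLIC_SUBNET" \
      --route-table "$ROUTE_TABLE"
}

# Show the effective routes of a NIC on the public subnet; the campus prefixes
# should now list next hop type "Internet".
show_effective_routes() {
  run az network nic show-effective-route-table \
      --resource-group "$RG" --name "$1" --output table
}

# Usage: DRY_RUN=1 sh public-subnet-udr.sh apply   (review the commands)
#        sh public-subnet-udr.sh apply             (run them, az logged in)
if [ "${1:-}" = "apply" ]; then
  create_campus_udr
fi
```

After applying the table, run `show_effective_routes <nic-name>` for a VM in the public subnet and confirm that each campus prefix shows next hop type Internet. If ExpressRoute advertises prefixes more specific than the ones in the table, those longer prefixes still win under longest-prefix-match and the corresponding campus ranges will keep returning over the private path. Also remember that campus-bound traffic from the public subnet now arrives with the VM's public IP as its source, so any campus firewall rule that only allows the VM's 10 space address will need updating.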


IPv4 Global Address Blocks Owned and Managed by Cornell

Cornell owns and manages the following publicly routable IPv4 global address blocks:

  • 128.84.0.0/16
  • 128.253.0.0/16
  • 132.236.0.0/16
  • 192.35.82.0/24
  • 192.122.235.0/24
  • 192.122.236.0/24


Source: https://it.cornell.edu/dns/ip-addresses-and-subnets-cornell
