BGP Concepts in Azure Virtual WAN
Border Gateway Protocol (BGP) is a crucial routing protocol used in Azure Virtual WAN to enable dynamic route exchange between your on-premises networks, other Azure virtual networks, and the internet. Understanding BGP is essential for effectively managing connectivity and traffic flow within your Virtual WAN.
What is BGP?
BGP is an exterior gateway protocol (EGP) used by routers on the internet to exchange routing and reachability information. It's a path-vector routing protocol, meaning it determines the best path based on a series of attributes advertised by routers. In the context of Virtual WAN, BGP is used to automatically learn and advertise routes between different network segments.
BGP in Virtual WAN
Virtual WAN uses BGP to simplify and automate the routing process. When you connect your branch sites (via VPN or ExpressRoute) or your Azure virtual networks to a Virtual WAN hub, BGP establishes peering sessions between the Virtual WAN hub's routers and your edge devices or virtual network gateways. This allows for:
- Dynamic Route Learning: Automatically learn routes from connected sites and VNets without manual configuration.
- Route Advertisement: Advertise routes from your on-premises networks or VNets to the Virtual WAN hub, which then propagates them to other connected resources.
- Scalability: Handle a large number of routes and connections efficiently.
- Resilience: Facilitate automatic failover and optimal path selection in case of network disruptions.
 
Key BGP Concepts
Autonomous System (AS) Number
An AS number is a unique number assigned to an autonomous system. In Virtual WAN, the hub itself has its own AS number, either one you configure or a default. Your on-premises VPN devices or ExpressRoute circuits will also have their own AS numbers.
BGP Peers
A BGP peer is a router with which a BGP speaker shares routing information. In Virtual WAN:
- VPN Site to Virtual WAN Hub: BGP peers are established between your on-premises VPN device and the Virtual WAN hub's VPN gateway.
- ExpressRoute Circuit to Virtual WAN Hub: BGP peers are established between your ExpressRoute circuit's edge router and the Virtual WAN hub's ExpressRoute gateway.
- Virtual Network Connection to Virtual WAN Hub: The VNet's virtual network gateway (or VNet's connection to the hub) acts as a BGP peer.
BGP Attributes
BGP routers use various attributes to determine the best path to a destination. Some common attributes include:
- AS_PATH: The list of AS numbers that a route has traversed.
- NEXT_HOP: The IP address of the next router to which a packet should be sent.
- LOCAL_PREF: Used within an AS to prefer one exit point over another.
- MED (Multi-Exit Discriminator): Used to influence how external routers select paths into an AS.
Route Propagation and Filtering
Virtual WAN allows you to control which routes are propagated between different connections using BGP. This is crucial for maintaining route hygiene and preventing routing loops.
- Route Propagation: Routes learned from one connection (e.g., a VPN site) can be advertised to other connections (e.g., other VPN sites or ExpressRoute circuits) via the Virtual WAN hub.
- Route Filtering: You can use route filters to prevent specific routes from being advertised or learned, ensuring that only desired routes are exchanged.
BGP Configuration in Virtual WAN
When configuring connections to your Virtual WAN hub:
- Site-to-Site VPN: You'll configure BGP settings on your on-premises VPN device, including its AS number and the IP address for the BGP peer (typically the tunnel interface IP). The Virtual WAN hub will automatically provide its BGP details.
- ExpressRoute: You'll configure BGP on your ExpressRoute circuit, ensuring your peering router's AS number is correctly set and that it exchanges routes with the Virtual WAN ExpressRoute gateway.
- VNet Connection: When connecting a VNet to the hub, you can optionally enable BGP to exchange routes dynamically.
Default AS Numbers
Azure Virtual WAN hubs use specific default AS numbers:
- VPN Gateway: 65515
- ExpressRoute Gateway: 65500
While these are defaults, you can often override the AS number for your VPN sites' BGP peers. It is recommended to use unique AS numbers for your on-premises networks to avoid conflicts.
Troubleshooting BGP
Common BGP issues can include:
- BGP Peering Issues: Verify IP connectivity, AS numbers, and firewall rules.
- Route Advertisement/Learning Problems: Check BGP route filters and ensure routes are being advertised correctly from both ends.
- Routing Loops: Check the AS path attributes on the affected routes and avoid reusing AS numbers in a way that creates loops.
Azure Network Watcher tools can be invaluable for diagnosing BGP connectivity and route propagation issues within Virtual WAN.
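The AS number reuse problem described under Default AS Numbers and Troubleshooting BGP can be checked before deployment. The following is an added example, not Microsoft's code: it audits a site ASN plan against the hub defaults listed on this page and applies standard eBGP loop prevention (a speaker discards any route whose AS_PATH already contains its own ASN) to show which prefixes a site would silently lose. The site names, ASNs and prefixes are constructed sample values, and the function names are hypothetical.

```python
"""Audit a site ASN plan and show how ASN reuse trips BGP loop prevention."""
from collections import defaultdict

# Default hub ASNs as listed on this page.
HUB_DEFAULT_ASNS = {"VPN Gateway": 65515, "ExpressRoute Gateway": 65500}

# Constructed sample plan: site name -> on-premises ASN (hypothetical values).
SITES = {
    "branch-nyc": 65010,
    "branch-lon": 65010,   # reuses branch-nyc's ASN
    "branch-sgp": 65515,   # same as the hub VPN gateway default
    "branch-syd": 65020,
}

# Constructed routes as branch-lon would receive them from the hub:
# (prefix, AS_PATH), with the hub's ASN first and the originating site's ASN last.
ROUTES_TO_LON = [
    ("10.10.0.0/16", [65515, 65010]),  # originated by branch-nyc
    ("10.20.0.0/16", [65515, 65020]),  # originated by branch-syd
    ("10.0.0.0/16", [65515]),          # originated behind the hub
]


def audit_site_asns(sites, reserved=HUB_DEFAULT_ASNS):
    """Return findings for ASNs that collide with the hub or with each other."""
    findings = []
    by_asn = defaultdict(list)
    for name, asn in sites.items():
        by_asn[asn].append(name)
        for role, hub_asn in reserved.items():
            if asn == hub_asn:
                findings.append(f"{name}: ASN {asn} collides with hub {role} default")
    for asn, names in sorted(by_asn.items()):
        if len(names) > 1:
            findings.append(f"ASN {asn} reused by sites: {', '.join(sorted(names))}")
    return findings


def dropped_by_loop_check(routes, local_asn):
    """Return prefixes a speaker in local_asn discards under eBGP loop prevention."""
    return [prefix for prefix, as_path in routes if local_asn in as_path]


if __name__ == "__main__":
    for finding in audit_site_asns(SITES):
        print("PLAN:", finding)
    for prefix in dropped_by_loop_check(ROUTES_TO_LON, SITES["branch-lon"]):
        print("branch-lon would discard", prefix)
```

In the sample, branch-lon never learns branch-nyc's prefix even though the peering session is up, which is why this kind of fault shows up as a route learning problem rather than a peering failure.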