Manage BGP Peers in Azure Virtual WAN
This guide explains how to manage Border Gateway Protocol (BGP) peers for your Azure Virtual WAN connections. BGP is essential for dynamic routing between your on-premises networks, other cloud providers, and Azure. Managing BGP peers involves configuring, monitoring, and troubleshooting your BGP sessions.
Prerequisites
- An existing Azure Virtual WAN deployment.
- A Virtual WAN Hub with a VPN gateway configured.
- On-premises VPN devices or other network devices that support BGP.
- Network connectivity established between your on-premises device and the Virtual WAN VPN gateway.
Understanding BGP Peers in Virtual WAN
In Virtual WAN, BGP peers are established between the Virtual WAN VPN gateway and your on-premises VPN devices or other network appliances. Each peer represents a BGP connection that allows for the exchange of routing information.
Configuring BGP Peers
BGP peer configuration is typically done within the settings of your Virtual WAN VPN connection or device.
Via Azure Portal
You can configure BGP peers through the Azure portal when setting up or modifying a VPN site connection:
- Navigate to your Virtual WAN resource in the Azure portal.
- Go to the "VPN sites" section.
- Select the VPN site you want to configure BGP for.
- In the site configuration, expand the "BGP settings" section.
- Enter the Peer IP address (the IP address of your on-premises BGP router).
- Enter the ASN (Autonomous System Number) of your on-premises BGP router.
- (Optional) Configure Peer Weight if you have multiple paths.
- Save the changes.
Via Azure CLI/PowerShell
You can also manage BGP peers using Azure CLI or PowerShell for automation and scripting.
Azure CLI Example:
az network vpn-connection-shared-key update --resource-group MyResourceGroup --name MyVpnConnection --connection-key "YOUR_SHARED_KEY"
Azure PowerShell Example:
Set-AzVirtualVpnConnection -VirtualVpnConnection $vpnConnection
Monitoring BGP Peer Status
Monitoring the status of your BGP peers is crucial for ensuring routing stability. You can check the status through the Azure portal or programmatically.
Azure Portal Monitoring
- Navigate to your Virtual WAN Hub.
- Select "VPN gateways" from the left-hand menu.
- Click on the specific VPN gateway.
- Under the "Connections" tab, you will see a list of connections. The "BGP Status" column will indicate if the peer is "Connected" or "Not Connected".
- For more detailed information, select a specific connection and look for BGP peering details.
Azure CLI/PowerShell Monitoring
You can retrieve BGP peer status using the following commands:
Azure CLI:
az network vpn-connection show --resource-group MyResourceGroup --name MyVpnConnection --query "{Name:name, BGPStatus:connectionStatus}"
Azure PowerShell:
Get-AzVirtualVpnConnection -ResourceGroupName MyResourceGroup -Name MyVpnConnection | Select-Object Name, ConnectionStatus
Troubleshooting BGP Peer Issues
If your BGP peers are not establishing or maintaining a connection, consider the following troubleshooting steps:
- Verify IP Addresses and ASNs: Double-check that the configured peer IP address and ASN match exactly on both ends of the connection.
- Firewall Rules: Ensure that any firewalls (on-premises or in Azure) are not blocking BGP traffic (TCP port 179).
- Network Connectivity: Confirm that basic IP connectivity exists between the VPN gateway and your on-premises BGP peer. Try pinging the peer IP address.
- BGP Configuration: Review your on-premises BGP configuration for any errors, such as incorrect neighbor statements or authentication issues.
- Virtual WAN Diagnostic Logs: Utilize Azure Network Watcher and Virtual WAN diagnostic logs to gain insights into connection attempts and BGP messages.
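The first troubleshooting step, checking that peer IP addresses and ASNs match on both ends, can be scripted as a cross-check of the two configurations. This is an added example, not code from the original page or from Azure; the dictionary field names and all sample values are constructed assumptions, not an Azure API schema.

```python
import ipaddress

# Constructed sample values; field names are assumptions, not an Azure schema.
AZURE_SIDE = {  # settings held on the Virtual WAN side
    "site_peer_ip": "10.10.0.1",    # Peer IP entered for the on-premises router
    "site_asn": 65010,              # ASN entered for the on-premises router
    "gateway_bgp_ip": "10.1.0.12",  # BGP address of the VPN gateway
    "gateway_asn": 65515,           # ASN of the VPN gateway
}
ONPREM_SIDE = {  # settings held on the on-premises router
    "local_bgp_ip": "10.10.0.1",
    "local_asn": 65001,             # deliberate mismatch with site_asn
    "neighbor_ip": "10.1.0.12",
    "neighbor_remote_as": 65515,
}

def parse_ip(value):
    return ipaddress.ip_address(str(value).strip())

def parse_asn(value):
    asn = int(str(value).strip())
    if not 1 <= asn <= 4294967295:  # 32-bit ASN space, 0 excluded
        raise ValueError(f"ASN out of range: {asn}")
    return asn

def find_mismatches(azure, onprem):
    """Compare what each end believes about itself and about its peer."""
    checks = [
        ("peer IP", parse_ip, azure["site_peer_ip"], onprem["local_bgp_ip"]),
        ("peer ASN", parse_asn, azure["site_asn"], onprem["local_asn"]),
        ("gateway IP", parse_ip, azure["gateway_bgp_ip"], onprem["neighbor_ip"]),
        ("gateway ASN", parse_asn, azure["gateway_asn"], onprem["neighbor_remote_as"]),
    ]
    problems = []
    for label, parse, azure_value, onprem_value in checks:
        try:
            a, b = parse(azure_value), parse(onprem_value)
        except ValueError as exc:
            # A malformed value is reported instead of being compared as text.
            problems.append(f"{label}: invalid value ({exc})")
            continue
        if a != b:
            problems.append(f"{label}: Azure has {a}, on-premises has {b}")
    return problems

if __name__ == "__main__":
    for line in find_mismatches(AZURE_SIDE, ONPREM_SIDE) or ["no mismatches"]:
        print(line)
```

Values are parsed before comparison, so stray whitespace or a number stored as a string does not raise a false mismatch, while a malformed address is reported as invalid.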
Managing BGP Routes
Once BGP peers are established, Virtual WAN dynamically exchanges routes. You can view the learned routes for your VPN connections:
- Navigate to your Virtual WAN Hub.
- Select "VPN gateways".
- Click on the VPN gateway.
- Under the "Connections" tab, select a connection.
- You will see sections for "Ingress routes" and "Egress routes" that provide information about the routes being learned and advertised.
Next Steps
After successfully managing your BGP peers, consider exploring other aspects of Azure Virtual WAN: