BGP Routing in Azure Virtual WAN

Key Takeaway: Border Gateway Protocol (BGP) is crucial for enabling dynamic routing and efficient route propagation within Azure Virtual WAN. Understanding BGP concepts is essential for managing complex network topologies.

Introduction to BGP in Virtual WAN

Azure Virtual WAN leverages BGP to facilitate dynamic exchange of routing information between network devices. This protocol allows for automated learning and advertising of network prefixes, simplifying route management and enhancing network resilience. In the context of Virtual WAN, BGP is commonly used with VPN gateways and ExpressRoute connections to establish peerings and exchange routes with on-premises network devices and other cloud environments.

How BGP Works in Virtual WAN

When you establish a VPN connection or an ExpressRoute circuit to your Virtual WAN hub, you can configure BGP peering. This involves:

  • AS Numbers (ASN): Each BGP peer (your on-premises router, Azure VPN gateway, etc.) has an Autonomous System Number. Azure uses a private ASN (65515) for its VPN gateways and a public ASN for ExpressRoute; your on-premises devices peer using your own ASN.
  • BGP IP Addresses: You'll define the IP addresses that will be used for the BGP peering sessions. These are typically the addresses of loopback interfaces on your routers.
  • Route Advertisement: BGP peers exchange network prefixes. Your on-premises routers can advertise their local subnets to Azure, and Azure Virtual WAN can advertise connected network routes (e.g., VNet address spaces, other VPN/ExpressRoute subnets) back to your on-premises environment.
  • Route Selection: BGP has a sophisticated path selection algorithm that determines the best path to reach a destination based on various attributes (e.g., AS_PATH, NEXT_HOP, LOCAL_PREF).

Configuring BGP with VPN Gateways

To configure BGP for a site-to-site VPN connection in Virtual WAN:

  1. Navigate to your Virtual WAN hub.
  2. Go to the "VPN (Site-to-site)" section.
  3. When creating or editing a connection, under the "BGP settings" section, enable BGP and provide the necessary AS number and BGP IP address for your on-premises VPN device.
  4. Ensure your on-premises VPN device is also configured with compatible BGP settings, including the Azure VPN gateway's BGP IP address and ASN.

Example BGP Configuration Snippet (Conceptual)

This is a conceptual example and actual syntax will vary based on your device vendor (e.g., Cisco, Juniper, Fortinet).


! On-premises router configuration
router bgp 65001
  neighbor 192.168.100.1 remote-as 65515
  neighbor 192.168.100.1 update-source Loopback0
  address-family ipv4 unicast
    neighbor 192.168.100.1 activate
    ! Advertise your on-premises network
    network 10.10.0.0/16
  exit-address-family

! Azure VPN Gateway configuration (managed through Azure portal/CLI/ARM)
! You would configure the Azure-side BGP IP and ASN.
! Azure's BGP IP is typically an internal IP used for peering.
! Azure's ASN is 65515 for VPN gateways.

BGP with ExpressRoute

When connecting ExpressRoute circuits to Virtual WAN, BGP is used to exchange routes between your on-premises network and the Azure Virtual WAN hub. This typically involves:

  • Establishing a BGP peering session over the ExpressRoute circuit.
  • Your on-premises routers advertise prefixes to Azure.
  • Azure Virtual WAN advertises routes for connected VNets and other branches.
  • You can use different ASNs for your side of the peering.

Note: For ExpressRoute circuits, you will typically use your own public ASN or a private ASN if you have specific requirements. Azure's ASN for ExpressRoute is 12076.

Benefits of Using BGP in Virtual WAN

  • Automation: Eliminates the need for manual route configuration for every network segment.
  • Scalability: Easily scales to accommodate a growing number of sites and networks.
  • Resilience: Dynamically reroutes traffic in case of link failures or network changes.
  • Optimal Path Selection: Ensures traffic takes the most efficient path to its destination.
  • Integration: Seamlessly integrates with existing on-premises routing infrastructure.

Troubleshooting BGP Issues

Common BGP issues in Virtual WAN can include:

  • BGP peering not establishing: Check IP addressing, ASNs, firewall rules, and network connectivity.
  • Routes not being advertised or received: Verify route filtering, network commands, and BGP neighbor status.
  • Incorrect route selection: Analyze BGP attributes and path selection policies.

Azure provides tools within the Virtual WAN portal and Network Watcher to monitor BGP status and troubleshoot connectivity issues.
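
For the "routes not being advertised or received" case, it helps to compare what the on-premises peer actually sends against what you expect it to send. The following Python check is an added example, not part of the original page or of any Azure tooling. The ASN 65001 and prefix 10.10.0.0/16 come from the conceptual snippet above; the route records and function names are constructed for illustration.

```python
import ipaddress

# Values taken from the conceptual snippet on this page.
ONPREM_ASN = 65001
ALLOWED_PREFIXES = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample of routes learned from the on-premises peer
# (AS_PATH as received: leftmost = neighbor, rightmost = origin).
SAMPLE_ROUTES = [
    {"prefix": "10.10.0.0/16", "as_path": [65001]},
    {"prefix": "10.10.20.0/24", "as_path": [65001]},
    {"prefix": "0.0.0.0/0", "as_path": [65001]},
    {"prefix": "172.16.5.0/24", "as_path": [65001]},
    {"prefix": "10.10.30.0/24", "as_path": [65001, 64999]},
]


def audit_route(route, allowed=ALLOWED_PREFIXES, expected_asn=ONPREM_ASN):
    """Return a list of findings for one learned route (empty list = clean)."""
    findings = []
    net = ipaddress.ip_network(route["prefix"], strict=True)
    path = route["as_path"]

    if net.prefixlen == 0:
        findings.append("default route advertised")
    elif not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        findings.append("prefix outside expected on-premises ranges")

    if not path or path[0] != expected_asn:
        findings.append("first AS in path is not the configured peer ASN")
    if path and path[-1] != expected_asn:
        findings.append(f"origin AS {path[-1]} is not the on-premises ASN")
    return findings


def audit(routes):
    """Map each flagged prefix to its findings; clean routes are omitted."""
    report = {}
    for r in routes:
        f = audit_route(r)
        if f:
            report[r["prefix"]] = f
    return report


if __name__ == "__main__":
    for prefix, findings in audit(SAMPLE_ROUTES).items():
        print(prefix, "->", "; ".join(findings))
```

Flagged entries point at the route filtering to review on the on-premises device before the prefixes propagate to connected VNets and other branches.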
