Azure Virtual WAN Documentation

How to Configure ExpressRoute Traffic with Virtual WAN BGP

This guide shows how to configure Azure Virtual WAN to route ExpressRoute traffic using Border Gateway Protocol (BGP).

Prerequisites

  • An existing Azure Virtual WAN hub.
  • An established ExpressRoute circuit connected to your Virtual WAN hub.
  • The ExpressRoute circuit provider must support BGP peering.
  • Familiarity with BGP concepts and IP routing.

Understanding BGP in Virtual WAN

In Azure Virtual WAN, BGP is used to dynamically exchange routing information between your on-premises network (via ExpressRoute) and the Virtual WAN hub. This allows for automated route propagation and efficient traffic management.

Step 1: Configure ExpressRoute Gateway in Virtual WAN Hub

Ensure your Virtual WAN hub has an ExpressRoute gateway configured. If not, you'll need to create one through the Azure portal or Azure CLI.

Azure Portal:

  1. Navigate to your Virtual WAN resource.
  2. Under "Connectivity," select "Virtual hub."
  3. Click on the hub you want to configure.
  4. In the hub's menu, select "ExpressRoute."
  5. Click "+ Add ExpressRoute gateway."
  6. Configure the gateway settings (e.g., name, capacity, scale units) and click "Create."

Step 2: Configure BGP Peering on ExpressRoute Circuit

This step is typically performed in conjunction with your ExpressRoute provider. You'll need to exchange BGP information, including Autonomous System Numbers (ASNs) and IP addresses, to establish the peering connection.

Key BGP parameters to consider:

  • Local ASN: The ASN of your Virtual WAN hub's ExpressRoute gateway (this is assigned by Azure, usually 65515).
  • Peer ASN: The ASN of your on-premises network's edge router.
  • BGP Peer IP Address: The private IP address on your on-premises edge router that will peer with the ExpressRoute gateway.
  • Microsoft Peering IP Address: The private IP address assigned to the ExpressRoute gateway for Microsoft peering.

Your ExpressRoute provider will guide you on how to configure your side of the BGP peering using these details.

Step 3: Configure Route Tables and Route Distribution

Virtual WAN uses route tables to control traffic flow. You can influence how routes learned via BGP from ExpressRoute are propagated to other connections (like VPNs or other VNets).

Default Route Table Behavior:

By default, routes learned from the ExpressRoute gateway are associated with the hub's default route table. This table is then propagated to connected VNets and VPN sites.

Custom Route Tables and Route Propagation:

For more granular control, you can create custom route tables and configure route propagation:

  1. Navigate to your Virtual WAN hub.
  2. Under "Routing," select "Route tables."
  3. Create a new route table if needed.
  4. Select the route table you want to configure.
  5. Under "Connections," associate the connections (e.g., ExpressRoute circuit) that should propagate routes *to* this route table.
  6. Under "Labels," associate the labels of connections (e.g., VNets, VPN sites) that should *receive* routes *from* this route table.

Step 4: Advertising Routes to ExpressRoute

You need to ensure your on-premises network advertises the necessary routes to the Virtual WAN hub via BGP. This is configured on your on-premises edge router.

Common Configuration:

  • Configure your on-premises edge router to peer with the ExpressRoute gateway using the agreed-upon ASNs and IP addresses.
  • Advertise your on-premises network prefixes (e.g., your private IP address ranges) to the ExpressRoute gateway via BGP.

Example (Conceptual - router-specific commands will vary):


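! Values in <angle brackets> are placeholders; substitute your own.
configure terminal
router bgp <on-premises-asn>
 ! Peer with the ExpressRoute gateway (ASN 65515, as noted in Step 2)
 neighbor <expressroute-gateway-peer-ip> remote-as 65515
 neighbor <expressroute-gateway-peer-ip> update-source <source-interface>
 !
 address-family ipv4 unicast
  ! Advertise an on-premises prefix to the gateway
  network <on-premises-prefix> mask <subnet-mask>
  neighbor <expressroute-gateway-peer-ip> activate
 exit-address-family
!
end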

Step 5: Verifying BGP Status and Routes

After configuration, it's crucial to verify the BGP peering status and the routes being exchanged.

Verifying BGP Status:

In the Azure portal, navigate to your Virtual WAN hub -> ExpressRoute gateway. You should see the BGP peering status as "Established."

You can also use CLI commands:


# List the ExpressRoute gateways in the resource group that holds the Virtual WAN hub.
az network express-route gateway list --resource-group <resource-group>
# Further commands might be needed for detailed peering status, often found under the hub's ExpressRoute section.

Verifying Routes:

In Virtual WAN Hub (Azure Portal):

  1. Navigate to your Virtual WAN hub.
  2. Under "Routing," select "Route tables."
  3. Select the relevant route table (e.g., Default) and view the "Routes" tab. You should see routes learned from your ExpressRoute connection.

On your On-Premises Router:

Use your router's native commands to check BGP neighbor status and the routes received from Azure.

Important Note: Ensure that the IP prefixes you advertise from your on-premises network do not overlap with Azure's internal address spaces.

Common Scenarios and Considerations

  • High Availability: Configure redundant ExpressRoute circuits and BGP peering to ensure continuous connectivity.
  • Route Summarization: Use route summarization on your on-premises router to reduce the number of routes advertised to the Virtual WAN hub, improving BGP stability.
  • Route Filtering: Implement route filtering (e.g., using route maps or prefix lists) on your on-premises router to control which routes are advertised to and received from Azure.
  • Community Tags: Utilize BGP communities to tag routes and influence routing decisions within Azure.
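
Added example (not part of the original guide and not Microsoft's code): a pre-change check that applies the overlap note from Step 5 together with the route summarization and route filtering items above. The on-premises prefixes, the Azure address spaces and the prefix-list name TO-AZURE are constructed assumptions, and the output uses IOS-style prefix-list syntax, which varies by vendor.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from a real deployment).
ONPREM_PREFIXES = ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/23",
                   "192.168.50.0/24", "10.20.4.0/22"]
AZURE_SPACES = {"hub": "10.100.0.0/23", "vnet-app": "10.20.0.0/16"}


def summarize(prefixes):
    """Collapse adjacent or contained IPv4 prefixes into the smallest exact set.

    collapse_addresses only merges exact halves, so the summary never covers
    address space that was not in the input. strict=True rejects typos such
    as 10.10.1.5/24 (host bits set) instead of silently rounding them.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def audit(prefixes, azure_spaces, min_prefixlen=8):
    """Return (allowed, rejected); rejected holds (network, reason) tuples."""
    azure = {n: ipaddress.ip_network(c) for n, c in azure_spaces.items()}
    allowed, rejected = [], []
    for net in summarize(prefixes):
        clash = sorted(n for n, space in azure.items() if net.overlaps(space))
        if net.prefixlen < min_prefixlen:
            # Catches 0.0.0.0/0 and similar leaks that would attract all traffic.
            rejected.append((net, "too broad (default or near-default route)"))
        elif clash:
            rejected.append((net, "overlaps Azure space: " + ", ".join(clash)))
        else:
            allowed.append(net)
    return allowed, rejected


def prefix_list(allowed, name="TO-AZURE"):
    """Render allowed networks as IOS-style prefix-list lines (hypothetical name)."""
    return [f"ip prefix-list {name} seq {(i + 1) * 10} permit {net}"
            for i, net in enumerate(allowed)]


if __name__ == "__main__":
    ok, bad = audit(ONPREM_PREFIXES, AZURE_SPACES)
    for line in prefix_list(ok):
        print(line)
    for net, why in bad:
        print(f"REJECT {net}: {why}")
```

Because a prefix list ends with an implicit deny, anything the audit rejects stays out of the advertisement unless someone adds it deliberately.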

Troubleshooting BGP Issues

  • Verify BGP configurations on both Azure and your on-premises edge devices.
  • Check for IP address conflicts.
  • Ensure firewalls are not blocking BGP traffic (TCP port 179).
  • Confirm that the correct ASNs and IP addresses are used.
  • Review logs on your on-premises router for BGP negotiation errors.

By following these steps, you can successfully configure ExpressRoute traffic with Azure Virtual WAN using BGP for robust and automated network routing.