BGP Support for Azure VPN Gateway
This document provides a comprehensive overview of Border Gateway Protocol (BGP) support for Azure VPN Gateway. BGP is essential for enabling dynamic routing between your on-premises networks and Azure virtual networks.
Introduction to BGP in Azure
Azure VPN Gateway supports BGP, a dynamic routing protocol that allows your network to exchange routes with Azure. This is particularly useful for complex network topologies and for establishing more robust and scalable site-to-site VPN connections.
When you enable BGP on your VPN gateway, it acts as a BGP peer to your on-premises VPN device (or another Azure VPN gateway). This enables the exchange of network reachability information, allowing for automatic route propagation and optimal path selection.
Key BGP Features and Benefits
- Dynamic Route Exchange: Automatically advertises and receives routes from connected networks.
- Scalability: Supports larger and more complex network configurations than static routing.
- Resilience: Enables automatic failover and optimal path selection in case of network changes.
- Route Aggregation: Your on-premises device can advertise summarized prefixes instead of every individual subnet, keeping the gateway's and VNet's route tables small.
- High Availability: Facilitates seamless failover between active/active VPN gateways.
BGP Attributes
BGP uses several attributes to determine the best path. Key attributes include:
- AS Path: The sequence of Autonomous System (AS) numbers that a route has traversed.
- Next Hop: The IP address of the next router to reach the destination.
- Local Preference: Used within an AS to prefer one exit point over another.
- MED (Multi-Exit Discriminator): Used between ASes to influence the ingress path.
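The decision order in which these attributes are consulted is easiest to see in code. The block below is an added example, not part of the Azure documentation: it implements the standard comparison (higher Local Preference, then shorter AS Path, then lower MED, with MED only compared between routes that arrived from the same neighbouring AS) and applies it to a constructed case that matters for Azure VPN: an on-premises site advertising the same prefix over two tunnels and prepending its ASN on one of them so that the other is preferred. The prefix, next hops and ASN 65500 are placeholders.

```python
# Added example (not from the Azure documentation): BGP best-path selection over
# the attributes listed above, applied to two tunnels from one on-premises site.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    as_path: tuple         # leftmost entry is the neighbouring AS the route came from
    local_pref: int = 100  # only meaningful inside one AS
    med: int = 0           # set by the neighbouring AS to steer traffic into it


def prefer(a, b):
    """True when route a beats route b under the standard decision order:
    higher LOCAL_PREF, then shorter AS_PATH, then lower MED (only compared when
    both routes entered from the same neighbouring AS), then lowest next hop."""
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    if a.as_path and b.as_path and a.as_path[0] == b.as_path[0] and a.med != b.med:
        return a.med < b.med
    return ipaddress.ip_address(a.next_hop) < ipaddress.ip_address(b.next_hop)


def best_path(candidates):
    """Pick the preferred route among candidates for the same prefix."""
    best = candidates[0]
    for route in candidates[1:]:
        if prefer(route, best):
            best = route
    return best


# Constructed sample: the on-premises site (AS 65500) advertises 10.1.0.0/16 over
# two tunnels and prepends its ASN on the second so that the first is preferred.
ROUTES = [
    Route("10.1.0.0/16", "10.1.1.254", (65500,)),
    Route("10.1.0.0/16", "10.1.2.254", (65500, 65500)),
]

if __name__ == "__main__":
    print("preferred next hop:", best_path(ROUTES).next_hop)
```

AS path prepending is the lever the on-premises side controls; Local Preference is only honoured within the receiving AS, which is why prepending is the usual way to make an Azure gateway prefer one tunnel of an active/active pair.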
Supported Scenarios
BGP is highly recommended for the following scenarios:
- Large-scale Site-to-Site VPNs: Connecting multiple on-premises sites to Azure.
- Active-Active VPN Gateways: Ensuring high availability for your VPN connections.
- Transit Routing: Enabling connectivity between different virtual networks in Azure via a central VPN gateway.
- Connection to Network Virtual Appliances (NVAs): When NVAs in Azure require dynamic routing.
Configuration Steps
Enabling BGP for your Azure VPN Gateway involves a few key steps:
- Configure BGP on your on-premises VPN device: Ensure your device supports BGP and is configured with an AS number and BGP peer IP address.
- Create a Virtual Network Gateway: Deploy a route-based VPN gateway into the GatewaySubnet of your virtual network. BGP is not supported on the Basic SKU, and the virtual network's address space must not overlap your on-premises networks.
- Configure BGP Settings for the Gateway:
- ASN: Assign an AS number to the Azure VPN Gateway. The default is 65515; another private ASN can be used as long as it is not one that Azure reserves. It must differ from the ASN of your on-premises device.
- BGP Peer IP Address: Azure allocates the gateway's BGP peer address from the GatewaySubnet when BGP is enabled (for example 10.12.255.30) and reports it in the gateway's BGP settings; configure that address as the neighbor on your on-premises device. If your device requires a link-local peer address, a custom APIPA address in the range 169.254.21.0 to 169.254.22.255 can be configured instead.
- Configure BGP on your Local Network Gateway: Provide the AS number and BGP peer IP address of your on-premises VPN device within the Azure Local Network Gateway configuration. The on-premises peer address must not fall within the virtual network address space and must not be the device's public IP address. With BGP enabled, the on-premises address prefixes are learned dynamically rather than listed statically.
- Establish a Site-to-Site Connection: Create a connection resource in Azure, linking the local network gateway (representing your on-premises device) to the VPN gateway, and enable BGP on the connection itself.
Once configured, BGP sessions will be established, and routes will be exchanged.
# Example Azure CLI snippet
# Create the VPN gateway with BGP enabled (65515 is the Azure default ASN).
# Requires an existing VNet (placeholder name MyVnet) with a subnet named
# GatewaySubnet and a public IP resource; BGP needs a route-based gateway on a
# non-Basic SKU.
az network vnet-gateway create \
  --resource-group MyResourceGroup \
  --name MyVpnGateway \
  --location westus \
  --vnet MyVnet \
  --public-ip-addresses MyVpnGatewayPip \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --sku VpnGw2 \
  --asn 65515

# Read back the BGP peer IP Azure allocated from GatewaySubnet; this is the
# neighbor address to configure on the on-premises device.
az network vnet-gateway show \
  --resource-group MyResourceGroup \
  --name MyVpnGateway \
  --query bgpSettings.bgpPeeringAddress -o tsv

# Local network gateway: the on-premises device's public IP, its ASN and its
# BGP peer IP. Prefixes are learned over BGP, so --local-address-prefixes is omitted.
az network local-gateway create \
  --resource-group MyResourceGroup \
  --name MyLocalGateway \
  --location westus \
  --gateway-ip-address 203.0.113.25 \
  --asn 65500 \
  --bgp-peering-address 10.1.1.254

# Site-to-site connection with BGP enabled on the connection itself.
# Replace 'YourSharedKey' with a long random pre-shared key.
az network vpn-connection create \
  --resource-group MyResourceGroup \
  --name MyVpnConnection \
  --vnet-gateway1 MyVpnGateway \
  --local-gateway2 MyLocalGateway \
  --shared-key 'YourSharedKey' \
  --enable-bgp
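The values those commands take can be sanity-checked offline before anything is created. The following Python is an added example, not Azure's code: it encodes the constraints from the configuration steps above (distinct ASNs for the two sides, Azure's reserved ASNs, non-overlapping address spaces, the permitted APIPA range for custom BGP addresses, and the restrictions on the on-premises peer address). The sample values are constructed placeholders matching the snippet; the reserved-ASN list and the APIPA range are the limits Azure documents at the time of writing and are assumed here.

```python
# Added example (not Azure's code): pre-flight checks on the BGP values used in
# the configuration steps, run locally before issuing any az commands.
import ipaddress

# ASNs Azure documents as reserved (assumed current). 65515 is the gateway's
# default and the only one of these the Azure side may use; the on-premises
# device may use none of them.
AZURE_RESERVED_ASNS = {8074, 8075, 12076, 65515, 65517, 65518, 65519, 65520}
# Range Azure permits for custom (APIPA) BGP peer addresses (assumed current).
AZURE_APIPA_RANGE = (ipaddress.ip_address("169.254.21.0"), ipaddress.ip_address("169.254.22.255"))
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def in_azure_apipa_range(ip):
    return AZURE_APIPA_RANGE[0] <= ip <= AZURE_APIPA_RANGE[1]


def check_bgp_config(cfg):
    """Return a list of problem strings; an empty list means the values are consistent.

    cfg keys: vnet_prefixes, onprem_prefixes (lists of CIDR strings), azure_asn,
    onprem_asn (ints), azure_bgp_ip, onprem_bgp_ip, onprem_public_ip (strings).
    """
    problems = []
    vnets = [ipaddress.ip_network(p, strict=False) for p in cfg["vnet_prefixes"]]
    onprem = [ipaddress.ip_network(p, strict=False) for p in cfg["onprem_prefixes"]]
    azure_asn, onprem_asn = cfg["azure_asn"], cfg["onprem_asn"]
    azure_bgp_ip = ipaddress.ip_address(cfg["azure_bgp_ip"])
    onprem_bgp_ip = ipaddress.ip_address(cfg["onprem_bgp_ip"])
    onprem_public_ip = ipaddress.ip_address(cfg["onprem_public_ip"])

    # eBGP: the two sides must be different autonomous systems.
    if azure_asn == onprem_asn:
        problems.append(f"azure_asn and onprem_asn are both {azure_asn}; eBGP peers need distinct ASNs")
    for name, asn in (("azure_asn", azure_asn), ("onprem_asn", onprem_asn)):
        if not 1 <= asn <= 4294967295:
            problems.append(f"{name} {asn} is outside the valid 32-bit ASN range")
    if onprem_asn in AZURE_RESERVED_ASNS:
        problems.append(f"onprem_asn {onprem_asn} is reserved by Azure")
    if azure_asn in AZURE_RESERVED_ASNS - {65515}:
        problems.append(f"azure_asn {azure_asn} is reserved by Azure")

    # Address spaces on the two ends of the tunnel must not overlap.
    for v in vnets:
        for o in onprem:
            if v.overlaps(o):
                problems.append(f"VNet prefix {v} overlaps on-premises prefix {o}")

    # Gateway BGP IP: either an address inside the VNet (GatewaySubnet) or a
    # custom APIPA address inside the range Azure permits.
    if azure_bgp_ip in LINK_LOCAL:
        if not in_azure_apipa_range(azure_bgp_ip):
            problems.append(f"azure_bgp_ip {azure_bgp_ip} is APIPA but outside 169.254.21.0-169.254.22.255")
    elif not any(azure_bgp_ip in v for v in vnets):
        problems.append(f"azure_bgp_ip {azure_bgp_ip} is not inside the VNet address space")

    # On-premises BGP peer IP: must not sit inside the VNet and must not be the
    # device's public (tunnel endpoint) address; an APIPA value must also be in range.
    if any(onprem_bgp_ip in v for v in vnets):
        problems.append(f"onprem_bgp_ip {onprem_bgp_ip} lies inside the VNet address space")
    if onprem_bgp_ip == onprem_public_ip:
        problems.append("onprem_bgp_ip must differ from the VPN device's public IP")
    if onprem_bgp_ip in LINK_LOCAL and not in_azure_apipa_range(onprem_bgp_ip):
        problems.append(f"onprem_bgp_ip {onprem_bgp_ip} is APIPA but outside 169.254.21.0-169.254.22.255")
    return problems


# Constructed sample matching the CLI snippet above (all values are placeholders).
GOOD_CONFIG = {
    "vnet_prefixes": ["10.12.0.0/16"],
    "onprem_prefixes": ["10.1.0.0/16"],
    "azure_asn": 65515,
    "azure_bgp_ip": "10.12.255.30",
    "onprem_asn": 65500,
    "onprem_bgp_ip": "10.1.1.254",
    "onprem_public_ip": "203.0.113.25",
}

if __name__ == "__main__":
    for problem in check_bgp_config(GOOD_CONFIG) or ["no problems found"]:
        print(problem)
```

Run it with the real values from your deployment plan; every problem it reports corresponds to a condition under which Azure will either refuse the configuration or bring up a session that never exchanges the routes you expect.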
Troubleshooting BGP
If you encounter issues with BGP peering or route propagation, consider the following:
- Verify BGP Configuration: Double-check AS numbers and BGP peer IP addresses on both Azure and the on-premises device, and the IPsec shared key: a mismatched key keeps the tunnel down, and BGP cannot establish without it.
- Check Network Connectivity: Ensure basic IP connectivity exists between the BGP peer IPs through the tunnel; the on-premises peer address must be routed over the VPN, not via the device's public interface.
- Firewall Rules: Confirm that nothing between the endpoints blocks the IPsec tunnel (UDP 500 and 4500, or ESP) and that the on-premises device is not filtering BGP (TCP port 179) on its tunnel interface.
- Azure Portal and CLI: Use the "BGP peers" section of the VPN gateway to inspect session state, learned routes and advertised routes, and "Effective routes" on a VM network interface to confirm the learned prefixes reached the VNet. The same data is available from az network vnet-gateway list-bgp-peer-status, list-learned-routes and list-advertised-routes, and from az network nic show-effective-route-table.
- On-premises Device Logs: Examine logs on your VPN device for BGP-related error messages.
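Reading the peer status and learned-route output by eye works for one peer; for several sites it is worth a small audit. The following Python is an added example, not Azure's code or output: it takes the JSON produced by az network vnet-gateway list-bgp-peer-status and list-learned-routes and reports sessions that are not Connected, connected peers that have sent no routes, and learned routes an on-premises peer should not be originating (a default route, which would pull all Internet-bound VNet traffic into the tunnel, or a prefix overlapping the VNet's own address space). The two JSON documents are constructed samples; their field names follow the shape those CLI commands print, which the example assumes.

```python
# Added example (not Azure's code): audit BGP peer status and learned routes as
# returned by the az CLI. The JSON below is constructed sample output whose
# field names follow az network vnet-gateway list-bgp-peer-status and
# list-learned-routes (an assumption about the output shape).
import ipaddress
import json

PEER_STATUS_JSON = """{"value": [
  {"neighbor": "10.1.1.254", "asn": 65500, "state": "Connected",
   "connectedDuration": "02:13:45", "routesReceived": 3,
   "messagesSent": 240, "messagesReceived": 238, "localAddress": "10.12.255.30"},
  {"neighbor": "10.1.2.254", "asn": 65500, "state": "Connecting",
   "connectedDuration": "00:00:00", "routesReceived": 0,
   "messagesSent": 0, "messagesReceived": 0, "localAddress": "10.12.255.30"}
]}"""

LEARNED_ROUTES_JSON = """{"value": [
  {"network": "10.12.0.0/16", "nextHop": "", "origin": "Network", "asPath": "",
   "sourcePeer": "10.12.255.30", "localAddress": "10.12.255.30", "weight": 32768},
  {"network": "10.1.0.0/16", "nextHop": "10.1.1.254", "origin": "EBgp", "asPath": "65500",
   "sourcePeer": "10.1.1.254", "localAddress": "10.12.255.30", "weight": 32768},
  {"network": "10.12.5.0/24", "nextHop": "10.1.1.254", "origin": "EBgp", "asPath": "65500",
   "sourcePeer": "10.1.1.254", "localAddress": "10.12.255.30", "weight": 32768},
  {"network": "0.0.0.0/0", "nextHop": "10.1.1.254", "origin": "EBgp", "asPath": "65500",
   "sourcePeer": "10.1.1.254", "localAddress": "10.12.255.30", "weight": 32768}
]}"""


def audit_bgp(peer_status_json, learned_routes_json, vnet_prefixes):
    """Return a list of findings; an empty list means every peer is up and
    nothing unexpected was learned."""
    findings = []
    peers = json.loads(peer_status_json)["value"]
    routes = json.loads(learned_routes_json)["value"]
    vnets = [ipaddress.ip_network(p) for p in vnet_prefixes]

    # A session that is not Established shows as any state other than Connected.
    for peer in peers:
        if peer["state"] != "Connected":
            findings.append(f"peer {peer['neighbor']} (AS{peer['asn']}) is {peer['state']}, not Connected")
        elif peer["routesReceived"] == 0:
            findings.append(f"peer {peer['neighbor']} is Connected but has advertised no routes")

    # Routes learned over eBGP that an on-premises peer should not be sending.
    for route in routes:
        if route["origin"] != "EBgp":
            continue  # the gateway's own VNet prefixes carry origin Network
        net = ipaddress.ip_network(route["network"])
        src = route["sourcePeer"]
        if net.prefixlen == 0:
            findings.append(f"{src} advertised a default route ({net})")
        elif any(net.overlaps(v) for v in vnets):
            findings.append(f"{src} advertised {net}, which overlaps the VNet address space")
    return findings


if __name__ == "__main__":
    for finding in audit_bgp(PEER_STATUS_JSON, LEARNED_ROUTES_JSON, ["10.12.0.0/16"]) or ["no findings"]:
        print(finding)
```

Feed it the output of the two az commands (for example redirected to files) together with your VNet's address prefixes; an overlapping or default prefix arriving from a site is worth treating as a misconfiguration or a compromised device on that site until explained, since either changes where the VNet's traffic goes.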
For more detailed troubleshooting steps and common issues, refer to the official Azure VPN Gateway BGP troubleshooting guide.