Introduction

The basic Azure Virtual Network Gateway (from generation 1, SKU VpnGw1 onwards) lets you set up multiple tunnels and configure BGP peering with a remote, on-prem site.

Create VPN Gateway with BGP support

Let’s log in to the Azure CLI, open the Bash CLI and create a new VPN gateway.

az group create -n TestBGPRG5 -l uksouth
 
az network local-gateway create --gateway-ip-address 23.99.221.164 -n Site5 -g TestBGPRG5 --local-address-prefixes 10.51.255.254/32 --asn 65500 --bgp-peering-address 10.51.255.254

Create Local Network Gateway with BGP peers

On-Prem BGP peer 1
 
az network local-gateway create --gateway-ip-address 23.99.221.164 -n Site5 -g TestBGPRG5 --local-address-prefixes 10.51.255.254/30 --asn 65050 --bgp-peering-address 10.51.253.254
  
On-Prem BGP peer 2

az network local-gateway create --gateway-ip-address 185.99.271.17 -n Site6 -g TestBGPRG5 --local-address-prefixes 10.51.255.254/30 --asn 65050 --bgp-peering-address 10.51.252.254

Create new VPN connections

az network vpn-connection create -g MyResourceGroup -n BGPConnection1 --vnet-gateway1 MyVnetGateway --local-gateway2 MyLocalGateway1 --shared-key Abc123 --enable-bgp
az network vpn-connection create -g MyResourceGroup -n BGPConnection2 --vnet-gateway1 MyVnetGateway --local-gateway2 MyLocalGateway2 --shared-key Abc123 --enable-bgp

On your on-prem device, create a matching VPN connection. Be aware that by default Azure uses 0.0.0.0/0 as the traffic selector for route-based connections, so you’ll need to create a VTI interface (tunnel interface on Cisco ASA), an XFRM interface (Linux implementation) or similar, depending on the vendor used.

Configure BGP weight so primary connection is preferred

az network vpn-connection update -g MyResourceGroup -n BGPConnection1 --routing-weight 100

Debugging

To list our VPN Gateway BGP settings, we can query the JSON output for its key:value data.

pawel@Azure:~$ az network vnet-gateway list -g ERF_RG --query [].bgpSettings

It returns data that isn’t included in the table output (--out table):

[
  {
    "asn": 65500,
    "bgpPeeringAddress": "10.51.255.254",
    "bgpPeeringAddresses": [
      {
        "customBgpIpAddresses": [],
        "defaultBgpIpAddresses": [
          "10.51.255.254"
        ],
        "ipconfigurationId": "/subscriptions/bdbf411d-bcc8-4098-8e7d-9b9f3cb182e4/resourceGroups/ERF_RG/providers/Microsoft.Network/virtualNetworkGateways/ikev2/ipConfigurations/default",
        "tunnelIpAddresses": [
          "51.140.63.201"
        ]
      }
    ],
    "peerWeight": 0
  }
]

To list the entire routing table:

Azure:~$ az network vnet-gateway list-learned-routes -g My_resource_Group -n VPNGateway --out table
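
Added example (not part of the original post): every route the gateway learns over BGP is traffic it will send into the tunnel, so the learned-route table is worth checking against what the on-prem peer is supposed to advertise. This Python script audits the JSON form of the list-learned-routes output; the allow-listed prefix, the sample routes and the AS-path separator are assumptions, and 65050 is the on-prem ASN used earlier on this page.

```python
import ipaddress
import json
import re
import sys

PEER_ASN = 65050  # on-prem ASN from the local gateway commands on this page
# Assumption: the prefixes the on-prem site is expected to advertise.
ALLOWED = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed sample in the shape of `list-learned-routes -o json`.
SAMPLE = {"value": [
    {"network": "10.50.0.0/16", "origin": "Network", "asPath": "",
     "nextHop": None, "sourcePeer": "10.51.255.254", "weight": 32768},
    {"network": "192.168.10.0/24", "origin": "EBgp", "asPath": "65050",
     "nextHop": "10.51.253.254", "sourcePeer": "10.51.253.254", "weight": 32768},
    {"network": "0.0.0.0/0", "origin": "EBgp", "asPath": "65050",
     "nextHop": "10.51.253.254", "sourcePeer": "10.51.253.254", "weight": 32768},
    {"network": "172.16.5.0/24", "origin": "EBgp", "asPath": "65050-64999",
     "nextHop": "10.51.253.254", "sourcePeer": "10.51.253.254", "weight": 32768},
]}


def audit_routes(doc, peer_asn=PEER_ASN, allowed=ALLOWED):
    """Return (network, reason) pairs for eBGP-learned routes that break policy."""
    findings = []
    for route in doc.get("value", []):
        if route.get("origin") != "EBgp":  # skip the gateway's own/local routes
            continue
        net = ipaddress.ip_network(route["network"], strict=False)
        # AS path separator is assumed; pull out every number regardless.
        path = [int(a) for a in re.findall(r"\d+", route.get("asPath") or "")]
        if net.prefixlen == 0:
            findings.append((str(net), "default route learned over BGP"))
        elif not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append((str(net), "prefix outside allow-list"))
        if not path or path[0] != peer_asn:
            findings.append((str(net), "unexpected neighbour AS"))
        elif path[-1] != peer_asn:
            findings.append((str(net), f"originated by AS{path[-1]}, not the peer"))
    return findings


if __name__ == "__main__":
    # Pipe real CLI JSON on stdin, or run with no input to use the sample.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for network, reason in audit_routes(doc):
        print(f"{network}: {reason}")
```

To run it against a live gateway, pipe the same list-learned-routes command with --out json into the script.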
