The basic Azure Virtual Network Gateway (from Generation 1, SKU VpnGw1 onwards) lets you set up multiple tunnels and configure BGP peering with a remote, on-prem site.

Create VPN Gateway with BGP support

Let's log in to the Azure CLI, open the Bash CLI and create a new VPN gateway.

az group create -n TestBGPRG5 -l uksouth
az network local-gateway create --gateway-ip-address -n Site5 -g TestBGPRG5 --local-address-prefixes --asn 65500 --bgp-peering-address

Create Local Network Gateway with BGP peers

On-Prem BGP peer 1
az network local-gateway create --gateway-ip-address -n Site5 -g TestBGPRG5 --local-address-prefixes --asn 65050 --bgp-peering-address
On-Prem BGP peer 2
az network local-gateway create --gateway-ip-address -n Site6 -g TestBGPRG5 --local-address-prefixes --asn 65050 --bgp-peering-address

Create new VPN connections

az network vpn-connection create -g MyResourceGroup -n BGPConnection1 --vnet-gateway1 MyVnetGateway --local-gateway2 MyLocalGateway1 --shared-key Abc123 --enable-bgp
az network vpn-connection create -g MyResourceGroup -n BGPConnection2 --vnet-gateway1 MyVnetGateway --local-gateway2 MyLocalGateway2 --shared-key Abc123 --enable-bgp

On your on-prem device, create a matching VPN connection. Be aware that the default behaviour of route-based connections is that Azure uses as a traffic selector, so you'll need to create a VTI interface (tunnel interface on Cisco ASA), an XFRM interface (Linux implementation) or similar, depending on the vendor used.

Configure BGP weight so primary connection is preferred

az network vpn-connection update -g MyResourceGroup -n BGPConnection1 --routing-weight 100
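
To confirm that the weight change really leaves one preferred tunnel and that BGP is enabled on both connections, the output of `az network vpn-connection list -g MyResourceGroup -o json` can be checked with a short script. This is an added example, not part of the original post; the sample JSON is constructed, and the script assumes the `enableBgp`, `routingWeight` and `connectionStatus` fields of the connection objects that command returns.

```python
import json

# Constructed sample of `az network vpn-connection list -g MyResourceGroup -o json`,
# trimmed to the fields used below. Values are made up for illustration.
SAMPLE = """
[
  {"name": "BGPConnection1", "enableBgp": true,
   "routingWeight": 100, "connectionStatus": "Connected"},
  {"name": "BGPConnection2", "enableBgp": false,
   "routingWeight": 0, "connectionStatus": "Connected"}
]
"""


def audit_connections(raw):
    """Return (preferred connection name or None, list of findings)."""
    conns = json.loads(raw)
    findings = []
    for c in conns:
        if not c.get("enableBgp", False):
            findings.append(f"{c['name']}: BGP is not enabled on this connection")
        if c.get("connectionStatus") != "Connected":
            findings.append(f"{c['name']}: status is {c.get('connectionStatus')}")

    # Following the post's design, the primary is the connected tunnel with the
    # strictly highest routing weight; a tie means no tunnel is preferred.
    up = [c for c in conns if c.get("connectionStatus") == "Connected"]
    ranked = sorted(up, key=lambda c: c.get("routingWeight", 0), reverse=True)
    if not ranked:
        findings.append("no connected tunnel")
        return None, findings
    if len(ranked) > 1 and ranked[0].get("routingWeight", 0) == ranked[1].get("routingWeight", 0):
        findings.append("routing weights tie: no connection is preferred")
        return None, findings
    return ranked[0]["name"], findings


if __name__ == "__main__":
    primary, issues = audit_connections(SAMPLE)
    print("preferred:", primary)
    for issue in issues:
        print("finding:", issue)
```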


To list our VPN Gateway BGP settings we can query JSON and its key:value data.

pawel@Azure:~$ az network vnet-gateway list -g ERF_RG --query "[].bgpSettings"

It returns data that isn't included in the table output (--out table):

"asn": 65500,
"bgpPeeringAddress": "",
"bgpPeeringAddresses": [
"customBgpIpAddresses": [],
"defaultBgpIpAddresses": [
"ipconfigurationId": "/subscriptions/bdbf411d-bcc8-4098-8e7d-9b9f3cb182e4/resourceGroups/ERF_RG/providers/Microsoft.Network/virtualNetworkGateways/ikev2/ipConfigurations/default",
"tunnelIpAddresses": [
"peerWeight": 0

To list the entire routing table:

Azure:~$ az network vnet-gateway list-learned-routes -g My_resource_Group -n VPNGateway --out table
