Connection for BGP Configuration

Anonymous
2023-08-01T21:51:09.62+00:00

Our VNet-to-VNet connection for our VPN connection forwards the on-prem routes from the opposite region. We recently turned off BGP on the connection and the on-prem routes were omitted from the (BGP) route table, but connectivity between the regions remained.

Questions:

  1. Region-to-region routes in the route table that go over the connection: will those routes ever time out?
  2. If we enable BGP, can we filter out on-prem routes from going over the VNet-to-VNet connection?
  3. Can Azure take a community string from on-prem into our space in Azure?
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

Accepted answer
  KapilAnanth-MSFT (Microsoft Employee, Moderator)
    2023-08-02T07:27:03.8466667+00:00

    @Anonymous

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you have a VNET-to-VNET VPN Connection and a Site-to-Site connection in your VPN Gateway with BGP Enabled.

    You see traffic is being forwarded from one connection to the other when BGP is enabled.

    This is an expected behavior.
    Refer : Transit routing between your on-premises networks and multiple Azure VNets

    And I am afraid we cannot influence this behavior of route exchange as long as BGP is enabled; we can only allow/block traffic.

    Let's consider your network architecture as below

    customerX <------VNET2VNET---------> VNetA <--------S2S-------> customerY

    Method1:

    You can consider disabling the BGP on the Connections (or one Connection which you would like to not participate in BGP Route propagation).

    Method2:

    You can configure the firewall devices at the customerX and customerY sites to only allow traffic to VNETA and block traffic to customerY and customerX respectively.

    Method3:

    However, if you'd like to keep BGP enabled and still block connections, you will need an NVA (such as Azure Firewall).

    You should attach a route table to the GatewaySubnet with the routes:

    • CustomerXAddressSpace -------> Next Hop NVA
    • CustomerYAddressSpace -------> Next Hop NVA

    And in the firewall, configure rules such that traffic between CustomerX & CustomerY is blocked and traffic between CustomerX & VNETA and CustomerY & VNETA is allowed.

    A similar example is provided here for vWAN : Custom Isolation for Virtual Networks and Branches

    You can also extend this to connections between your VNET and CustomerX/CustomerY by forwarding traffic from the VNET subnets to the NVA and then letting the NVA send the traffic to the VPN gateway (if allowed) or block the connection.

    Reference: https://techcommunity.microsoft.com/t5/fasttrack-for-azure/using-azure-firewall-as-a-network-virtual-appliance-nva/ba-p/1972934

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil

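Method 3 above depends on the user-defined routes on the GatewaySubnet winning over the BGP-learned routes for the same prefixes. Azure picks the effective route by longest prefix match first, and only among routes of equal length does it prefer UDR over BGP over system routes; a peer that advertises a more specific prefix over BGP than the UDR covers therefore gets its traffic sent straight to the gateway and never through the NVA. The script below is an added example, not code from the thread or from Microsoft: it models that selection and the Method 3 firewall rules on constructed address spaces (10.0.0.0/16 for VNetA, 10.1.0.0/16 for customerX, 10.2.0.0/16 for customerY, and an extra 10.2.5.0/24 advertised by customerY, all assumed) and flags the BGP-learned prefixes that the UDRs do not cover.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address spaces for the topology in the answer (assumed, not from the thread).
VNET_A     = ipaddress.ip_network("10.0.0.0/16")  # hub VNet with the VPN gateway and the NVA
CUSTOMER_X = ipaddress.ip_network("10.1.0.0/16")  # reached over the VNet-to-VNet connection
CUSTOMER_Y = ipaddress.ip_network("10.2.0.0/16")  # reached over the site-to-site connection

PRECEDENCE = {"UDR": 0, "BGP": 1, "System": 2}   # Azure's tie-break for equal prefix lengths


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str     # "UDR", "BGP" or "System"
    next_hop: str   # "VirtualAppliance", "VirtualNetworkGateway", "VnetLocal", ...


@dataclass(frozen=True)
class FwRule:
    name: str
    action: str        # "Allow" or "Deny"
    priority: int      # lower number is evaluated first
    sources: tuple
    destinations: tuple


def select_route(routes, dst):
    """Effective route for dst: longest prefix match first, then
    UDR over BGP over System among routes with the same prefix length."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, PRECEDENCE[r.source]))


def firewall_verdict(rules, src, dst):
    """Simplified network-rule evaluation: the first matching rule by priority
    decides, and traffic that no rule allows is denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(src in n for n in rule.sources) and any(dst in n for n in rule.destinations):
            return rule.action
    return "Deny"


def transit_path(routes, rules, src, dst):
    """Fate of a packet that arrives in VNetA's GatewaySubnet from one connection."""
    route = select_route(routes, dst)
    if route is None:
        return "dropped (no route)"
    if route.next_hop != "VirtualAppliance":
        return f"bypassed NVA via {route.source} route {route.prefix}"
    return "forwarded via NVA" if firewall_verdict(rules, src, dst) == "Allow" else "dropped by NVA"


def bgp_bypasses_udr(routes):
    """For each BGP-learned prefix, return the part that no UDR of equal or greater
    specificity sends to the NVA. Destinations in that part skip the firewall."""
    udrs = [r for r in routes if r.source == "UDR" and r.next_hop == "VirtualAppliance"]
    gaps = {}
    for r in routes:
        if r.source != "BGP":
            continue
        remaining = [r.prefix]
        for u in udrs:
            if u.prefix.prefixlen < r.prefix.prefixlen:
                continue  # a shorter UDR loses longest-prefix match to this BGP route
            nxt = []
            for chunk in remaining:
                if chunk.subnet_of(u.prefix):
                    continue                                     # fully covered
                if u.prefix.subnet_of(chunk):
                    nxt.extend(chunk.address_exclude(u.prefix))  # carve the UDR out
                else:
                    nxt.append(chunk)                            # disjoint, unchanged
            remaining = nxt
        if remaining:
            gaps[r.prefix] = sorted(remaining)
    return gaps


# Effective routes on the GatewaySubnet (constructed): the Method 3 UDRs plus what BGP
# learns over each connection. customerY also advertises 10.2.5.0/24, which the /16 UDR loses to.
GATEWAY_SUBNET_ROUTES = [
    Route(VNET_A, "System", "VnetLocal"),
    Route(VNET_A, "UDR", "VirtualAppliance"),
    Route(CUSTOMER_X, "UDR", "VirtualAppliance"),
    Route(CUSTOMER_Y, "UDR", "VirtualAppliance"),
    Route(CUSTOMER_X, "BGP", "VirtualNetworkGateway"),
    Route(CUSTOMER_Y, "BGP", "VirtualNetworkGateway"),
    Route(ipaddress.ip_network("10.2.5.0/24"), "BGP", "VirtualNetworkGateway"),
]

# The same table after adding a UDR as specific as the leaked prefix.
FIXED_ROUTES = GATEWAY_SUBNET_ROUTES + [
    Route(ipaddress.ip_network("10.2.5.0/24"), "UDR", "VirtualAppliance"),
]

# NVA rules from Method 3: deny transit between the customers in both directions
# (the firewall is stateful, so replies are covered), allow each of them to reach VNetA.
FIREWALL_RULES = [
    FwRule("deny-x-to-y", "Deny", 100, (CUSTOMER_X,), (CUSTOMER_Y,)),
    FwRule("deny-y-to-x", "Deny", 110, (CUSTOMER_Y,), (CUSTOMER_X,)),
    FwRule("allow-x-to-vneta", "Allow", 200, (CUSTOMER_X,), (VNET_A,)),
    FwRule("allow-y-to-vneta", "Allow", 210, (CUSTOMER_Y,), (VNET_A,)),
]

if __name__ == "__main__":
    for dst in ("10.0.1.4", "10.2.0.10", "10.2.5.7"):
        print(f"10.1.0.10 -> {dst}: {transit_path(GATEWAY_SUBNET_ROUTES, FIREWALL_RULES, '10.1.0.10', dst)}")
    print("BGP prefixes not covered by a UDR:", bgp_bypasses_udr(GATEWAY_SUBNET_ROUTES))
    print("after adding the /24 UDR:", bgp_bypasses_udr(FIXED_ROUTES))
```

Against the constructed table the check reports 10.2.5.0/24 as uncovered and traffic to it as bypassing the NVA; adding a UDR of the same length for that prefix closes the gap and the firewall then drops it. The practical equivalent is to compare the prefixes the gateway learns over each connection (for example with `az network vnet-gateway list-learned-routes`) against the UDRs on the GatewaySubnet after every change a peer makes to its advertisements, since a new, more specific prefix silently reopens the transit path that Method 3 is meant to block.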

