BGP peering IPs via Virtual Network Gateway

Gongya Yu 190 Reputation points
2024-05-28T08:05:19.2933333+00:00

I came across the following when I tested S2S VPN on Azure
In the highlighted Configure BGP section of the page, configure the following settings:

  • Select Configure BGP - Enabled to show the BGP configuration section.
  • Fill in your ASN (Autonomous System Number).
  • The Azure APIPA BGP IP address field is optional. If your on-premises VPN devices use APIPA address for BGP, you must select an address from the Azure-reserved APIPA address range for VPN, which is from 169.254.21.0 to 169.254.22.255.
  • If you're creating an active-active VPN gateway, the BGP section will show an additional Second Custom Azure APIPA BGP IP address. Each address you select must be unique and be in the allowed APIPA range (169.254.21.0 to 169.254.22.255). Active-active gateways also support multiple addresses for both Azure APIPA BGP IP address and Second Custom Azure APIPA BGP IP address. Additional inputs will only appear after you enter your first APIPA BGP IP address.

  Important
    • By default, Azure assigns a private IP address from the GatewaySubnet prefix range automatically as the Azure BGP IP address on the VPN gateway. The custom Azure APIPA BGP address is needed when your on premises VPN devices use an APIPA address (169.254.0.1 to 169.254.255.254) as the BGP IP. VPN Gateway will choose the custom APIPA address if the corresponding local network gateway resource (on-premises network) has an APIPA address as the BGP peer IP. If the local network gateway uses a regular IP address (not APIPA), VPN Gateway will revert to the private IP address from the GatewaySubnet range.
    • The APIPA BGP addresses must not overlap between the on-premises VPN devices and all connected VPN gateways.
    • When APIPA addresses are used on VPN gateways, the gateways do not initiate BGP peering sessions with APIPA source IP addresses. The on-premises VPN device must initiate BGP peering connections.

First, the Azure APIPA BGP IP address is not there any more; does that mean Azure never uses APIPA IPs anymore?
Second, based on which configuration does the VPN gateway configure its BGP peering IP (on-prem BGP IP)?

Third, if the on-prem BGP IP is not on the same subnet as the Azure VGW, how does Azure configure the route to send the BGP connection attempt to on-prem?

Thanks!!

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

1 answer

  1. GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee
    2024-05-28T09:27:43.59+00:00

    Hello @Gongya Yu ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are testing S2S VPN on Azure and have some questions related to its BGP configuration. Please find the answers below.

    First, the Azure APIPA BGP IP address is not there anymore; does that mean Azure never uses APIPA IPs anymore?

    Azure APIPA BGP IP address option is available in the VPN gateway when you enable BGP as below:

    User's image

    So, I would request you to validate if you selected "Configure BGP" as Enabled. If yes, could you please share a screenshot of your VPN gateway BGP configuration?

    Another important thing to note here is:

    BGP is supported on all Azure VPN Gateway SKUs except Basic SKU. So, please make sure you are NOT using a Basic SKU VPN gateway.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#bgp

    Second, based on which configuration does VPN gateway configure its bgp peering IP (on-prem bgp IP)?

    Based on the BGP configuration on your local network gateway in Azure, the VPN gateway will configure its BGP peering IP. VPN Gateway will choose the custom APIPA address if the corresponding local network gateway resource (on-premises network) has an APIPA address as the BGP peer IP. If the local network gateway uses a regular IP address (not APIPA), VPN Gateway will revert to the private IP address from the GatewaySubnet range.

    If you use an APIPA IP address (169.254.x.x) as your on-premises BGP peer IP in the local network gateway, then you'll also need to specify an APIPA IP address for your VPN gateway, otherwise the BGP session can't establish for this connection. You can enter the BGP configuration information during the creation of the local network gateway, or you can add or change BGP configuration from the Configuration page of the local network gateway resource.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-howto#1-create-a-local-network-gateway

    Third, if the on-prem BGP IP is not on the same subnet as the Azure VGW, how does Azure configure the route to send the BGP connection attempt to on-prem?

    The Azure network and your on-premises network are connected using a "Connection" object in Azure.

    When you configure BGP in the VPN gateway, local network gateway, the connection object and on your on-premises VPN device, it enables the Azure VPN gateways and your on-premises VPN devices, called BGP peers or neighbors, to exchange "routes" that will inform both gateways on the availability and reachability for those prefixes to go through the gateways or routers involved.

    The routes are automatically advertised to the connected BGP peers.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-howto#2-configure-an-s2s-connection-with-bgp-enabled

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview

    https://en.wikipedia.org/wiki/Border_Gateway_Protocol

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
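The selection rule described in the answer (custom APIPA address only when the local network gateway's BGP peer is APIPA, otherwise a GatewaySubnet private IP) and the range, uniqueness and overlap constraints quoted from the docs can be pre-checked before deploying. The following is an added example, not code from the answer or from Microsoft; the function and parameter names and the sample addresses are my own, and the GatewaySubnet prefix is an assumed value.

```python
from ipaddress import IPv4Address, IPv4Network

# Ranges quoted on the page: general APIPA space, and the Azure-reserved
# APIPA range that a VPN gateway's custom BGP IP must fall into.
APIPA_RANGE = IPv4Network("169.254.0.0/16")   # usable hosts .0.1 - .255.254
AZURE_VPN_APIPA = (IPv4Address("169.254.21.0"), IPv4Address("169.254.22.255"))


def is_apipa(ip: str) -> bool:
    """True if ip is a usable host address in the APIPA range."""
    addr = IPv4Address(ip)
    return addr in APIPA_RANGE and addr not in (
        APIPA_RANGE.network_address, APIPA_RANGE.broadcast_address)


def in_azure_vpn_apipa_range(ip: str) -> bool:
    """True if ip lies inside the Azure-reserved APIPA range for VPN."""
    return AZURE_VPN_APIPA[0] <= IPv4Address(ip) <= AZURE_VPN_APIPA[1]


def plan_bgp_peering(lng_peer_ip: str, gateway_subnet: str, custom_apipa_ips=()):
    """Decide which source address the VPN gateway will peer from, given the
    local network gateway (LNG) BGP peer IP and any custom Azure APIPA IPs.
    Returns (mode, addresses, problems, notes)."""
    problems, notes = [], []
    if not is_apipa(lng_peer_ip):
        # Regular on-prem peer: Azure auto-assigns a private IP from GatewaySubnet.
        if custom_apipa_ips:
            notes.append("custom APIPA addresses ignored: LNG peer is not APIPA")
        return "gatewaysubnet", [str(IPv4Network(gateway_subnet))], problems, notes
    # APIPA on-prem peer: the gateway needs its own custom APIPA address(es).
    if not custom_apipa_ips:
        problems.append("LNG peer is APIPA but no Azure APIPA BGP IP is set; "
                        "the BGP session cannot establish")
    for ip in custom_apipa_ips:
        if not in_azure_vpn_apipa_range(ip):
            problems.append(f"{ip} is outside 169.254.21.0-169.254.22.255")
        if ip == lng_peer_ip:
            problems.append(f"{ip} overlaps the on-premises BGP peer IP")
    if len(set(custom_apipa_ips)) != len(custom_apipa_ips):
        problems.append("custom APIPA addresses must be unique")
    notes.append("gateway will not initiate BGP from an APIPA source; "
                 "the on-premises device must initiate the session")
    return "apipa", list(custom_apipa_ips), problems, notes


if __name__ == "__main__":
    # Constructed sample: active-active gateway, on-prem peer 169.254.21.1.
    print(plan_bgp_peering("169.254.21.1", "10.0.255.0/27",
                           ["169.254.21.5", "169.254.22.5"]))
```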

