BGP MD5 Auth on Peering Setup in Azure Portal

Question

BGP MD5 Auth on Peering Setup in Azure Portal

Ryan Williams 6

Hello,

We would like to be able to apply an MD5 authentication string to our BGP peering sessions with Microsoft. It looks like there is a field for this in the Azure portal under Settings>Connections, then expand IPv4 or IPv6 and look for the MD5 Authentication Key field, but I am unable to make any edits to this field. Is this something that others have been able to successfully modify or setup?

Thanks

RW

KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2022-09-28T04:42:04.367+00:00
Hi @Ryan Williams ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are not able to edit the MD5/Shared key of a peering.

I see you have mentioned that you are viewing the configuration from Settings>Connections.

May I request you to navigate via Overview panel?

Then navigate to the Peering in which you would like to add a MD5 hash

From there, update the shared key?

Refer :
To view Azure private peering details
To update peering configuration

Kindly let me know if this helps or you require additional information on this.

Thanks,
Kapil

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Ryan Williams 6 Reputation points

2022-09-28T20:05:02.607+00:00

I cannot view or change anything via the Overview tab either. I can't put a screenshot in here otherwise I would show you this...
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2022-09-29T05:22:02.417+00:00

Hi @Ryan Williams ,

Thanks for the update.

It's possible that you have a reader role and not a contributor role from RBAC permissions.
Refer : RBAC in Azure

Can you please check what level of permission you have on this resource?
Refer : Check access for a user to Azure resources

Make sure you have Contributor or Network Contributor role assigned.

Also, I would request you to check if Read-Only lock is applied at the resource level/resource group level?
Locks in Azure

Cheers,
Kapil
Ryan Williams 6 Reputation points

2022-09-29T15:42:25.6+00:00

I am assigned as Owner of the Resource Group. I still cannot modify the BGP MD5 Auth field. I wonder if this has something to do with this being a peering we are trying to setup in a public exchange and not a private peering? The resource group also has no locks applied to it.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2022-09-30T04:39:10.727+00:00
Hi @Ryan Williams ,

Greetings.

This is strange.
Private, Microsoft and even Public (deprecated for new circuits) Peerings, all three support MD5 Hash.

May I ask if you have already configured this circuit and traffic is flowing?

Or is this a new set up?

Can you confirm if the Provider status is Provisioned and Circuit status is Enabled?
-

If Provider and Circuit status are as above, then I think this issue would require a deeper investigation.
So, if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

Cheers,
Kapil.
Ryan Williams 6 Reputation points

2022-09-30T04:45:16.213+00:00

We have BGP up to Microsoft. All four of my configured sessions are established (without MD5 authentication). This is a new setup and we are still waiting to receive ipv4 and ipv6 route advertisements across the peering, but we are BGP neighbors at this point. I currently have Deny All Import and Export policies and am just waiting to receive route advertisements from Microsoft. I would still like to figure out why I cannot configure an MD5 auth string here. Can you tell me where I need to navigate to to check the Provider Status and Circuit Status in the Azure Portal?

Thanks,

RW
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2022-09-30T04:54:49.24+00:00

Thanks for the detailed explanation.

You can check this from the Overview Tab of ExpressRoute circuit
Ryan Williams 6 Reputation points

2022-09-30T04:58:07.11+00:00

Here is what I see in the Overview tab. I do not believe this is an ExpressRoute circuit. We have our own DWDM equipment and dark fibers to provide this circuit for us... Like I said before we are certainly BGP neighbors with Microsoft here, so that means we can talk to each other on TCP port 179 just fine. I don't think this is a circuit issue per se...
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2022-09-30T05:24:47.31+00:00

Yes.

Apologies on the confusion.
I have provided an answer addressing this.

Cheers,
Kapil

----------------------------------------------------------------------------------------------------------------

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

2 answers

Your answer

KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2022-09-28T04:42:04.367+00:00

Hi @Ryan Williams ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are not able to edit the MD5/Shared key of a peering.

I see you have mentioned that you are viewing the configuration from Settings>Connections.

May I request you to navigate via Overview panel?

Then navigate to the Peering in which you would like to add a MD5 hash

From there, update the shared key?

Refer :
To view Azure private peering details
To update peering configuration

Kindly let me know if this helps or you require additional information on this.

Thanks,
Kapil

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Ryan Williams 6 Reputation points

2022-09-28T20:05:02.607+00:00

I cannot view or change anything via the Overview tab either. I can't put a screenshot in here otherwise I would show you this...
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2022-09-29T05:22:02.417+00:00

Hi @Ryan Williams ,

Thanks for the update.

It's possible that you have a reader role and not a contributor role from RBAC permissions.
Refer : RBAC in Azure

Can you please check what level of permission you have on this resource?
Refer : Check access for a user to Azure resources

Make sure you have Contributor or Network Contributor role assigned.

Also, I would request you to check if Read-Only lock is applied at the resource level/resource group level?
Locks in Azure

Cheers,
Kapil
Ryan Williams 6 Reputation points

2022-09-29T15:42:25.6+00:00

I am assigned as Owner of the Resource Group. I still cannot modify the BGP MD5 Auth field. I wonder if this has something to do with this being a peering we are trying to setup in a public exchange and not a private peering? The resource group also has no locks applied to it.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2022-09-30T04:39:10.727+00:00

Hi @Ryan Williams ,

Greetings.

This is strange.
Private, Microsoft and even Public (deprecated for new circuits) Peerings, all three support MD5 Hash.

May I ask if you have already configured this circuit and traffic is flowing?

Or is this a new set up?

Can you confirm if the Provider status is Provisioned and Circuit status is Enabled?
-

If Provider and Circuit status are as above, then I think this issue would require a deeper investigation.
So, if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

Cheers,
Kapil.
Ryan Williams 6 Reputation points

2022-09-30T04:45:16.213+00:00

We have BGP up to Microsoft. All four of my configured sessions are established (without MD5 authentication). This is a new setup and we are still waiting to receive ipv4 and ipv6 route advertisements across the peering, but we are BGP neighbors at this point. I currently have Deny All Import and Export policies and am just waiting to receive route advertisements from Microsoft. I would still like to figure out why I cannot configure an MD5 auth string here. Can you tell me where I need to navigate to to check the Provider Status and Circuit Status in the Azure Portal?

Thanks,

RW
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2022-09-30T04:54:49.24+00:00

Thanks for the detailed explanation.

You can check this from the Overview Tab of ExpressRoute circuit
Ryan Williams 6 Reputation points

2022-09-30T04:58:07.11+00:00

Here is what I see in the Overview tab. I do not believe this is an ExpressRoute circuit. We have our own DWDM equipment and dark fibers to provide this circuit for us... Like I said before we are certainly BGP neighbors with Microsoft here, so that means we can talk to each other on TCP port 179 just fine. I don't think this is a circuit issue per se...
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2022-09-30T05:24:47.31+00:00

Yes.

Apologies on the confusion.
I have provided an answer addressing this.

Cheers,
Kapil

----------------------------------------------------------------------------------------------------------------

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Answer 1

Hi @Ryan Williams ,

My sincere apologies.
I was providing you instructions referring to Azure ExpressRoute Peering.
i.e, Microsoft.Network/expressRouteCircuits

It appears you have been using Microsoft.Peering/peerings all along.

Refer : Azure Peering Service overview | Microsoft Learn

I am afraid Peering services are not supported in Community as of now.
So, I would request you to create a support ticket with Azure to have a deeper investigation of this issue.

Please feel free to let us know should you require additional details.

Thanks,
Kapil

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Answer 2

Ryan Williams 6

For those looking at this thread later, it turns out MS does not support MD5 on these peering connections. This is unfortunate bc MD5 based auth is a very basic and industry standard method for securing these BGP sessions. We would like to see this option supported in the future. https://learn.microsoft.com/en-us/azure/internet-peering/policy

KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2022-10-17T07:09:22.607+00:00

Hi @Ryan Williams ,

Thanks for keeping the thread updated.

Cheers,
Kapil

Share via

BGP MD5 Auth on Peering Setup in Azure Portal

2 answers

Your answer