Multi Cloud Site to Site VPN

Question

While finding some VPN troubleshooting I found this discussion. I'm planing to complete a POC for multi cloud VPN tunnels between Azure, AWS and Google Cloud. VPN looks easy to configure without BGP (where APIPA are mentioned). I have a couple of questions may be this group can answer. At each cloud side they ask for ASN and BGP APIPA. How to get those values? Let's say if I'm setting up a VPN between Azure and AWS, then what would be the ASN at each side and what would be the BGP at each end? Also if I peer Azure with Google, again what would be the ASN and APIPA for Azure and Google cloud? I understand that some specific values are reserved for each environment . How to understand without copy and paste from online tutorials?

Answer

@Suman Bikram Singh ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know about ASN and BGP.

Note that Microsoft Q&A platform is used to discuss products and issues related to Azure. ASN and BGP are industry standards which Azure supports. I would suggest you to refer to official IANA documents and RFC for accurate and up to date information on them.

With that said,

ASN :

Autonomous System, simply put, is a large network or group of networks that has a unified routing policy.
Each AS is assigned an official number - which we call autonomous system number ASN
Every organization reserves certain ASNs for their own
- Certain ASNs reserved by Azure are
  - Public ASNs: 8074, 8075, 12076
  - Private ASNs: 65515, 65517, 65518, 65519, 65520
NOTE: You can use one of the above Private ASNs in your VPN Gateway or any one from the range of ASNs defined in Section 5 of RFC (for Private use)
When you create a VPN Gateway, you are creating it on a VNET (a Network). And when you assign an ASN to the VPN Gateway, you are actually assigning a ASN to the Network represented by the VPN Gateway

BGP :

This is a route exchange protocol. Simply put, it enables two AS to share the network address spaces for routing. (Traffic Selectors)
- From Azure perspective, this automates the role of LNG - where you are explicitly required to share the address space of the connecting party
- With BGP, you don't have to specify the remote address space manually and in the remote side you don't have to specify the Azure's address range manually.
Azure assigns a private IP address from the GatewaySubnet prefix range automatically as the Azure BGP IP address on the VPN gateway.
This remote side, talks to this IP Address to learn Azure's route and advertise their routes to Azure.
- You should be able to see it from the Portal once you enable BGP
Similarly, you will be expected to input a IP address from Remote side, to which Azure VPN Gateway can talk to learn Remote's route and advertise Azure's routes to the remote.

More information on ASN :

More information on BGP :

https://www.rfc-editor.org/rfc/rfc4271

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Tunnel	Primary Custom BGP Address	Secondary Custom BGP Address
AWS Tunnel 1 to Azure Instance 0	169.254.21.2	Not used (select 169.254.21.6)
AWS Tunnel 1 to Azure Instance 0	169.254.21.2	Not used (select 169.254.21.6)
AWS Tunnel 2 to Azure Instance 0	169.254.22.2	Not used (select 169.254.21.6)
AWS Tunnel 1 to Azure Instance 1	Not used (select 169.254.21.2)	169.254.21.6
AWS Tunnel 2 to Azure Instance 1	Not used (select 169.254.21.2)	169.254.22.

Share via

Multi Cloud Site to Site VPN

1 answer

Your answer