BGP advertisement

Question

BGP advertisement

Handian Sudianto 6,101

If i have 3 location connected to azure VPN Gateway with below details :

site1 subnet 10.100.0.0
site2 subnet 10.103.0.0
site3 subnet 10.107.0.0

On my site2 i can see routing to site1 10.100.0.0 is advertise from azure, so next hop from site2 will use azure bgp peer to reach site1.

It's normal behavior that azure will advertise subnet learned from bgp peer and forward to other peers, or i have some miss configuration?

Handian Sudianto 6,101 Reputation points

2025-03-28T07:24:38.5166667+00:00

Hi @Sai Prasanna Sinde

This mean from site2 can reach to site2 via azure bgp?
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-03-28T10:05:42.1833333+00:00

@Handian Sudianto

Can you please elaborate your question? Do you mean from site 1 to site 2?
Handian Sudianto 6,101 Reputation points

2025-03-28T12:41:11.1366667+00:00
HI @Sai Prasanna Sinde

My topology is

site1 subnet 10.100.0.0

site2 subnet 10.103.0.0

site3 subnet 10.107.0.0

Example azure send advertisement site1 (10.100.0.0) to site2 and site3, and i can see in site2 and site3 routing table destination to 10.100.0.0 is advertised by azure and set the next hop via azure bgp peer ip address.

So this mean traffic from site2 or site3 will passing thru azure bgp peer even i have direct connection from site2 or site3 to site1.

Because the next hop to 10.100.0.0 using azure bgp peer ip address, the site2 and site3 can't reach to site1. So i just want to know can we passing the traffic from site2 or site3 to site1 via azure?
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-01T09:55:20.5333333+00:00
Hi @Handian Sudianto

I apologize for the delay in my response.

Yes. The entire purpose of configuring BGP on the Azure VPN Gateway in a multi-site topology is precisely to allow traffic to transit through Azure between the connected sites.

If you want to transit via Azure, prioritize the Azure Path. Modify your BGP configuration on your on-premises routers (site1, site2, site3) so that the routes learned from Azure BGP are preferred over the routes learned via the direct connections for site-to-site traffic. You can achieve this using following techniques like:

Make the AS Path longer on the routes advertised over the direct links, making them less preferable to BGP.

Set a higher Local Preference on routes learned from the Azure BGP peer and adjust metrics if applicable.

Filter routes learned over the direct path if Azure transit is always desired.

This forces both outgoing and return traffic between sites to go via the Azure VPN Gateway, resolving asymmetry.

Double-check all firewall rules (on-prem and Azure) to ensure they explicitly allow traffic between 10.100.0.0, 10.103.0.0, and 10.107.0.0.

Use traceroute (Linux/macOS) or tracert (Windows) from a device in site2 destined for a device in site1. See where the packets stop. Do the same from site1 to site2. This will help pinpoint routing issues or firewall blocks.

Kindly let us know if the above helps or you need further assistance on this issue.
Handian Sudianto 6,101 Reputation points

2025-04-01T11:42:31.2066667+00:00

hi @Sai Prasanna Sinde

Thanks for your confirmation, so if traffic from site1 to site2 passing thru azure vpn gateway is there any extra cost for data egress and ingress?
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-02T01:26:04.0366667+00:00

@Handian Sudianto

When using Azure VPN Gateway to connect multiple sites, there are costs associated with data egress and ingress, for the Data Transfer Costs Data coming into Azure from your on-premises network (Ingress) is generally free of charge.

Data leaving Azure to your on-premises network (Egress) incurs charges. The cost depends on the amount of data transferred and the region.

It depends upon the VPN gateway type.

Please refer to this document for more clarity on how the VPN gateway pricing works based on the Availability zone selected.

You can calculate the entire cost using Azure pricing calculator.

Please take a moment to click 'Accept answer' if the above information helped you as it is beneficial for other community members facing the same issues.

If you still have questions, please let us know what is needed in the comments so the question can be answered.

Accepted answer

0 additional answers

Your answer

Handian Sudianto 6,101 Reputation points

2025-03-28T07:24:38.5166667+00:00

Hi @Sai Prasanna Sinde

This mean from site2 can reach to site2 via azure bgp?
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-03-28T10:05:42.1833333+00:00

@Handian Sudianto

Can you please elaborate your question? Do you mean from site 1 to site 2?
Handian Sudianto 6,101 Reputation points

2025-03-28T12:41:11.1366667+00:00

HI @Sai Prasanna Sinde

My topology is

site1 subnet 10.100.0.0

site2 subnet 10.103.0.0

site3 subnet 10.107.0.0

Example azure send advertisement site1 (10.100.0.0) to site2 and site3, and i can see in site2 and site3 routing table destination to 10.100.0.0 is advertised by azure and set the next hop via azure bgp peer ip address.

So this mean traffic from site2 or site3 will passing thru azure bgp peer even i have direct connection from site2 or site3 to site1.

Because the next hop to 10.100.0.0 using azure bgp peer ip address, the site2 and site3 can't reach to site1. So i just want to know can we passing the traffic from site2 or site3 to site1 via azure?
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-01T09:55:20.5333333+00:00

Hi @Handian Sudianto

I apologize for the delay in my response.

Yes. The entire purpose of configuring BGP on the Azure VPN Gateway in a multi-site topology is precisely to allow traffic to transit through Azure between the connected sites.

If you want to transit via Azure, prioritize the Azure Path. Modify your BGP configuration on your on-premises routers (site1, site2, site3) so that the routes learned from Azure BGP are preferred over the routes learned via the direct connections for site-to-site traffic. You can achieve this using following techniques like:

Make the AS Path longer on the routes advertised over the direct links, making them less preferable to BGP.

Set a higher Local Preference on routes learned from the Azure BGP peer and adjust metrics if applicable.

Filter routes learned over the direct path if Azure transit is always desired.

This forces both outgoing and return traffic between sites to go via the Azure VPN Gateway, resolving asymmetry.

Double-check all firewall rules (on-prem and Azure) to ensure they explicitly allow traffic between 10.100.0.0, 10.103.0.0, and 10.107.0.0.

Use traceroute (Linux/macOS) or tracert (Windows) from a device in site2 destined for a device in site1. See where the packets stop. Do the same from site1 to site2. This will help pinpoint routing issues or firewall blocks.

Kindly let us know if the above helps or you need further assistance on this issue.
Handian Sudianto 6,101 Reputation points

2025-04-01T11:42:31.2066667+00:00

hi @Sai Prasanna Sinde

Thanks for your confirmation, so if traffic from site1 to site2 passing thru azure vpn gateway is there any extra cost for data egress and ingress?
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-02T01:26:04.0366667+00:00

@Handian Sudianto

When using Azure VPN Gateway to connect multiple sites, there are costs associated with data egress and ingress, for the Data Transfer Costs Data coming into Azure from your on-premises network (Ingress) is generally free of charge.

Data leaving Azure to your on-premises network (Egress) incurs charges. The cost depends on the amount of data transferred and the region.

It depends upon the VPN gateway type.

Please refer to this document for more clarity on how the VPN gateway pricing works based on the Availability zone selected.

You can calculate the entire cost using Azure pricing calculator.

Please take a moment to click 'Accept answer' if the above information helped you as it is beneficial for other community members facing the same issues.

If you still have questions, please let us know what is needed in the comments so the question can be answered.

Answer 1

Hi @Handian Sudianto

The Azure VPN Gateway, when configured with BGP in a multi-site scenario, inherently advertises routes learned from one BGP peer to other connected BGP peers.

This default behavior is fundamental to enabling transit routing, which allows networks connected to the same VPN Gateway to communicate with each other seamlessly.

So, your observation that site2 is receiving a route to site1's subnet (10.100.0.0/24) advertised by the Azure VPN Gateway, with the next hop pointing to the Azure BGP peer, is indeed the normal and expected behavior in this type of configuration.

It signifies that the Azure VPN Gateway is functioning correctly by propagating the routing information learned from one connected site to another via BGP, a standard aspect of BGP transit routing in a multi-site VPN setup.

For more information, please refer the below documents:

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#bgp

https://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-howto

Kindly let us know if the above helps or you need further assistance on this issue.

Share via

BGP advertisement

0 additional answers

Your answer