Vpn BGP Peer

Question

Vpn BGP Peer

Handian Sudianto 6,726

My Azure VPN peer is 10.xx.xx.xx and 10.xxx.xx.xx

User's image

But why in the Monitor - BGP Peer the local address is 10.xxx.xx.xx and 10.xxx.xx.xx (not 10.xxx.xx.xx and 10.xxx.xx.xx)?

User's image

removed PII information

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Marcin Policht 76,075 MVP Volunteer Moderator

AFAIK, in Azure VPN Gateway with BGP enabled, the addresses you see under the Monitor - BGP Peer section represent the local IP addresses of the VPN gateway that participate in the BGP session, not the remote peer addresses.

When you configure BGP over an IPsec VPN, there are two sides: your on-premises (or remote) peer and the Azure VPN gateway. The peer addresses you mentioned, 10.201.0.4 and 10.201.0.5, are the IP addresses of your on-premises devices or the remote VPN devices. Azure assigns its own internal IPs for the VPN gateway side of the connection, which are usually the next available IPs in the subnet used for the tunnel interface. In your case, Azure chose 10.201.0.6 and 10.201.0.7 as the local BGP endpoints for the gateway, and these are the addresses used by your VPN gateway to advertise routes via BGP.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Handian Sudianto 6,726 Reputation points

2026-01-18T07:25:17.2133333+00:00

Hi.. Azure BGP ip address is 10.201.0.4 and 10.201.0.5 then the interfave ip 10.201.0.6 is paired with which peer ip, .4 or .5?
Marcin Policht 76,075 Reputation points MVP Volunteer Moderator

2026-01-18T12:29:15.64+00:00
Azure assigns one BGP interface IP per gateway instance, but the mapping to your advertised peer IPs is not one-to-one in a fixed way.

If you are using an active-active VPN gateway, Azure brings up two tunnel instances. Each instance gets its own BGP interface IP (in your case 10.201.0.6 and 10.201.0.7). You supply two on-premises BGP peer IPs (10.201.0.4 and 10.201.0.5). When the tunnels come up, Azure negotiates BGP using whichever local instance connects to whichever on-premises peer. That means 10.201.0.6 does not always map only to .4 or only to .5. Instead, each Azure BGP IP can establish a session with either of your peer IPs, depending on which tunnels succeed first and which links are active.

In steady state, you normally see two BGP sessions:

Azure instance A 10.201.0.6 peered with one of your devices (10.201.0.x)

Azure instance B 10.201.0.7 peered with the other device (10.201.0.y)

The exact pairing may swap if tunnels are reset or one device fails. Azure does not bind a specific local BGP IP permanently to a specific peer IP. It simply tries to form BGP sessions across available tunnels until two stable sessions exist.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Handian Sudianto 6,726 Reputation points

2026-01-18T13:22:34.3566667+00:00

Hi.. 10.201.0.4 and .5 is not my onprem peer ip but both ip is bgp ip from azure side. My onprem bgp ip is 10.210.0.103 and 10.210.0.203
Marcin Policht 76,075 Reputation points MVP Volunteer Moderator

2026-01-18T15:05:46.35+00:00

Apologies - clearly I misread your earlier post. When you configure an active-active VPN gateway in Azure with BGP, each tunnel on the Azure side has two sets of IPs: the BGP IP and the tunnel interface IP. The BGP IPs (10.201.0.4 and 10.201.0.5 in your case) are what Azure uses internally to identify the BGP endpoints on each VPN instance. These are the addresses advertised as the "local BGP peer" to your on-premises devices (10.210.0.103 and 10.210.0.203).

So the interface IPs you see in Monitor - BGP Peer (10.201.0.6 and 10.201.0.7) would be the actual IP addresses of the VPN gateway tunnel interfaces. Each tunnel interface is paired with one of the on-premises BGP peers for the BGP session. Typically, Azure maps them like this:

10.201.0.6 (Azure tunnel interface) ↔ 10.210.0.103 (on-prem BGP peer)

10.201.0.7 (Azure tunnel interface) ↔ 10.210.0.203 (on-prem BGP peer)

The BGP session shows your local address as the tunnel interface (10.201.0.6 / 0.7) and the peer as your on-prem BGP IP (10.210.0.103 / 0.203). The BGP IPs (10.201.0.4 / 0.5) are used internally by Azure for route advertisement but are not the interface IPs that terminate the VPN tunnel.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Handian Sudianto 6,726 Reputation points

2026-01-19T00:40:53.62+00:00

Thanks

Share via

Vpn BGP Peer

0 additional answers

Your answer