We've deployed AWS to Azure redundant VPN connection according to article ( https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-aws-bgp ) using active-active VPN gateway. All tunnels are coming up as decribed in the article. There are two site-to-site connections on the AWS side. Each of this connection showing 0 BGP routes via "Tunnel2". Both Tunnel1 are learing routes correctly on AWS. After checking advertised routes (Azure VPN Gateway - BGP Peers), we've noticed routes sent towards peers are using next-hop from different peer (for example routes advertised to peer 169.254.21.5 have next-hop 169.254.21.2, which is different peer from different /30 subnet). Normally I would expect these routes to have the next-hop of sending interface (next-hop self) which is 169.254.21.6 in this case. When we tried to disable both connections via Tunnel1, the connectivity is broken. Is there any way to correct or workaround this behaviour?

@Miroslav_ngena Thank you for reaching out to Microsoft Q&A. I understand that you are having issues with S2S VPN connection between Azure and AWS where for 2 of the redundant connections, Tunnel 2 shows 0 BGP routes. This seems like a configuration issue to me where the BGP peer addresses may not have been configured correctly. Can you please re-check the same especially this part: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-aws-bgp#-create-connections If possible, please share the details of your configuration either in a file or snapshots so I can verify further. Thank you!

VPN connection on AWS side shows 0 BGP learned routes from Azure VPN gateway

Accepted answer

SaiKishor-MSFT 17,221 Reputation points

2022-03-03T23:49:00.27+00:00

@Miroslav_ngena Thank you for reaching out to Microsoft Q&A. I understand that you are having issues with S2S VPN connection between Azure and AWS where for 2 of the redundant connections, Tunnel 2 shows 0 BGP routes.

This seems like a configuration issue to me where the BGP peer addresses may not have been configured correctly. Can you please re-check the same especially this part: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-aws-bgp#-create-connections

If possible, please share the details of your configuration either in a file or snapshots so I can verify further. Thank you!
Please sign in to rate this answer.
snadhazi_ng 106 Reputation points

2022-03-04T10:28:07.287+00:00

@ SaiKishor-MSFT Thank you for your support. I am a colleague of @Miroslav_ngena and I am providing the requested information. As mentioned, all 4 tunnels are UP but in case of the second tunnel for each connection, no BGP prefixes are passed. We believe the reason for this is that for example in the routes advertised to 169.254.21.5 (169.254.21.4/30) there is a BGP next-hop for 169.254.21.2 (169.254.21.0/30) which is in another subnet! This next hop parameter is automatically set and we don't see options to modify it.

Please see attached an example configuration and let me know if you need something else.

180063-aws-azure.txt

SaiKishor-MSFT 17,221 Reputation points

2022-03-04T19:47:12.373+00:00

Thanks for sharing. QQ here, why are the IPs shown in the above snapshot different from the ones shared in the .txt file? Are we talking about the same VPN here or did something change?

Outside IPs as shown in the above snapshot- 13.36.60.139 & 13.37.148.251 and as shown from the .txt file are 13.48.0.145 & 13.49.48.162. Please let me know. Thank you!

snadhazi_ng 106 Reputation points

2022-03-07T06:51:19.947+00:00

Hi @SaiKishor-MSFT , thank you for your continuous support on this, we really appreciate your help.

Please disregard the actual IP address (especially the public) in the two examples as they are not relevant I believe. We have done multiple different tests and the public IP changes by default, and in some other cases we changed the APIPA IP as well to see if it makes a difference.

Could we please focus on why the next-hop points to another subnet 169.254.21.2 (169.254.21.0/30) in the routes advertised to 169.254.21.5 (169.254.21.4/30) ? The same can be observed if you use different Azure supported APIPA address (169.254.20.x/24 or 169.254.21.x/24). I believe if the configuration (that we can manipulate) would not be correct, then BGP sessions would not even establish in the first place. We have all 4 sessions up, but two won't pass any routes and we believe it is because the above mentioned next-hop (which we can't seem to be able to modify anywhere) issue.

SaiKishor-MSFT 17,221 Reputation points

2022-03-07T19:44:25.337+00:00

@snadhazi_ng Thank you! This seems like a configuration issue to me. Since I do not have access to more data, I would encourage you to reach out to Azure Support directly regarding this so you can have a live troubleshooting session with them regarding this.

If you do not already have a support contract, please send mail to AzCommunity [at] microsoft dot com with subject: "ATTN: Sai Kishor" include your Azure subscription ID and a link to this forum thread (for context). We would like to enable one time free technical support on your subscription to put you through Azure backup technical support team to get quick resolution to your issue. Thank you!

snadhazi_ng 106 Reputation points

2022-03-08T09:27:17.787+00:00

Hi @SaiKishor-MSFT , thank you for your support. We will try to open a ticket with Azure Support via our official channels and link this thread. In case that won't work for some reason I will get back to you for that one time free technical support that you mentioned!

SaiKishor-MSFT 17,221 Reputation points

2022-03-10T02:11:27.733+00:00

Please do share the support ticket with me so I can follow the case as well. I would appreciate your update. Thank you!

Miroslav_ngena 21 Reputation points

2022-03-11T14:10:02.537+00:00

@SaiKishor-MSFT
It was indeed configuration issue. We fixed it by enabling "Custom BGP Addresses" and selecting the correct Custom BGP Address on VPN connections towards AWS Tunnel2 peers.

As we are planning to automate this - is there possibility to update this configuration via AZ CLI?

Thank you for support.

SaiKishor-MSFT 17,221 Reputation points

2022-03-17T20:41:42.693+00:00

@Miroslav_ngena Thank you for updating me. I will update you soon regarding the AZ CLI commands for Custom BGO addresses. I appreciate your patience in the meanwhile. Thank you!
Sign in to comment

Share via

VPN connection on AWS side shows 0 BGP learned routes from Azure VPN gateway

0 additional answers