How to set up a BGP VPN connection with Azure Virtual WAN (lessons learned)
Posted On September 27, 2023
For the last few weeks I have been busy setting up an Azure Virtual WAN environment with multiple VPN connections. One of them is a highly available VPN with a BGP session to a FortiGate firewall. Since this FortiGate is hosted by a third party, I don't have any screenshots or configuration from the FortiGate side. This article was written to create awareness of the points in Azure that need special attention, and how to deal with them.
Before we continue, I assume that you have some experience setting up VPN connections with Azure Virtual WAN, and that you have already set up a Virtual WAN with a hub. We will start from the hub.
STEP 1: Create the VPN
From the virtual hub, go to VPN (Site to site) and click on Create new VPN site.
On the next page, select the Subscription, Resource group, Region, Name and Device vendor. The Private address space can be left empty.
Now fill in the following fields, creating one link per firewall node:
Link name: the name of the link. This does not need to be unique per connection; however, if you want to apply NAT rules to a specific VPN connection, it must be unique. My recommendation is therefore to use unique names across all your VPN connections.
Link speed: fill in the link speed limit (keep the gateway speed in mind).
Link provider name: fill in the name of the vendor device on the other end of the VPN.
Link IP address: the public IP address of the node.
Link BGP address: the BGP peer address of the node.
Link ASN: fill in the BGP ASN (autonomous system number) of the node.
STEP 2: Setup connection parameters
In this step we are going to configure the connection parameters. From the virtual hub, remove the following filter:
Now select the new VPN connection and click on Connect VPN sites.
Now fill in the required parameters. I have used an example set of values.
Now continue with the configuration on the other end and make sure both the connection status and the connectivity status turn green (the Azure portal may be slow to show this).
Custom BGP IP Addresses
By default, Azure provisions a BGP address from your gateway subnet. However, most devices can only work with certain ranges, so if you need to use custom addresses, follow these steps.
Go to the Gateway Configuration
Fill in the custom BGP addresses. You can choose an address in the range 169.254.21.0-169.254.21.255 or 169.254.22.0-169.254.22.255 (that is, 169.254.21.0/24 or 169.254.22.0/24).
Now go to the connection properties:
Type in the custom BGP addresses used for this connection (as configured in the step above).
If you decide to use custom BGP addresses, make sure to configure the other side as the initiator, because Azure will no longer initiate the session.
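As an added example (not from the original post, and not Microsoft's tooling), the following Python script checks a site definition against the rules from STEP 1 and from the custom BGP section before anything is typed into the portal: link names unique across all sites (needed for NAT rules), link speed within the gateway limit, a usable public link IP, a valid ASN, and any custom Azure-side BGP address inside 169.254.21.0/24 or 169.254.22.0/24 and distinct from the peer's address. The data classes, function names and sample values are my own constructs; the reserved-ASN list is my recollection of Azure's VPN Gateway BGP documentation and should be verified against the current docs.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Ranges the article gives for custom (APIPA) BGP addresses on the Azure gateway.
ALLOWED_CUSTOM_BGP_RANGES = (
    ipaddress.ip_network("169.254.21.0/24"),
    ipaddress.ip_network("169.254.22.0/24"),
)

# Ranges that can never be the public IP of a firewall node (RFC 1918, APIPA, loopback).
LINK_IP_DISALLOWED = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8",
))

# ASNs Azure reserves for its own use, as I recall them from the Azure VPN Gateway BGP FAQ
# (assumption: verify against the current documentation before relying on this list).
AZURE_RESERVED_ASNS = {8074, 8075, 12076, 65515, 65517, 65518, 65519, 65520}


@dataclass
class VpnLink:
    """One link of a VPN site, i.e. the portal fields for one firewall node (hypothetical type)."""
    name: str
    speed_mbps: int
    provider: str
    public_ip: str                          # Link IP address: public IP of the node
    bgp_address: str                        # Link BGP address: BGP peer address of the node
    asn: int                                # Link ASN: autonomous system number of the node
    azure_custom_bgp: Optional[str] = None  # custom Azure-side BGP address for this link, if used


@dataclass
class VpnSite:
    name: str
    links: list = field(default_factory=list)


def _parse_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def validate_sites(sites, gateway_speed_mbps):
    """Return a list of problems across all sites; an empty list means the definition looks sane."""
    problems = []
    seen_names = {}  # link name -> first site/link that used it
    for site in sites:
        for link in site.links:
            where = f"{site.name}/{link.name}"

            # NAT rules target a link by name, so names must be unique across all VPN sites.
            if link.name in seen_names:
                problems.append(f"{where}: link name already used by {seen_names[link.name]} "
                                f"(NAT rules need unique names)")
            else:
                seen_names[link.name] = where

            # The link speed must not exceed what the hub gateway can deliver.
            if link.speed_mbps <= 0 or link.speed_mbps > gateway_speed_mbps:
                problems.append(f"{where}: link speed {link.speed_mbps} Mbps is not positive or "
                                f"exceeds the gateway speed of {gateway_speed_mbps} Mbps")

            # The link IP is the node's public address, not its APIPA/BGP or LAN address.
            public_ip = _parse_ip(link.public_ip)
            if (public_ip is None or public_ip.version != 4
                    or any(public_ip in net for net in LINK_IP_DISALLOWED)):
                problems.append(f"{where}: link IP {link.public_ip!r} is not a usable public IPv4 address")

            bgp_peer = _parse_ip(link.bgp_address)
            if bgp_peer is None:
                problems.append(f"{where}: BGP address {link.bgp_address!r} is not a valid IP address")

            # 2-byte and 4-byte ASNs are both fine; 0 and Azure's reserved ASNs are not.
            if not 1 <= link.asn <= 4_294_967_295:
                problems.append(f"{where}: ASN {link.asn} is out of range")
            elif link.asn in AZURE_RESERVED_ASNS:
                problems.append(f"{where}: ASN {link.asn} is reserved by Azure")

            # A custom Azure-side BGP address must sit in one of the two accepted APIPA ranges
            # and must differ from the peer's BGP address.
            if link.azure_custom_bgp is not None:
                custom = _parse_ip(link.azure_custom_bgp)
                if custom is None or not any(custom in net for net in ALLOWED_CUSTOM_BGP_RANGES):
                    problems.append(f"{where}: custom BGP address {link.azure_custom_bgp!r} is outside "
                                    f"169.254.21.0/24 and 169.254.22.0/24")
                elif custom == bgp_peer:
                    problems.append(f"{where}: custom BGP address equals the peer's BGP address")
    return problems


def sample_sites():
    """Constructed example: one HA site, one link per FortiGate node, custom APIPA addresses on both."""
    return [VpnSite("fortigate-ha", [
        VpnLink("fgt-node-a", 100, "Fortinet", "203.0.113.10", "169.254.21.1", 65010, "169.254.21.2"),
        VpnLink("fgt-node-b", 100, "Fortinet", "203.0.113.11", "169.254.22.1", 65010, "169.254.22.2"),
    ])]


def sample_broken_sites():
    """Constructed example containing the mistakes the article warns about."""
    return [
        VpnSite("fortigate-ha", [
            VpnLink("link1", 100, "Fortinet", "203.0.113.10", "169.254.21.1", 65515, "169.254.23.2"),
        ]),
        VpnSite("branch", [
            VpnLink("link1", 5000, "Cisco", "169.254.21.5", "10.1.1.1", 65020, None),
        ]),
    ]


if __name__ == "__main__":
    for problem in validate_sites(sample_broken_sites(), gateway_speed_mbps=1000):
        print(problem)
```

Run it before creating the site and fix every reported line; the good sample returns no problems, while the broken sample reports the reused link name, the link speed above the gateway limit, an APIPA address entered as the public link IP, a reserved ASN and a custom BGP address outside the two allowed ranges.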
Once the connection is up and running and shows green in the VPN overview, you may be used to pinging the BGP addresses from the FortiGate (or any other on-premises device) into Azure before bringing up BGP. With the classic VPN gateways the BGP addresses used to be pingable, but with Azure Virtual WAN this is NOT always the case. So do not try to ping the BGP addresses when using Azure Virtual WAN.
From the connection itself, you can look at the BGP dashboard instead.