How to set up a BGP VPN connection with Azure Virtual WAN (lessons learned)

For the last few weeks I've been busy setting up an Azure Virtual WAN environment with multiple VPN connections. One of them is a highly available VPN with a BGP connection to a FortiGate firewall. Since this FortiGate firewall is hosted by a third party, I don't have any screenshots or configuration from the FortiGate side. This article was written to create awareness of the points that need special attention in Azure, and how to deal with them.

Before we continue, I assume you have some experience setting up VPN connections with Azure Virtual WAN, and that a Virtual WAN with a hub (and a site-to-site VPN gateway deployed in that hub) already exists. We will start from the hub.

STEP 1: Create the VPN site

From the virtual hub, go to VPN (Site to site) and click Create new VPN site.

On the next page, select the subscription, resource group, region, name and device vendor. The private address space can be left empty: with BGP the on-premises prefixes are learned from the peer, so no static address space is needed.

Now fill in the following fields, creating one link per firewall node:

  • Link name: the name of the link. It does not have to be unique per connection, but NAT rules are bound to a specific link by name, so if you want to apply NAT rules to a specific VPN connection the name has to be unique. My recommendation is to use unique names across all your VPN connections.
  • Link speed: the link speed in Mbps (keep the throughput of the gateway scale unit in mind).
  • Link provider name: the vendor of the device at the other end of the VPN.
  • Link IP address: the public IP address of the firewall node.
  • Link BGP address: the BGP peer IP address of the firewall node.
  • Link ASN: the BGP ASN (autonomous system number, not an address) of the firewall node.

STEP 2: Set up the connection parameters

In this step we configure the connection parameters. From the virtual hub, open VPN (Site to site) and remove the filter on the VPN sites list (by default only sites already connected to this hub are shown, so the newly created site is hidden).

Now select the new VPN site and click Connect VPN sites.

Now fill in the required parameters. I've used an example set. The pre-shared key and the IKE/IPsec parameters have to match the FortiGate configuration exactly, so agree on them with the third party before you proceed.

Now continue with the configuration on the other end and make sure the connection and the connectivity status show green (the Azure portal can lag behind before it shows green).
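
The two steps above as a single Azure PowerShell script, added here as an example; it is not code from the original post. It assumes the Az.Network module, an existing Virtual WAN (vwan-prod), a hub VPN gateway (vpngw-hub-we) and a resource group (rg-vwan). All names, public IP addresses, BGP peer addresses, the ASN and the bandwidth are placeholders to replace with your own values.

```powershell
# Added example, not from the original post. Creates the VPN site with one link per
# FortiGate node and connects it to the hub VPN gateway with BGP enabled.
# Assumptions: Az.Network module, an existing Virtual WAN and hub VPN gateway.
# Every name, IP address and ASN below is a placeholder.
$rg       = "rg-vwan"
$location = "westeurope"
$vwan     = Get-AzVirtualWan -ResourceGroupName $rg -Name "vwan-prod"
$hubGw    = Get-AzVpnGateway  -ResourceGroupName $rg -Name "vpngw-hub-we"

# Step 1: one link per firewall node. Link names are unique across all sites,
# because NAT rules are bound to a link by name.
$linkParams = @{
    BgpAsn           = 65010      # ASN of the FortiGate cluster (same on both nodes)
    LinkProviderName = "Fortinet"
    LinkSpeedInMbps  = 200        # stay within the gateway scale unit throughput
}
$link1 = New-AzVpnSiteLink -Name "fgt-dc1-node1" -IpAddress "203.0.113.10" -BgpPeeringAddress "10.10.255.1" @linkParams
$link2 = New-AzVpnSiteLink -Name "fgt-dc1-node2" -IpAddress "203.0.113.11" -BgpPeeringAddress "10.10.255.2" @linkParams

# No -AddressSpace: with BGP the on-premises prefixes are learned from the peer.
$site = New-AzVpnSite -ResourceGroupName $rg -Name "site-fgt-dc1" -Location $location `
    -VirtualWan $vwan -VpnSiteLink @($link1, $link2) -DeviceVendor "Fortinet" -DeviceModel "FortiGate"

# Step 2: connection parameters, one link connection per site link. The PSK and the
# IKEv2 settings must match the FortiGate configuration exactly. Prompt for the PSK
# instead of hard-coding it in the script.
$psk = Read-Host -Prompt "Pre-shared key"
$connParams = @{
    ConnectionBandwidth       = 200
    EnableBgp                 = $true
    SharedKey                 = $psk
    VpnConnectionProtocolType = "IKEv2"
}
$lc1 = New-AzVpnSiteLinkConnection -Name "lc-fgt-dc1-node1" -VpnSiteLink $site.VpnSiteLinks[0] @connParams
$lc2 = New-AzVpnSiteLinkConnection -Name "lc-fgt-dc1-node2" -VpnSiteLink $site.VpnSiteLinks[1] @connParams

New-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $hubGw.Name -Name "conn-site-fgt-dc1" `
    -VpnSite $site -VpnSiteLinkConnection @($lc1, $lc2) | Out-Null

# Verify after the FortiGate side is configured: both link connections should report
# Connected. The portal can lag behind, so read the status from the API instead.
(Get-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $hubGw.Name -Name "conn-site-fgt-dc1").VpnLinkConnections |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

Both link connections share one site and one connection object; that is what gives you the highly available setup, since each FortiGate node terminates its own tunnel to the hub gateway.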

Custom BGP IP addresses

By default Azure assigns the BGP peer addresses of the hub VPN gateway from the hub's address space. Some devices, however, only accept BGP peer addresses in specific ranges (for example an APIPA address on the tunnel interface). If you need to use custom addresses, follow these steps.

Go to the gateway configuration of the hub VPN gateway.

Fill in the custom BGP addresses, one per gateway instance. You can choose an address in the ranges 169.254.21.0-169.254.21.255 and 169.254.22.0-169.254.22.255 (169.254.21.0/24 and 169.254.22.0/24); Azure does not accept other ranges here.

Now go to the properties of the VPN connection.

Enter the custom BGP addresses used for this connection (the ones configured on the gateway in the step above; the connection and the gateway have to reference the same addresses).

If you decide to use custom BGP addresses, make sure the other side is configured as the initiator of the BGP session, because Azure will no longer initiate any sessions.
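
The same change done with Azure PowerShell, added here as an example and not taken from the original post. It assumes the Az.Network module and the placeholder gateway, site and connection names used throughout (vpngw-hub-we, site-fgt-dc1, conn-site-fgt-dc1). The custom-BGP parameters (-BgpPeeringAddress on Update-AzVpnGateway and -VpnGatewayCustomBgpAddress on New-AzVpnSiteLinkConnection) are from my reading of the Az.Network module; check them with Get-Help before running.

```powershell
# Added example, not from the original post. Moves the hub VPN gateway and one
# existing connection to custom (APIPA) BGP addresses.
# Assumptions: Az.Network module; gateway, site and connection names are placeholders.
$rg       = "rg-vwan"
$gwName   = "vpngw-hub-we"
$siteName = "site-fgt-dc1"
$connName = "conn-site-fgt-dc1"

# Gateway configuration: one custom address per gateway instance, each taken from
# the ranges Azure accepts (169.254.21.0/24 and 169.254.22.0/24).
$custom = [ordered]@{ Instance0 = "169.254.21.5"; Instance1 = "169.254.22.5" }
$gwBgp = $custom.GetEnumerator() | ForEach-Object {
    New-AzIpConfigurationBgpPeeringAddressObject -IpConfigurationId $_.Key -CustomAddress $_.Value
}
Update-AzVpnGateway -ResourceGroupName $rg -Name $gwName -BgpPeeringAddress $gwBgp | Out-Null

# Connection properties: the link connections must reference the same addresses,
# otherwise this link keeps peering from the default hub-address-space BGP IPs.
$connBgp = $custom.GetEnumerator() | ForEach-Object {
    New-AzGatewayCustomBgpIpConfigurationObject -IpConfigurationId $_.Key -CustomBgpIpAddress $_.Value
}

# The PSK is not returned by Get-*, so it has to be supplied again when the link
# connections are rebuilt. Prompt for it rather than storing it in the script.
$site = Get-AzVpnSite -ResourceGroupName $rg -Name $siteName
$psk  = Read-Host -Prompt "Pre-shared key"
$linkConns = foreach ($i in 0..($site.VpnSiteLinks.Count - 1)) {
    New-AzVpnSiteLinkConnection -Name "lc-fgt-dc1-node$($i + 1)" -VpnSiteLink $site.VpnSiteLinks[$i] `
        -ConnectionBandwidth 200 -EnableBgp -SharedKey $psk -VpnConnectionProtocolType IKEv2 `
        -VpnGatewayCustomBgpAddress $connBgp
}
Update-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $gwName -Name $connName `
    -VpnSiteLinkConnection $linkConns | Out-Null

# With custom addresses the FortiGate has to initiate the BGP session. Show what the
# gateway now peers from, per instance, so the FortiGate side can be matched to it.
(Get-AzVpnGateway -ResourceGroupName $rg -Name $gwName).BgpSettings.BgpPeeringAddresses |
    Select-Object IpconfigurationId, DefaultBgpIpAddresses, CustomBgpIpAddresses
```

Apply the gateway change first and the connection change second, in the order the portal steps above use; the connection can only reference addresses that are already configured on the gateway.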

Troubleshooting

Once the tunnel is up and the connection shows green in the VPN overview, you may be used to pinging the BGP peer addresses from the FortiGate (or any other on-premises device) into Azure before bringing up BGP. With the classic VPN gateways the BGP addresses were pingable; with Azure Virtual WAN this is NOT always the case. So do not use a ping to the BGP addresses as a test when using Azure Virtual WAN: a failed ping does not mean the tunnel or the BGP configuration is broken. Use the BGP dashboard below instead.

BGP Dashboard

From the connection itself, you can open the BGP dashboard.

It lists the BGP peers with their status, plus the routes learned from and advertised to each peer. A peer that does not reach the Connected state while the tunnel itself is up usually points to an ASN or peer address mismatch between the two sides.
