BGP Capabilities and Limitations in Azure

Introduction

Border Gateway Protocol (BGP) is a widely used routing protocol on the Internet, designed for exchanging routing and reachability information between multiple networks. In the context of Azure Virtual Networks, BGP facilitates communication between Azure VPN gateways and your on-premises VPN devices, known as BGP peers or neighbors. It allows them to share "routes," enabling both gateways to understand the availability and accessibility of network prefixes through the respective gateways or routers. Additionally, BGP supports transit routing by sharing learned routes from one BGP peer with all other connected BGP peers, enabling efficient multi-network communication.

BGP

BGP supports automatic VPN failover in Azure

If the VPN tunnel needs an automatic failover connection, for example when a customer has two internet connections over two separate links, we can create an additional connection on the Azure side using the existing virtual network gateway so that the customer's on-premises site has a redundant path. With BGP enabled on the Azure virtual network gateway, traffic is routed through the remaining tunnel if one connection goes down.

VPN connection redundancy

  1. Using AS path prepending, you can influence routing decisions between multiple connections to your on-premises sites.
  2. Azure VPN gateway will honor AS Path prepending to help make routing decisions when BGP is enabled.
  3. A shorter AS Path will be preferred in BGP path selection.

For example, if there are two separate VPN connections to your on-premises router, we can enable BGP on our VPN gateway and then advertise the primary connection address prefix with a short AS path and the secondary connection address prefix with a longer AS path.

BGP Limitations in Azure

The Azure VPN gateway using BGP automatically advertises the following routes to your on-premises devices, and these cannot be excluded.

  1. The virtual network address prefixes.
  2. Address prefixes for each Local Network Gateway connected to the Azure VPN gateway.
  3. Routes learned from other BGP peering sessions connected to the Azure VPN gateway, excluding the default route and any routes that overlap with a virtual network prefix.

There is no way to restrict advertisement to only one address prefix from Azure to on-premises. Currently there is no option to apply route filters on the Azure VPN gateway to control which IP ranges are received or advertised.

Solutions for restricting unwanted BGP advertisements

  1. The easiest way to achieve this is on the on-premises routers: apply a BGP route filter there so that only the wanted Azure prefixes are accepted.
  2. Deploy the VPN gateway directly in the spoke VNet and do not select the option to route via the remote gateway. This way only the specific VNet range is advertised to on-premises.
  3. Deploy a third-party VPN appliance (network virtual appliance) in Azure that can do route filtering.
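As an added illustration (not part of the original article and not Azure's own code), the following Python models the two points made above: BGP best-path selection preferring the shorter AS path, with failover to the prepended secondary tunnel when the primary is down, and an on-premises inbound prefix filter that drops routes the Azure gateway advertises but the site does not want. ASNs, prefixes and tunnel names are constructed placeholders.

```python
from ipaddress import ip_network

# Constructed sample: one on-prem site with two VPN tunnels to a single Azure VPN
# gateway. The gateway advertises its VNet range and every Local Network Gateway
# range it knows; the on-prem router sees each prefix once per tunnel, and the
# secondary tunnel carries a prepended AS path so it loses while both are up.
AZURE_ASN = 65515  # placeholder ASN, not a statement about any real deployment

# (prefix, as_path, tunnel) as received by the on-prem router
received = [
    ("10.1.0.0/16", [AZURE_ASN], "primary"),
    ("10.1.0.0/16", [AZURE_ASN, AZURE_ASN, AZURE_ASN], "secondary"),
    ("192.168.50.0/24", [AZURE_ASN], "primary"),      # another site's LNG range
    ("192.168.50.0/24", [AZURE_ASN, AZURE_ASN, AZURE_ASN], "secondary"),
]


def prefix_filter(routes, allowed):
    """On-prem inbound route filter: keep only routes inside an allowed range.

    This is the on-prem side of solution 1 above: Azure cannot stop advertising
    the other LNG ranges, so the receiving router discards them instead.
    """
    allowed_nets = [ip_network(a) for a in allowed]
    return [
        r for r in routes
        if any(ip_network(r[0]).subnet_of(net) for net in allowed_nets)
    ]


def best_paths(routes, up_tunnels):
    """Pick the tunnel used per prefix: skip tunnels that are down, then prefer
    the shortest AS path (the criterion AS path prepending manipulates).

    Returns {prefix: tunnel}. Real BGP evaluates several attributes before AS
    path length; only the length step matters for the failover shown here.
    """
    best = {}
    for prefix, as_path, tunnel in routes:
        if tunnel not in up_tunnels:
            continue  # route withdrawn with the failed tunnel
        current = best.get(prefix)
        if current is None or len(as_path) < len(current[0]):
            best[prefix] = (as_path, tunnel)
    return {prefix: tunnel for prefix, (_, tunnel) in best.items()}
```

With both tunnels up every prefix is reached via "primary"; taking "primary" out of the up set moves every prefix to "secondary" without any change on the Azure side.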

Summary

Most network professionals have asked me about the solution when they use BGP on Azure VPN. Here are the solution and the limitations. If you have any further questions, feel free to contact me.
