Something I had on my to-do for a while now was to post a proof-of-concept to you guys/gals about what BGP on Azure can entail… Now some of you might go; “BGP? What the hell is that?!?”. Check out the following “CBT Micro Nugget” as it is a nice high level description of what BGP is.
So why should you care? BGP can offer you a way to deal with advanced routing paths. This in turn can deliver resiliency to your business.
This will consist of the following components ;
- Four virtual networks ; VNET001, VNET002, VNET003 & VNET004
- Each VNET will have its own VPN Gateway. We’ll enable BGP on the VPN Gateway and give it its own (unique for, and private to, our deployment) ASN & peering address. The VPN Gateway will be set to “RouteBased”-routing and we’ll use a “Standard” SKU.
- Each VPN Gateway will have two connections towards the “previous” and “next” gateway. The keys per connection pair will be set to the same key and we’ll also enable BGP on the connection.
- We’ll deploy two systems into this PoC setup
  - System001 will reside in VNET001
  - System004 will reside in VNET004
To test our setup, we’ll execute the following scenario ;
- Connect from system001 to system004 whilst our ring is complete => the green path will be followed
- Connect from system001 to system004 whilst having deleted the connections between VPNGW001 & VPNGW004 => the yellow path will be followed
First things first… Read up on the documentation 😉
- Overview of BGP with Azure VPN Gateways
- How to configure BGP on Azure VPN Gateways using Azure Resource Manager and PowerShell
- About VPN Gateway
Some important key points to remember ;
- BGP is not supported on the “Basic”-SKU
- BGP is not supported with “PolicyBased”-routing
Setting things up!
I’ve created five resource groups ;
Putting my test machines into a separate one (easy clean-up afterwards!) and each network into a separate one. The network resource group will host the VNET, VPN Gateway, public VPN Gateway IP & initiating connections.
So ensure that you have everything set up as you would in a scenario without BGP on this “ring”. Meaning that all your connections should be in a “Connected”-state before you touch BGP. 😉
Having issues getting the links connected? Nine times out of ten this will be due to mismatched shared keys (both connections of a pair must use the same secret). Though you can always debug by using the following guide!
Configuring BGP on this setup
You can follow the guide I linked earlier on by using PowerShell. As I’m a big fan of the “Azure Resource Explorer”, we’ll take the more direct route… First ensure that the Resource Explorer is set to “Read/Write” ;
Scroll down and find the BGP settings ;
Ensure that the ASN & bgpPeeringAddress are unique per gateway! If the tier is set to “Basic”, or the vpnType is set to “PolicyBased”, then you’ll get errors whilst trying to update the configuration. Adjust the settings accordingly on all VPN gateways.
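The same change done with Azure PowerShell (the Az.Network module) instead of the Resource Explorer, as an added example that is not part of the original post: it first checks the two constraints above (SKU tier and vpnType) on every gateway, sets a distinct ASN per gateway (which is how the linked Microsoft PowerShell guide enables BGP on an existing gateway), verifies that ASN and peering address are unique across the ring, and then enables BGP on both connections of every ring link, with a shared-key comparison for any link that is not “Connected”. The resource-group names (RG-VNET00x), the connection naming scheme (VPNGW001-to-VPNGW002 and so on) and the ASNs 65001–65004 are assumptions; only the gateway names come from the post.

```powershell
# Added example, not the post's own code. Assumes Az.Network is installed and
# Connect-AzAccount has been run. Resource groups, ASNs and connection names are
# constructed placeholders; gateway names VPNGW001..004 come from the post.
$ring = @(
    @{ Name = 'VPNGW001'; Rg = 'RG-VNET001'; Asn = 65001 },
    @{ Name = 'VPNGW002'; Rg = 'RG-VNET002'; Asn = 65002 },
    @{ Name = 'VPNGW003'; Rg = 'RG-VNET003'; Asn = 65003 },
    @{ Name = 'VPNGW004'; Rg = 'RG-VNET004'; Asn = 65004 }
)

# 1. Preflight: BGP needs a non-Basic SKU and RouteBased routing. Fail before
#    touching anything rather than erroring out halfway round the ring.
$gateways = foreach ($g in $ring) {
    $gw = Get-AzVirtualNetworkGateway -Name $g.Name -ResourceGroupName $g.Rg
    if ($gw.Sku.Tier -eq 'Basic') {
        throw "$($g.Name): BGP is not supported on the Basic SKU"
    }
    if ($gw.VpnType -ne 'RouteBased') {
        throw "$($g.Name): BGP requires RouteBased routing (found $($gw.VpnType))"
    }
    $gw
}

# 2. Give every gateway its own private ASN. Setting the ASN on an existing
#    gateway is the step the Microsoft PowerShell guide uses to enable BGP.
for ($i = 0; $i -lt $ring.Count; $i++) {
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateways[$i] -Asn $ring[$i].Asn | Out-Null
}

# 3. Re-read the gateways and check uniqueness. Azure picks the peering address
#    from each GatewaySubnet, so a duplicate means two VNETs overlap there.
$gateways = foreach ($g in $ring) { Get-AzVirtualNetworkGateway -Name $g.Name -ResourceGroupName $g.Rg }
$asns  = $gateways | ForEach-Object { $_.BgpSettings.Asn }
$peers = $gateways | ForEach-Object { $_.BgpSettings.BgpPeeringAddress }
if (($asns  | Select-Object -Unique).Count -ne $ring.Count) { throw "ASNs are not unique: $($asns -join ', ')" }
if (($peers | Select-Object -Unique).Count -ne $ring.Count) { throw "Peering addresses are not unique: $($peers -join ', ')" }

# 4. Enable BGP on both directions of every ring link. Each direction lives in
#    the resource group of the gateway that initiates it (constructed naming).
for ($i = 0; $i -lt $ring.Count; $i++) {
    $next = ($i + 1) % $ring.Count
    $fwd = @{ From = $ring[$i];    To = $ring[$next] }
    $rev = @{ From = $ring[$next]; To = $ring[$i] }
    foreach ($c in $fwd, $rev) {
        $connName = "$($c.From.Name)-to-$($c.To.Name)"
        $conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $c.From.Rg
        if ($conn.ConnectionStatus -ne 'Connected') {
            # Most common cause: the two directions were created with different secrets.
            $k1 = Get-AzVirtualNetworkGatewayConnectionSharedKey -Name $connName -ResourceGroupName $c.From.Rg
            $k2 = Get-AzVirtualNetworkGatewayConnectionSharedKey -Name "$($c.To.Name)-to-$($c.From.Name)" -ResourceGroupName $c.To.Rg
            if ($k1 -ne $k2) { throw "$connName: shared keys differ between the two directions" }
            Write-Warning "$connName is $($conn.ConnectionStatus) although keys match; fix the tunnel before relying on BGP"
        }
        if (-not $conn.EnableBgp) {
            Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn -EnableBgp $true | Out-Null
        }
    }
}
```

Step 4 is the one that matters for the failover test later on: with BGP enabled on the gateways but not on the connections, the ring still carries traffic over the direct tunnels, but no routes are exchanged, so nothing is learned via the long way round when a link disappears.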
Now let’s see how this one behaves… With my ring complete I’m able to access system004 from system001 ;
Now I’ve deleted my connection… and tried again. Here I experienced a connection time out… What happened? I forgot to enable BGP on my connections. So I went to enable it (as I should have), and tried again.
It takes a bit longer, as the route needs to be found. But I’m able to connect via the “orange”-path. Meaning that I went from 001 to 004 via an indirect path traversing over 002 & 003. So it works! 😀
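To see the chosen path instead of inferring it from a slow or failed connect, the gateway's own BGP tables can be read back with Azure PowerShell. This is an added example, not the author's code: it prints the peer status and the learned route for VNET004 as seen from VPNGW001, removes both directions of the 001<->004 link the way the post's test does, and prints the same tables again. The resource-group and connection names, the VNET004 address space 10.4.0.0/16, and the ASNs 65001–65004 are assumptions; with those, the direct route shows AS path 65004 and the ring-around route shows 65002 65003 65004.

```powershell
# Added example, not the post's own code. Names, address space and ASNs are
# constructed placeholders matching the earlier configuration example.
$gwName = 'VPNGW001'
$gwRg   = 'RG-VNET001'
$vnet4  = '10.4.0.0/16'   # constructed address space of VNET004

function Show-RingState {
    # Each ring neighbour of VPNGW001 should be 'Connected' with RoutesReceived > 0.
    Get-AzVirtualNetworkGatewayBgpPeerStatus -VirtualNetworkGatewayName $gwName -ResourceGroupName $gwRg |
        Select-Object Neighbor, Asn, State, ConnectedDuration, RoutesReceived |
        Format-Table -AutoSize

    # The learned route(s) for VNET004: NextHop and AsPath show which way round the ring it goes.
    Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName $gwName -ResourceGroupName $gwRg |
        Where-Object { $_.Network -eq $vnet4 } |
        Select-Object Network, NextHop, SourcePeer, AsPath, Weight |
        Format-Table -AutoSize
}

Write-Output '--- ring complete: expect AsPath 65004 (direct via VPNGW004) ---'
Show-RingState

# Reproduce the post's failure scenario: drop both directions of the 001<->004 link.
Remove-AzVirtualNetworkGatewayConnection -Name 'VPNGW001-to-VPNGW004' -ResourceGroupName 'RG-VNET001' -Force
Remove-AzVirtualNetworkGatewayConnection -Name 'VPNGW004-to-VPNGW001' -ResourceGroupName 'RG-VNET004' -Force

# BGP has to withdraw the direct route and converge on the long way round; this
# delay is the "takes a bit longer" observed in the post.
Start-Sleep -Seconds 60
Write-Output '--- direct link removed: expect AsPath 65002 65003 65004 (via VPNGW002 and VPNGW003) ---'
Show-RingState
```

If the second listing shows no route for VNET004 at all, BGP is not enabled on one of the remaining connections (the peer status will show that neighbour with RoutesReceived of 0), which is exactly the symptom behind the timeout described above.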
- After doing this PoC, I’ve learned that BGP is a good option to add resiliency & unlock more advanced networking topologies.
- Steer clear of the Basic SKU and PolicyBased routing when you want to do BGP.
- An ExpressRoute Gateway is set to PolicyBased routing and you can’t mess with the BGP settings on that one.