Forum Discussion
Azure ExpressRoute Peering with On-Prem Firewall
Is there any way we can have ExpressRoute peer BGP directly with an on-prem firewall via a /29 subnet?
The firewall has active/standby and a VIP.
The ExpressRoute peering requires two /30s. If I have active/standby and a VIP on the firewall, how is that going to work?
2 Replies
For ExpressRoute BGP peering, the requirements are below:
• Azure requires two /30 subnets for private peering, one for the primary link and one for the secondary.
• If you reserve a /29 subnet, it gets split into two /30s:
    o First /30 → Primary BGP session
    o Second /30 → Secondary BGP session
• Each /30 provides two usable IPs:
    o First IP → Your device (firewall/router)
    o Second IP → Microsoft Enterprise Edge (MSEE) router
Please consider:
• VIPs are not supported for BGP peering with ExpressRoute. BGP requires dedicated IPs per physical/logical interface.
• You must configure BGP on each firewall node individually, not via the VIP.
• For high availability:
    o Use two physical interfaces (or logical interfaces) on the firewall, one for each /30 subnet.
    o Configure BGP sessions on both firewalls, but only the active firewall will advertise routes.
    o The standby firewall should be ready to take over and establish BGP if failover occurs.
For your situation:
• Use /29 subnet: Yes, it's valid. Azure will split it into two /30s automatically.
• Assign IPs directly to firewall interfaces, not to VIP.
• Ensure your firewall supports BGP failover and can handle dual peerings.

ahmedaljawad (Copper Contributor)
Thank you for your reply.
OK, so let's say I did all of that. Then I add the circuit to the hub. In the hub > Routing > BGP peer,
it is asking me for a VNet. I don't have a VNet for the peer; it is over the ExpressRoute.
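
The /29 split and per-link address assignment described in the first reply, written out as an added example (not part of the thread) with a pre-flight check that flags a BGP session sourced from the VIP. The 192.0.2.0/29 block and the 198.51.100.10 VIP are constructed sample values, and `plan_peering` and `check_firewall` are hypothetical helper names.

```python
import ipaddress

def plan_peering(block):
    """Split a /29 into the primary and secondary /30 and name each side's IP."""
    net = ipaddress.ip_network(block)  # strict: rejects a block with host bits set
    if net.version != 4 or net.prefixlen != 29:
        raise ValueError(f"{block} is not an IPv4 /29")
    plan = {}
    for role, sub in zip(("primary", "secondary"), net.subnets(new_prefix=30)):
        on_prem, msee = sub.hosts()  # a /30 has exactly two usable addresses
        plan[role] = {"subnet": sub, "on_prem": on_prem, "msee": msee}
    return plan

def check_firewall(plan, bgp_sources, vip):
    """Compare the local IP the firewall would source each BGP session from
    (bgp_sources: role -> IP string) with the plan; return a list of findings."""
    findings = []
    vip_addr = ipaddress.ip_address(vip)
    for role, link in plan.items():
        raw = bgp_sources.get(role)
        if raw is None:
            findings.append(f"{role}: no BGP session configured on {link['subnet']}")
            continue
        src = ipaddress.ip_address(raw)
        if src == vip_addr:
            findings.append(f"{role}: sourced from VIP {vip}; use interface IP {link['on_prem']}")
        elif src == link["msee"]:
            findings.append(f"{role}: {src} is the MSEE side of {link['subnet']}")
        elif src != link["on_prem"]:
            findings.append(f"{role}: {src} is not the on-prem IP {link['on_prem']}")
    return findings

if __name__ == "__main__":
    plan = plan_peering("192.0.2.0/29")  # constructed documentation range
    for role, link in plan.items():
        print(role, link["subnet"], "on-prem", link["on_prem"], "MSEE", link["msee"])
    # Constructed proposal: primary session bound to the VIP, secondary correct.
    proposal = {"primary": "198.51.100.10", "secondary": "192.0.2.5"}
    for finding in check_firewall(plan, proposal, vip="198.51.100.10"):
        print("FINDING:", finding)
```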