Deploy Dynamic Routing (BGP) between Azure VPN and Third-Party Firewall (Palo Alto)

Microsoft

Overview

This blog explains how to deploy dynamic routing (BGP) between Azure VPN and a third-party firewall. You can refer to this topology and deployment guide whenever you need VPN connectivity between an on-premises third-party VPN device and Azure VPN, or any other cloud environment.


What is BGP?

Border Gateway Protocol (BGP) is a standardized exterior gateway protocol used to exchange routing information across the internet and between different autonomous systems (AS). It is the protocol that makes the internet work by enabling data routing between different networks. Here are some key points about BGP:

  1. Routing Between Autonomous Systems: BGP is used for routing between large networks that are under different administrative control, known as autonomous systems (AS). Each AS is assigned a unique number.

  2. Path Vector Protocol: BGP is a path vector protocol, meaning it maintains the path information that gets updated dynamically as routes are added or removed. This helps in making routing decisions based on path attributes.

  3. Scalability: BGP is designed to handle a large number of routes, making it highly scalable for use on the internet.

  4. Policy-Based Routing: BGP allows network administrators to set policies that can influence routing decisions. For example, administrators can prefer certain routes over others based on specific criteria such as path length or AS path.

  5. Peering: BGP peers are routers that establish a connection to exchange routing information. Peering can be either internal (within the same AS) or external (between different ASes).

  6. Route Advertisement: BGP advertises routes along with various attributes such as AS path, next hop, and network prefix. This helps in making informed decisions on the best route to take.

  7. Convergence: BGP can take some time to converge, meaning to stabilize its routing tables after a network change. However, it is designed to be very stable once converged.

  8. Use in Azure: In Azure, BGP is used to facilitate dynamic routing in scenarios like connecting Azure VNets to on-premises networks via VPN gateways. This dynamic routing allows for more resilient and flexible network designs.

Switching from static routing to BGP for your Azure VPN gateway will enable dynamic routing, allowing the Azure network and your on-premises network to exchange routing information automatically, leading to potentially better failover and redundancy.


Why BGP?

BGP is the standard routing protocol commonly used on the Internet to exchange routing and reachability information between two or more networks. In the context of Azure Virtual Networks, BGP enables the Azure VPN gateways and your on-premises VPN devices, called BGP peers or neighbors, to exchange routes that tell each gateway which prefixes are reachable through the other gateway or router. BGP can also enable transit routing among multiple networks by propagating the routes a BGP gateway learns from one BGP peer to all of its other BGP peers.


Diagram: BGP Between Azure VPN and Third-Party Firewall

Pre-Requisite

  • Firewall Network: Firewall with three interfaces (Public, Private, Management). In this lab, a VM-Series Palo Alto firewall is used.

  • Azure VPN Network: Test VM, Gateway Subnet
  • Test Network Connected to Firewall Network: Azure VM with a UDR pointing to the firewall's internal interface. The test network should be peered with the firewall network.

Configuration

Part 1: Configure Azure VPN with BGP enabled

  •  Create Virtual Network Gateway from marketplace
  1. Provide Name, Gateway type (VPN), VPN SKU, VNet (with dedicated Gateway Subnet), Public IP
  2. Enable BGP and provide AS number
  3. Create

Note: Azure will auto-provision a local BGP peer with an IP address from the Gateway Subnet. After deployment the configuration will look similar to the screenshot below. Make a note of the Public IP and the generated BGP Peer IP; both are needed when configuring the VPN at the remote end.

  • Create Local Network Gateway

The Local Network Gateway represents the firewall's VPN network configuration; this is where you provide the remote side's parameters.

  1. Provide Name, Remote peer Public IP
  2. In the Address space, specify the remote BGP peer IP as a /32 (the Router ID in the case of Palo Alto).
  3. Note that if you are configuring static routing instead of dynamic routing, you would have to list here every remote network range that should communicate through the VPN; BGP makes this much simpler.
  4. In the Advanced tab, enable BGP and provide the remote ASN and BGP peer IP
  5. Create

  • Create Connections with default crypto profile

Once the VPN Gateway and the Local Network Gateway have been provisioned, you can build the connection, which represents the IPsec and IKE configuration.

  1. Go to VPN GW and under Settings, Add Connection
  2. Provide Name, VPN Gateway, Local Network Gateway, Pre-Shared Key
  3. Enable BGP
  4. If Required, Modify IPsec and IKE Crypto setting, else leave it as default
  5. Create

This completes the Azure-side configuration; now we can move to the firewall side.


Part 2: Configure Palo Alto Firewall VPN with BGP enabled

  • Create IKE Gateway with default IKE Crypto profile
  1. Provide IKE Version, Local VPN Interface, Peer IP, Pre-shared key

  • Create IPsec Tunnel with default IPsec Crypto profile
  1. Create Tunnel Interface
  2. Create IPsec Tunnel: provide the tunnel interface, IPsec Crypto profile and IKE Gateway

Since this is a route-based VPN, the tunnel interface is required: traffic that needs to be encrypted is routed into it.

IPsec Tunnel

With this configuration in place, the tunnel should come up.

Tunnel UP status in Palo Alto

Tunnel UP status in Azure VPN Gateway connection

Now finish the remaining BGP configuration.

  • Configure a loopback interface to represent the BGP virtual router. We used 10.0.17.5 for this interface, a free IP from the public subnet.

Loopback Interface

  • Configure virtual router Redistribution Profile
  1. Configure the Redistribution Profile as below; it controls which routes are redistributed to the BGP peer routers

  • Enable BGP and configure local BGP and peer BGP parameters
  1. Provide Router ID, AS number
  2. Make sure to enable Install Route Option

  • Configure an EBGP Peer Group and Peer with the local BGP peer IP, the remote (Azure) BGP peer IP and the remote (Azure) BGP ASN.

  • Also specify the Redistribution profile; enable Allow Redistribute Default Route if you need to propagate the default route to the BGP peer router

  • Create a static route for the Azure BGP peer, 10.0.1.254/32, via the tunnel interface

  • Commit changes
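A session that refuses to come up after the commit is almost always a swapped ASN, a peer IP that is not inside the Local Network Gateway address space, or a missing /32 route to Azure's BGP peer. The following is an added example, not part of this blog, that cross-checks the Part 1 and Part 2 parameters against each other before you commit; the AzureSide/PaloAltoSide structures and the firewall ASN 65010 are assumptions, while the peer IPs are the ones used in this lab.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class AzureSide:
    """Part 1 parameters: the virtual network gateway (VNG) and the Local Network Gateway (LNG)."""
    gateway_asn: int          # ASN given when the VNG was created
    gateway_bgp_peer_ip: str  # BGP peer IP Azure auto-provisioned from the Gateway Subnet
    lng_address_space: list   # LNG address space; for BGP this is the remote peer /32
    lng_asn: int              # remote ASN from the LNG Advanced tab
    lng_bgp_peer_ip: str      # remote BGP peer IP from the LNG Advanced tab

@dataclass
class PaloAltoSide:
    """Part 2 parameters: loopback/router ID, BGP settings and static routes."""
    router_id: str            # loopback IP used as the BGP router ID
    local_asn: int
    peer_ip: str              # Azure BGP peer IP configured on the EBGP peer
    peer_asn: int             # Azure ASN configured on the EBGP peer
    install_route: bool
    static_routes: dict = field(default_factory=dict)  # prefix -> egress interface

def check_bgp_pairing(az: AzureSide, pa: PaloAltoSide) -> list:
    """Return human-readable mismatches; an empty list means both sides agree."""
    problems = []
    if pa.peer_asn != az.gateway_asn:
        problems.append(f"firewall peer ASN {pa.peer_asn} != Azure gateway ASN {az.gateway_asn}")
    if az.lng_asn != pa.local_asn:
        problems.append(f"LNG ASN {az.lng_asn} != firewall local ASN {pa.local_asn}")
    if az.gateway_asn == pa.local_asn:  # EBGP peering: the two ASNs must differ
        problems.append("both sides use the same ASN; EBGP requires distinct ASNs")
    if pa.peer_ip != az.gateway_bgp_peer_ip:
        problems.append(f"firewall peer IP {pa.peer_ip} != Azure BGP peer IP {az.gateway_bgp_peer_ip}")
    if az.lng_bgp_peer_ip != pa.router_id:
        problems.append(f"LNG BGP peer IP {az.lng_bgp_peer_ip} != firewall router ID {pa.router_id}")
    if not any(ip_address(az.lng_bgp_peer_ip) in ip_network(p) for p in az.lng_address_space):
        problems.append(f"LNG address space {az.lng_address_space} does not cover {az.lng_bgp_peer_ip}")
    # Azure's peer IP is reachable only through the tunnel, hence the /32 static route in Part 2.
    if not pa.static_routes.get(f"{az.gateway_bgp_peer_ip}/32", "").startswith("tunnel"):
        problems.append(f"no static route for {az.gateway_bgp_peer_ip}/32 via a tunnel interface")
    if not pa.install_route:
        problems.append("Install Route is disabled; learned prefixes will not reach the forwarding table")
    return problems

# Constructed sample: peer IPs from the blog; 65515 is Azure's default VPN gateway ASN, 65010 a made-up firewall ASN.
AZURE = AzureSide(65515, "10.0.1.254", ["10.0.17.5/32"], 65010, "10.0.17.5")
PALO = PaloAltoSide("10.0.17.5", 65010, "10.0.1.254", 65515, True, {"10.0.1.254/32": "tunnel.1"})
```

Run `check_bgp_pairing(AZURE, PALO)` with your own values filled in; an empty list means the two sides are consistent.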

Test Results

Now we can test connectivity; the necessary NAT rules and default route have already been configured on the firewall. The propagated routes can be seen on both the Azure VPN gateway and the Palo Alto firewall.

FW NAT

Name            Src Zone  Dst Zone  Destination Interface  Destination Address       Service  NAT Action
nattovm1        any       Untrust   any                    untrust_interface_pub_ip  3389     DNAT to VM1 IP
nattovm2        any       Untrust   any                    untrust_interface_pub_ip  3000     DNAT to VM2 IP
natto internet  any       Untrust   ethernet1/1            default 0.0.0.0/0                  SNAT to Eth1/1

  • Static Route configured:

  • Azure VPN GW Connection Status and Propagated routes

  • Azure Test VM1 (10.0.0.4) Effective routes

  • Palo Alto BGP Summary

  • Palo Alto BGP connection status

  • Palo Alto BGP Received Route

  • Palo Alto BGP Propagated Route

  • Final Forwarding table

Ping and trace results from Test VM1 to Test VM2

Conclusion:

BGP simplifies route advertisement. There are many more BGP configuration options that can be tuned for smooth routing, and BGP also enables automatic redundancy and high availability. Hence, it is always recommended to configure BGP for production-grade complex networking.
