Jul 28 2024 11:13 AM - edited Jul 29 2024 03:19 AM
This blog explains how to deploy dynamic routing (BGP) between Azure VPN and a third-party firewall. You can refer to this topology and deployment guide in scenarios where you need VPN connectivity between an on-premises third-party VPN device and Azure VPN, or any cloud environment.
Border Gateway Protocol (BGP) is a standardized exterior gateway protocol used to exchange routing information across the internet and between different autonomous systems (AS). It is the protocol that makes the internet work by enabling data routing between different networks. Here are some key points about BGP:
Routing Between Autonomous Systems: BGP is used for routing between large networks that are under different administrative control, known as autonomous systems (AS). Each AS is assigned a unique number.
Path Vector Protocol: BGP is a path vector protocol, meaning it maintains the path information that gets updated dynamically as routes are added or removed. This helps in making routing decisions based on path attributes.
Scalability: BGP is designed to handle a large number of routes, making it highly scalable for use on the internet.
Policy-Based Routing: BGP allows network administrators to set policies that can influence routing decisions. For example, administrators can prefer certain routes over others based on specific criteria such as path length or AS path.
Peering: BGP peers are routers that establish a connection to exchange routing information. Peering can be either internal (within the same AS) or external (between different ASes).
Route Advertisement: BGP advertises routes along with various attributes such as AS path, next hop, and network prefix. This helps in making informed decisions on the best route to take.
Convergence: BGP can take some time to converge, that is, to stabilize its routing tables after a network change. However, it is designed to be very stable once converged.
Use in Azure: In Azure, BGP is used to facilitate dynamic routing in scenarios like connecting Azure VNets to on-premises networks via VPN gateways. This dynamic routing allows for more resilient and flexible network designs.
Switching from static routing to BGP for your Azure VPN gateway will enable dynamic routing, allowing the Azure network and your on-premises network to exchange routing information automatically, leading to potentially better failover and redundancy.
BGP is the standard routing protocol commonly used in the Internet to exchange routing and reachability information between two or more networks. When used in the context of Azure Virtual Networks, BGP enables the Azure VPN gateways and your on-premises VPN devices, called BGP peers or neighbors, to exchange "routes" that will inform both gateways on the availability and reachability for those prefixes to go through the gateways or routers involved. BGP can also enable transit routing among multiple networks by propagating routes a BGP gateway learns from one BGP peer to all other BGP peers.
Part 1: Configure Azure VPN with BGP enabled
Note: Azure automatically provisions a local BGP peer with an IP address from the Gateway Subnet. After deployment the configuration will look similar to the following. Make a note of the generated Public IP and BGP Peer IP; both are needed when configuring the VPN at the remote end.
The Local Network Gateway represents the firewall's VPN network configuration; this is where you provide the remote side's parameters.
Once the VPN Gateway and Local Network Gateway have been provisioned, you can create the connection, which holds the IPsec and IKE configuration.
With the Azure-side configuration complete, we can move to the firewall side.
Part 2: Configure Palo Alto Firewall VPN with BGP enabled
Since we are configuring a route-based VPN, a tunnel interface is required to route the traffic that needs to be encrypted.
With this configuration your tunnel should be UP.
Now finish the remaining BGP configuration.
Now we can test the connectivity; the necessary NAT rules and default route have already been configured on the firewall. You can see the propagated routes in both the Azure VPN gateway and the Palo Alto firewall.
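Before testing, it is worth checking that the two sides of the peering actually agree. The following added example (not code from the original post) validates the parameters most often mistyped in this design: the Azure BGP peer IP must come from the Gateway Subnet, the firewall ASN must differ from the Azure ASN and avoid Azure's reserved ASNs, the Local Network Gateway must carry the firewall's real BGP address, the firewall needs a route to the Azure peer IP over the tunnel interface, and the two address spaces must not overlap. All sample values are constructed placeholders.

```python
# Pre-flight consistency check for the Azure VPN Gateway <-> Palo Alto BGP
# peering built above. Added example, not code from the original post; every
# value in the sample dicts below is a constructed placeholder.
import ipaddress

# ASNs that Azure reserves for its own use; a BGP peer must not use them.
AZURE_RESERVED_ASNS = {8074, 8075, 12076, 65515, 65517, 65518, 65519, 65520}

def check_bgp_peering(azure, fw):
    """Return a list of problems found; an empty list means the two sides agree."""
    problems = []
    gw_subnet = ipaddress.ip_network(azure["gateway_subnet"])
    az_peer = ipaddress.ip_address(azure["bgp_peer_ip"])
    # Azure picks its BGP peer address from the Gateway Subnet; anything else is a typo.
    if az_peer not in gw_subnet:
        problems.append(f"Azure BGP peer {az_peer} is outside GatewaySubnet {gw_subnet}")
    # The design is eBGP: the ASNs must differ, and the firewall must avoid Azure's reserved ASNs.
    if fw["asn"] == azure["asn"]:
        problems.append("firewall ASN equals the Azure ASN; eBGP needs different ASNs")
    if fw["asn"] in AZURE_RESERVED_ASNS:
        problems.append(f"firewall ASN {fw['asn']} is reserved by Azure")
    # The Local Network Gateway must carry the BGP peer address the firewall actually uses.
    if azure["lng_bgp_peer_ip"] != fw["bgp_peer_ip"]:
        problems.append("Local Network Gateway BGP peer IP does not match the firewall's BGP address")
    # The Azure peer is not on-link from the firewall: the longest-matching route must use the tunnel.
    matches = [(ipaddress.ip_network(p), i) for p, i in fw["static_routes"].items()
               if az_peer in ipaddress.ip_network(p)]
    if not matches or max(matches, key=lambda m: m[0].prefixlen)[1] != fw["tunnel_iface"]:
        problems.append(f"no route sends the Azure peer {az_peer} over {fw['tunnel_iface']}")
    # Overlapping address space on the two sides would make the exchanged routes useless.
    for v in azure["vnet_prefixes"]:
        for l in fw["lan_prefixes"]:
            if ipaddress.ip_network(v).overlaps(ipaddress.ip_network(l)):
                problems.append(f"VNet prefix {v} overlaps on-premises prefix {l}")
    return problems

# Constructed sample values for one consistent deployment (65515 is Azure's default ASN).
AZURE_SIDE = {"asn": 65515, "gateway_subnet": "10.10.255.0/27", "bgp_peer_ip": "10.10.255.30",
              "lng_bgp_peer_ip": "192.168.250.1", "vnet_prefixes": ["10.10.0.0/16"]}
FIREWALL_SIDE = {"asn": 65010, "bgp_peer_ip": "192.168.250.1", "tunnel_iface": "tunnel.1",
                 "static_routes": {"10.10.255.30/32": "tunnel.1", "0.0.0.0/0": "ethernet1/1"},
                 "lan_prefixes": ["192.168.0.0/16"]}

if __name__ == "__main__":
    for p in check_bgp_peering(AZURE_SIDE, FIREWALL_SIDE) or ["no problems found"]:
        print(p)
```

Feed it the values you noted from the Azure portal and the firewall's BGP and static-route configuration; any line it prints is a mismatch to fix before the session will come up.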
FW NAT

| Name | Src Zone | Dst Zone | Destination Interface | Destination Address | Service | NAT Action |
| --- | --- | --- | --- | --- | --- | --- |
| nattovm1 | any | Untrust | any | untrust_interface_pub_ip | 3389 | DNAT to VM1 IP |
| nattovm2 | any | Untrust | any | untrust_interface_pub_ip | 3000 | DNAT to VM2 IP |
| natto internet | any | Untrust | ethernet1/1 | default | 0.0.0.0/0 | SNAT to Eth1/1 |
Ping and trace result from Test VM1 to test VM2
BGP simplifies the route advertisement process. There are many more BGP configuration options that can be tuned to keep routing running smoothly. BGP also enables automatic redundancy and high availability. Hence, it is always recommended to configure BGP for production-grade, complex networking.