This chapter covers Border Gateway Protocol (BGP) configuration for Azure VPN Gateways, a critical skill for the AZ-104 exam. BGP enables dynamic route exchange and automatic failover between on-premises networks and Azure, eliminating the need for static routes. Expect 5-10% of exam questions to touch on VPN gateway BGP, including configuration steps, route propagation, and troubleshooting. Understanding BGP is essential for designing highly available hybrid networks.
Jump to a section
Imagine a postal service that delivers mail between two large corporate campuses, Campus A and Campus B. Each campus has its own internal mailroom that knows the layout of its buildings. The postal service doesn't deliver directly; instead, it uses a central hub that connects both campuses. The hub has a routing table—a big book of how to reach every building. But here's the catch: the hub doesn't just forward mail blindly. Each mailroom (campus) advertises its buildings to the hub using special forms called 'route advertisements.' These forms include the building address (network prefix) and a list of 'stops' the mail took to get there (AS path). When Campus A sends a letter to a building in Campus B, the hub checks its book, sees the best path (usually the shortest number of stops), and forwards it. If there are multiple paths with the same number of stops, the hub uses tie-breakers like 'lowest ID number' (MED, Local Preference). The hub also uses a 'keepalive' postcard every 60 seconds to confirm the mailrooms are still alive. If a mailroom stops sending postcards, the hub removes all its routes after 180 seconds (hold timer). This system prevents loops because the hub will never send a letter back to the same mailroom that already forwarded it—it checks the 'stops' list. In Azure VPN Gateway, BGP works similarly: it exchanges routes between on-premises and Azure, using the VPN tunnels as the postal routes. The gateway advertises Azure virtual network prefixes, and on-premises routers advertise their local prefixes. BGP ensures that traffic takes the best path and automatically fails over if a tunnel goes down.
What is BGP and Why Use It?
Border Gateway Protocol (BGP) is the de facto internet routing protocol (RFC 4271) used to exchange routing information between autonomous systems (AS). In Azure VPN Gateway, BGP allows dynamic exchange of routes between your on-premises network and Azure virtual networks. Without BGP, you must manually configure static routes for each network prefix, which doesn't scale and cannot automatically adapt to network changes or failures.
BGP provides several benefits: - Automatic route propagation: When you add or remove subnets in Azure, BGP automatically advertises the changes to on-premises routers. - Redundancy and failover: With multiple VPN tunnels, BGP can detect path failures via keepalive timers and switch traffic to an alternate path. - Route selection: BGP applies policies (e.g., local preference, AS path prepend) to influence which path traffic takes. - Loop prevention: BGP includes AS path information to prevent routing loops.
How BGP Works with Azure VPN Gateway
Azure VPN Gateway supports BGP for both site-to-site (S2S) and VNet-to-VNet connections. When you enable BGP, the VPN gateway becomes a BGP router. It establishes a BGP peering session with your on-premises VPN device over the IPsec tunnel. The BGP peering uses TCP port 179.
Key components: - Autonomous System Number (ASN): Azure VPN Gateway requires a unique ASN for each BGP peer. Azure uses a default ASN of 65515 for its VPN gateways, but you can assign a custom ASN (public or private) for your on-premises router. - BGP peer IP address: This is the IP address of the VPN gateway's BGP endpoint. For active-active gateways, each instance has its own BGP peer IP. - BGP peering: The VPN gateway and on-premises router exchange route information. The gateway advertises the VNet address space and any routes from connected ExpressRoute or other VPN connections. - Route propagation: BGP routes are propagated to the VNet's route table. You can see them in the effective routes for a network interface.
BGP Configuration Steps
1. Create a VPN gateway with BGP enabled: When creating the gateway, set the -EnableBgp parameter to $true.
$gw = New-AzVirtualNetworkGateway -Name 'VNet1GW' -ResourceGroupName 'RG1' `
-Location 'EastUS' -IpConfigurations $ipconfig `
-GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
-EnableBgp $true -Asn 65515Note: BGP is only supported on RouteBased VPN gateways. PolicyBased gateways do not support BGP.
2. Configure local network gateway with BGP settings: The local network gateway represents your on-premises network. You must specify the on-premises BGP peer IP and ASN.
$local = New-AzLocalNetworkGateway -Name 'OnPremGW' -ResourceGroupName 'RG1' `
-Location 'EastUS' -GatewayIpAddress '203.0.113.1' `
-AddressPrefix @('10.0.0.0/16') `
-Asn 65001 -BgpPeeringAddress '10.0.0.254' Note: The -AddressPrefix parameter is optional when using BGP because routes are exchanged dynamically. However, it's recommended to include the on-premises address space for initial routing.
3. Create a connection with BGP enabled: The connection between the VPN gateway and local network gateway must have BGP enabled.
New-AzVirtualNetworkGatewayConnection -Name 'S2SConnection' -ResourceGroupName 'RG1' `
-VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $local `
-ConnectionType IPsec -SharedKey 'abc123' -EnableBgp $trueBGP Timers and Defaults
Keepalive interval: 60 seconds (default). The router sends keepalive messages every 60 seconds to maintain the BGP session.
Hold timer: 180 seconds (default). If no keepalive or update is received within 180 seconds, the session is considered dead.
Route advertisement interval: 30 seconds for eBGP peers (default). Routes are advertised every 30 seconds to reduce churn.
Azure VPN Gateway uses these defaults. You can modify the hold timer on the on-premises router, but Azure does not allow changing it on the gateway side.
BGP Path Selection
When multiple paths exist to the same destination, BGP uses a multi-step decision process. The most important attributes for exam purposes:
Highest Weight (Cisco proprietary, not used in Azure)
Highest Local Preference: Default is 100. Higher value preferred. Azure does not set local preference by default.
Originate locally: Routes originated by the local router are preferred over learned routes.
Shortest AS path: The path with the fewest AS numbers in the AS_SEQUENCE is preferred.
Lowest origin type: IGP < EGP < incomplete.
Lowest MED (Multi-Exit Discriminator): Default is 0. Lower value preferred. MED is used when multiple entry points exist into the same AS.
eBGP over iBGP: eBGP routes are preferred over iBGP.
Lowest IGP metric to the next hop: The metric to reach the BGP next hop.
In Azure, you can influence path selection using AS path prepending (adding AS numbers to make the path longer) or by setting MED on routes advertised from on-premises.
BGP and Route Propagation
When BGP is enabled on a VPN gateway, the gateway automatically propagates BGP-learned routes to the VNet's route tables. You can see these routes in the Azure portal under 'Virtual network gateway' -> 'BGP peers' -> 'Routes'. The routes appear as 'BGP' source in effective routes.
Important: BGP routes are not automatically propagated to peered VNets unless you enable 'Allow gateway transit' on the peered VNet gateway. Even then, only static routes and BGP routes from the VPN gateway are propagated; routes from ExpressRoute are not propagated over VPN (unless using a gateway transit scenario).
BGP with Active-Active VPN Gateways
An active-active VPN gateway has two instances, each with its own public IP and BGP peer IP. This provides high availability. When configuring BGP, you must:
Create two local network gateways (one for each on-premises VPN device) or use a single local network gateway with two BGP peers (if the on-premises device supports multiple BGP sessions).
Create two connections, each from a different gateway instance to the on-premises device.
Each BGP session is independent; if one fails, traffic continues over the other.
BGP and ExpressRoute
Azure VPN Gateway can coexist with ExpressRoute in the same VNet. BGP is used for both, but they are separate routing domains. By default, Azure prefers ExpressRoute over VPN for the same prefix. This is enforced by assigning a lower local preference to VPN routes (100) compared to ExpressRoute (not set, default 100 but ExpressRoute routes are considered 'direct' and take precedence). You can override this using BGP communities or custom route tables.
Verification Commands
To check BGP status from Azure side:
# Get BGP peer status
Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName 'VNet1GW' -ResourceGroupName 'RG1'
# Get BGP learned routes
Get-AzVirtualNetworkGatewayLearnedRoutes -VirtualNetworkGatewayName 'VNet1GW' -ResourceGroupName 'RG1'
# Get BGP advertised routes
Get-AzVirtualNetworkGatewayAdvertisedRoutes -VirtualNetworkGatewayName 'VNet1GW' -ResourceGroupName 'RG1' -Peer '10.0.0.254'From Azure portal, you can view BGP status under the VPN gateway's 'BGP peers' blade.
Troubleshooting BGP Issues
Common BGP issues: - BGP session not establishing: Check that the on-premises VPN device has the correct BGP peer IP (the gateway's BGP IP, not the public IP). Also ensure firewall allows TCP 179. - Routes not propagating: Verify that BGP is enabled on both the gateway and the connection. Check that the on-premises router is advertising the correct prefixes. - Route flapping: Frequent route updates can cause instability. Check for inconsistent network configurations or timers. - ASN mismatch: The on-premises ASN must match what is configured in the local network gateway.
BGP with VNet-to-VNet Connections
VNet-to-VNet connections can also use BGP. Each VNet's gateway must have BGP enabled and use unique ASNs (private ASNs are fine). The BGP peering works similarly to S2S, but over Microsoft's backbone instead of the internet.
BGP Communities
Azure supports BGP communities (RFC 1997) to tag routes. For example, ExpressRoute uses community values to indicate the region. VPN Gateway does not support custom community configuration, but it respects communities received from on-premises.
Summary of Key Points for Exam
BGP is only supported on RouteBased VPN gateways.
Default ASN for Azure VPN Gateway is 65515.
BGP uses TCP port 179.
Keepalive interval: 60s; Hold timer: 180s.
BGP routes are automatically propagated to the VNet route table.
Active-active gateways require two BGP sessions.
You can influence path selection with AS path prepending or MED.
BGP must be enabled on the gateway, local network gateway, and the connection.
Create VPN Gateway with BGP
When you create a RouteBased VPN gateway, you must enable BGP by setting the `-EnableBgp` parameter to `$true` and specifying an ASN. The ASN can be the default 65515 or a custom private ASN (64512-65534) or public ASN. The gateway's BGP peer IP is automatically assigned from the gateway subnet. For active-active gateways, each instance gets a unique BGP peer IP. The BGP peer IP is not the same as the public IP; it's a private IP from the gateway subnet.
Configure Local Network Gateway with BGP
The local network gateway must include the on-premises BGP peer IP address and ASN. The BGP peer IP is typically a private IP on the on-premises VPN device's internal interface. The address prefix list is optional but recommended for initial routing. If you omit it, the connection may still work because BGP advertises routes dynamically, but Azure needs at least one prefix to create the connection. The on-premises ASN must be unique and match the router's configuration.
Create Connection with BGP Enabled
The connection between the VPN gateway and local network gateway must have BGP enabled using the `-EnableBgp` parameter. The connection uses IPsec as the tunnel protocol. BGP runs over the IPsec tunnel after it is established. The shared key is used for IPsec authentication, not for BGP. BGP authentication can be added separately (e.g., MD5 password) but is not required for basic operation.
Verify BGP Session Establishment
After the connection is established, the BGP session should come up within a few seconds. Use `Get-AzVirtualNetworkGatewayBGPPeerStatus` to check the status. The state should be 'Connected'. The session uses TCP port 179. If the session does not establish, check that the on-premises router can reach the gateway's BGP IP (not public IP) over the tunnel. Also verify that the AS numbers match and that the hold timer is consistent (default 180s).
Verify Route Exchange
Use `Get-AzVirtualNetworkGatewayLearnedRoutes` to see routes learned from on-premises via BGP. Use `Get-AzVirtualNetworkGatewayAdvertisedRoutes` to see routes the gateway is advertising to the on-premises peer. The gateway advertises the VNet address space and any routes from other connections (e.g., ExpressRoute or other VPNs) if 'Use Remote Gateway' is configured. Verify that the on-premises router receives the Azure routes and that Azure receives the on-premises routes.
Scenario 1: Multi-Site Hybrid Network with Redundancy
A global enterprise has headquarters in New York and a disaster recovery site in Chicago. They want to connect both sites to Azure East US and Azure West US using two VPN gateways. Each on-premises site has two VPN devices (active-active). BGP is configured on each VPN gateway with ASN 65515. On-premises routers use ASN 65001 for NY and 65002 for Chicago. Each on-premises router establishes a BGP session with both Azure gateways. BGP advertises the on-premises prefixes (e.g., 10.1.0.0/16 for NY, 10.2.0.0/16 for Chicago). Azure advertises VNet prefixes. If the primary tunnel from NY to East US fails, BGP automatically withdraws the routes, and traffic goes through the secondary tunnel to West US. To prefer the local Azure region, on-premises routers use AS path prepending on the backup path (e.g., prepend AS 65001 twice to make the path longer). This ensures traffic uses the shortest AS path. Common misconfiguration: forgetting to enable BGP on the connection itself, which results in no BGP session even if the gateway is BGP-enabled.
Scenario 2: ExpressRoute and VPN Backup
A company uses ExpressRoute for primary connectivity to Azure. They set up a VPN gateway as a backup. BGP is used on both connections. The ExpressRoute circuit advertises the same on-premises prefixes as the VPN. Azure prefers ExpressRoute over VPN because ExpressRoute routes are considered 'direct' (lower administrative distance). However, BGP local preference can be used to override this. In production, the network engineer configures the VPN gateway to prepend its AS number multiple times to ensure that VPN routes have a longer AS path, making ExpressRoute preferred. If ExpressRoute fails, BGP withdraws those routes, and the VPN routes become active. The failover time is determined by BGP timers (hold timer 180s) or BFD (if configured on ExpressRoute). A common mistake is assuming that Azure automatically fails over between ExpressRoute and VPN without BGP path selection tuning.
Scenario 3: VNet Peering with Gateway Transit
An organization has a hub VNet with a VPN gateway and multiple spoke VNets peered to the hub. The spoke VNets need to communicate with on-premises networks. The hub VPN gateway has BGP enabled. On-premises routes are propagated to the hub VNet route table. For spoke VNets to receive these routes, the peering must have 'Allow gateway transit' enabled on the hub side and 'Use remote gateway' on the spoke side. BGP routes are then propagated to the spoke VNets. However, spoke VNets cannot advertise their own routes to on-premises via the hub gateway unless they use a VPN gateway in the spoke. The exam tests this limitation: gateway transit only propagates routes from the hub gateway to spokes, not the other way around.
What AZ-104 Tests
AZ-104 objective 4.4 'Configure virtual network peering' includes BGP configuration for VPN gateways. Specific sub-objectives: 'Configure BGP for VPN gateways', 'Verify BGP status', 'Troubleshoot BGP issues'. Expect 1-2 questions directly on BGP configuration steps, and 2-3 questions on route propagation and path selection.
Common Wrong Answers
'BGP is supported on PolicyBased VPN gateways' – WRONG. BGP is only supported on RouteBased VPN gateways. PolicyBased gateways use static routes and do not support dynamic routing.
'The BGP peer IP is the public IP of the VPN gateway' – WRONG. The BGP peer IP is a private IP from the gateway subnet, not the public IP. The public IP is used for IPsec tunnel establishment.
'BGP must be enabled on the connection only, not the gateway' – WRONG. BGP must be enabled on the gateway, the local network gateway, and the connection. Missing any one of these will prevent BGP from working.
'BGP routes are automatically propagated to peered VNets' – WRONG. By default, BGP routes are not propagated to peered VNets. You must enable 'Allow gateway transit' on the hub and 'Use remote gateway' on the spoke.
Numbers and Values to Memorize
Default ASN for Azure VPN Gateway: 65515
BGP TCP port: 179
Keepalive interval: 60 seconds
Hold timer: 180 seconds
BGP is only for RouteBased gateways (not PolicyBased)
Private ASN range: 64512-65534
Edge Cases
Active-active gateways: Each instance has its own BGP peer IP. You must configure two BGP sessions, one for each instance. If you only configure one, only that instance is used.
BGP with VNet-to-VNet: Each VNet gateway must have a unique ASN. You cannot use the same ASN for both.
BGP over ExpressRoute: VPN and ExpressRoute can coexist. Azure prefers ExpressRoute by default due to lower administrative distance. You can influence this with AS path prepending.
Route propagation from VPN to ExpressRoute: Not possible directly. They are separate routing domains.
How to Eliminate Wrong Answers
If a question asks about BGP configuration, look for keywords: 'RouteBased', 'EnableBgp', 'ASN'. If the answer mentions PolicyBased, eliminate it. If it says 'public IP' for BGP peer, eliminate it. If it says 'BGP is enabled only on the connection', eliminate it. For route propagation questions, remember that BGP routes are only propagated to peered VNets if gateway transit is enabled. The exam loves to test this nuance.
BGP is only supported on RouteBased VPN gateways, not PolicyBased.
Default ASN for Azure VPN Gateway is 65515.
BGP uses TCP port 179; keepalive interval 60s, hold timer 180s.
BGP must be enabled on the gateway, local network gateway, and connection.
BGP peer IP is a private IP from the gateway subnet, not the public IP.
Active-active gateways require two BGP sessions (one per instance).
BGP routes are not automatically propagated to peered VNets; use gateway transit.
Azure prefers ExpressRoute over VPN for same prefix by default.
AS path prepending can influence route selection (longer path = less preferred).
BGP is used for both site-to-site and VNet-to-VNet connections.
These come up on the exam all the time. Here's how to tell them apart.
BGP on VPN Gateway
Dynamically exchanges routes with on-premises routers
Automatically adapts to network changes (add/remove subnets)
Supports automatic failover via BGP timers
Requires BGP configuration on gateway, local gateway, and connection
Scales well for large networks with many prefixes
Static Routes on VPN Gateway
Requires manual configuration of all routes
Does not adapt to changes; must update routes manually
No automatic failover; requires manual intervention or separate monitoring
Simpler to configure for small networks with few prefixes
Does not scale; management overhead increases with network size
Mistake
BGP can be used with PolicyBased VPN gateways.
Correct
BGP is only supported on RouteBased VPN gateways. PolicyBased gateways use static routes and do not support dynamic routing protocols like BGP.
Mistake
The BGP peer IP address is the public IP of the VPN gateway.
Correct
The BGP peer IP is a private IP address from the gateway subnet. The public IP is used for the IPsec tunnel, not for BGP peering. The on-premises router must reach this private IP over the tunnel.
Mistake
Enabling BGP on the gateway automatically enables it on all connections.
Correct
BGP must be enabled separately on the gateway, the local network gateway, and the connection. Missing any one of these will prevent BGP from working.
Mistake
BGP routes are automatically propagated to all peered VNets.
Correct
By default, BGP routes are not propagated to peered VNets. You must enable 'Allow gateway transit' on the hub VNet's gateway and 'Use remote gateway' on the spoke VNet's peering.
Mistake
BGP session uses UDP port 179.
Correct
BGP uses TCP port 179. It requires a reliable transport for route updates.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes. BGP must be enabled on the VPN gateway when it is created (using -EnableBgp $true), on the local network gateway (specifying ASN and BGP peer IP), and on the connection (using -EnableBgp $true). If any of these is missing, BGP will not work. The exam often tests that all three components need BGP enabled.
The default ASN is 65515. You can change it to a custom private ASN (64512-65534) or a public ASN if needed. For VNet-to-VNet connections, each gateway must have a unique ASN.
No. BGP is only supported on RouteBased VPN gateways. PolicyBased gateways use static routes and do not support dynamic routing protocols. This is a common exam trap.
Use the PowerShell cmdlet `Get-AzVirtualNetworkGatewayBGPPeerStatus` to see the BGP peer status. You can also use `Get-AzVirtualNetworkGatewayLearnedRoutes` and `Get-AzVirtualNetworkGatewayAdvertisedRoutes` to view routes. In the portal, go to the VPN gateway blade and select 'BGP peers'.
If no keepalive or update is received within the hold timer (default 180 seconds), the BGP session is considered dead. The router removes all routes learned from that peer and may send a notification. The session must be re-established.
Yes, but only if you enable 'Allow gateway transit' on the hub VNet's gateway and 'Use remote gateway' on the spoke VNet's peering. Without these, BGP routes are not propagated to peered VNets.
Azure prefers ExpressRoute routes over VPN routes for the same prefix because ExpressRoute is considered a direct connection with lower administrative distance. You can influence this using AS path prepending on the VPN to make its path longer.
You've just covered VPN Gateway BGP Configuration — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?