Forum Discussion

LMR
Jan 08, 2025

BGP Routing from and to VPN Gateway

Hello All,

 

I am setting up a lab concerning vWAN connection to onprem via SDWAN and I have some issues getting the routing to work properly.

 

I have a hub which symbolizes the on-premises hub with a VPN gateway (gw-onprem) and a VM (on-prem-hubvm) deployed.
Attached to the onprem-hub is

a) on-prem spoke with a VM (on-prem VM).
b) two vnets that symbolize the sdwan. Both of which have a VPN gateway as well as one VM each deployed (gw-sd-1/2)
The SDWan Gateways are connected via s2s to two different vWAN hubs in two different locations. The vWAN has a third Hub which is not directly connected to on-prem

 

What I am trying to lab is what direction the traffic is taking from the vWAN Hubs to the last on-premises VM. The traffic currently goes all the way through the s2s VPN connection, but it gets dropped afterwards.

I am struggling to set up the routing from the SD GWs to the on-premises machine. The routing needs to work through BGP.


The goal of the Lab is to see which path to on-premises is preferred if the hub preference is AS Path (shortest BGP Path). 

BGP is enabled on all VPN Gateways
The SD GWs are peered to the onprem Hub GW but no vnet peering. 

The on-premises Vnets are peered.

Somehow the VPN Gateways are not learning the routes to on-premises. I tried pointing the way with UDRs but somehow it also isn't working.
I've tried setting up UDRs so that the traffic would be the following:

vWAN Hub -> SD GW -> SD VM -> GW-onprem (-> on-prem-hubvm) -> on-prem VM

Take this:

    1. Verify BGP Configuration:
      • Ensure that BGP is correctly configured on all VPN gateways. Check the BGP peerings and ensure that the AS numbers and IP addresses are correctly set up.
    2. Check Route Propagation:
      • Verify that the routes are being propagated correctly between the vWAN hubs and the on-premises VPN gateways. You can use the Get-AzVirtualNetworkGatewayLearnedRoute and Get-AzVirtualNetworkGatewayAdvertisedRoute cmdlets to check the learned and advertised routes.
    3. Update UDRs (User-Defined Routes):
      • Ensure that the UDRs are correctly pointing to the next hop. For example, the UDRs on the vWAN hub should point to the SDWAN gateways, and the UDRs on the SDWAN gateways should point to the on-premises VPN gateway.
    4. Enable Route Propagation:
      • Make sure that route propagation is enabled on the subnets where the VMs are deployed. This allows the routes learned via BGP to be propagated to the VMs.
    5. Check Network Security Groups (NSGs):
      • Verify that the NSGs are not blocking the traffic. Ensure that the necessary inbound and outbound rules are in place to allow the traffic to flow between the vWAN hubs, SDWAN gateways, and on-premises VMs.
    6. Use Azure Network Watcher:
      • Utilize Azure Network Watcher to diagnose and troubleshoot the network issues. You can use tools like IP flow verify, next hop, and connection troubleshoot to identify where the traffic is being dropped.
    7. Review Routing Policies:
      • Ensure that the routing policies in the vWAN hubs are correctly configured. You can set up routing intent and routing policies to control the traffic flow.
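The steps above can be walked with the Az PowerShell module. The script below is an added example written for this thread, not code posted by either participant; the resource group name, the on-prem VM subnet prefix and the NIC name are placeholders, while the gateway names gw-onprem, gw-sd-1 and gw-sd-2 are taken from the question. It checks BGP peer state (step 1), the learned and advertised routes on each gateway (step 2), and the effective routes on the on-prem VM's NIC, which is where a missing return route or disabled gateway route propagation (step 4) shows up.

```powershell
# Added example, not from the thread. Placeholders (assumed, replace with your own):
#   $rg           resource group holding the lab gateways
#   $targetPrefix subnet of the on-prem VM that the vWAN side must reach
#   $vmNic        NIC of the on-prem VM
$rg           = 'rg-lab'
$gateways     = @('gw-onprem', 'gw-sd-1', 'gw-sd-2')   # names from the question
$targetPrefix = '10.50.1.0/24'
$vmNic        = 'on-prem-vm-nic'

foreach ($gw in $gateways) {
    Write-Output "=== $gw ==="

    # Step 1: BGP peer state. Any state other than 'Connected' means no routes are exchanged,
    # usually a wrong peer IP, ASN mismatch, or TCP/179 blocked between the gateways.
    $peerStatus = Get-AzVirtualNetworkGatewayBGPPeerStatus -ResourceGroupName $rg -VirtualNetworkGatewayName $gw
    $peerStatus | Select-Object Neighbor, Asn, State, RoutesReceived | Format-Table -AutoSize

    # Step 2a: routes this gateway has learned. A row whose Network equals the on-prem prefix
    # proves the prefix reached this gateway; AsPath shows the hops it travelled, which is what
    # the "shortest AS path" hub preference in the lab will compare.
    $learned = Get-AzVirtualNetworkGatewayLearnedRoute -ResourceGroupName $rg -VirtualNetworkGatewayName $gw
    $hit = $learned | Where-Object { $_.Network -eq $targetPrefix }
    if ($hit) {
        $hit | Select-Object Network, NextHop, SourcePeer, Origin, AsPath, Weight | Format-Table -AutoSize
    } else {
        Write-Warning "$gw has NOT learned $targetPrefix"
    }

    # Step 2b: routes this gateway advertises to each BGP peer. If gw-onprem never advertises
    # the prefix, the SD gateways cannot learn it, and UDRs will not make up for that.
    foreach ($peer in $peerStatus.Neighbor) {
        $adv = Get-AzVirtualNetworkGatewayAdvertisedRoute -ResourceGroupName $rg -VirtualNetworkGatewayName $gw -Peer $peer
        $advertised = [bool]($adv | Where-Object { $_.Network -eq $targetPrefix })
        Write-Output ("  advertises {0} to {1}: {2}" -f $targetPrefix, $peer, $advertised)
    }
}

# Step 4: effective routes on the on-prem VM's NIC. Rows with Source 'VirtualNetworkGateway' are
# BGP-learned return routes towards the vWAN side. If only 'Default' and 'User' rows appear,
# gateway route propagation is disabled on the subnet's route table, so replies are dropped
# even though the forward path delivered the packet.
Write-Output "=== effective routes on $vmNic (gateway-learned only) ==="
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName $vmNic |
    Where-Object { $_.Source -eq 'VirtualNetworkGateway' } |
    Select-Object Source, State, AddressPrefix, NextHopType, NextHopIpAddress |
    Format-Table -AutoSize
```

Run it once per hop in the path from the question (vWAN Hub, SD GW, GW-onprem) and the first gateway that reports the prefix as not learned or not advertised is where the BGP chain breaks; a NIC with no `VirtualNetworkGateway` routes points at the route table rather than at BGP.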
