S2S VPN Between Azure VPN Gateway and On Prem Firewall (BGP) - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Saturday, October 1, 2022

S2S VPN Between Azure VPN Gateway and On Prem Firewall (BGP)

Azure VPN gateways provide cross-premises connectivity between customer premises and Azure. This post is to record some configurations during setup.

High level steps:
  1. Create a virtual network
  2. Create a VPN gateway
  3. Create a local network gateway
  4. Create a VPN connection
  5. Verify the connection


The following cross-premises virtual network gateway connections are supported:
  • Site-to-site: VPN connection over IPsec (IKE v1 and IKE v2). This type of connection requires a VPN device or RRAS. For more information, see Site-to-site.
  • Point-to-site: VPN connection over SSTP (Secure Socket Tunneling Protocol) or IKE v2. This connection doesn't require a VPN device. For more information, see Point-to-site.
  • VNet-to-VNet: This type of connection is the same as a site-to-site configuration. VNet to VNet is a VPN connection over IPsec (IKE v1 and IKE v2). It doesn't require a VPN device. For more information, see VNet-to-VNet.
  • Multi-Site: This is a variation of a site-to-site configuration that allows you to connect multiple on-premises sites to a virtual network. For more information, see Multi-Site.
  • ExpressRoute: ExpressRoute is a private connection to Azure from your WAN, not a VPN connection over the public Internet. For more information, see the ExpressRoute Technical Overview and the ExpressRoute FAQ.


  • An Azure account with an active subscription. If you don't have one, create one for free.
  • Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
  • Verify that you have an externally facing public IPv4 address for your VPN device.
  • If you're unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can over lap with the virtual network subnets that you want to connect to.


1. Create a virtual network (VNet)

2. Create a VPN gateway

The virtual network gateway uses specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.

3. Create a local network gateway

The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you'll create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

Note: If BGP is enabled, no address space is required.

4. Configure your VPN device

Site-to-site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following values:

  • A shared key. This is the same shared key that you specify when creating your site-to-site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
  • The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your VPN gateway using the Azure portal, go to Virtual network gateways, then select the name of your gateway.

To download VPN device configuration scripts:

Depending on the VPN device that you have, you may be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.

5. Create VPN connections

Create a site-to-site VPN connection between your virtual network gateway and your on-premises VPN device.

6. Verify the VPN connection

In the Azure portal, you can view the connection status of a VPN gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal menu, select All resources or search for and select All resources from any page.
  2. Select to your virtual network gateway.
  3. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
  4. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.


If you're having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.

  • Verify that you're connecting to the private IP address for the VM.

  • If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.

  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

S2S configurations can be customized in a variety of ways. For more information, see the following articles:

BGP Configuration for Azure VPN Gateway

You can mix both BGP and non-BGP connections for the same Azure VPN gateway.
First you can use your VPN Gateway for both connections: BGP and Non-BGP. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#can-i-mix-bgp-with-non-bgp-connections-for-my-azure-vpn-gateways
Now, If you use BGP for a connection, leave the Address space field empty for the corresponding local network gateway resource. Azure VPN Gateway adds a host route internally to the on-premises BGP peer IP over the IPsec tunnel.


Important configuration considerations

  • The ASN and the BGP peer IP address must match your on-premises VPN router configuration.
  • You can leave the Address space empty only if you're using BGP to connect to this network. Azure VPN gateway will internally add a route of your BGP peer IP address to the corresponding IPsec tunnel. If you're NOT using BGP between the VPN gateway and this particular network, you must provide a list of valid address prefixes for the Address space.
  • You can optionally use an APIPA IP address (169.254.x.x) as your on-premises BGP peer IP if needed. But you'll also need to specify an APIPA IP address as described earlier in this article for your VPN gateway, otherwise the BGP session can't establish for this connection.
    • The custom Azure APIPA BGP address is needed when your on premises VPN devices use an APIPA address ( to as the BGP IP. VPN Gateway will choose the custom APIPA address if the corresponding local network gateway resource (on-premises network) has an APIPA address as the BGP peer IP. If the local network gateway uses a regular IP address (not APIPA), VPN Gateway will revert to the private IP address from the GatewaySubnet range.
  • You can enter the BGP configuration information during the creation of the local network gateway, or you can add or change BGP configuration from the Configuration page of the local network gateway resource.

Virtual Network Gateway configure BGP

1. Create TestVNet1 for Azure VPN Gateway

Diagram showing settings for the virtual network gateway.

Virtual network example values:

  • Resource Group: TestRG1
  • VNet: TestVNet1
  • Location/Region: EastUS
  • Address space:,
  • Subnets:
    • FrontEnd:
    • BackEnd:
    • GatewaySubnet:

2. Create TestVNet1's VPN Gateway with BGP
  • Instance Details:

    • Name: VNet1GW
    • Region: EastUS
    • Gateway type: VPN
    • VPN type: Route-based
    • SKU: VpnGW1 or higher
    • Generation: select a generation
    • Virtual network: TestVNet1
  • Public IP address

    • Public IP address Type: Basic or Standard
    • Public IP address: Create new
    • Public IP address name: VNet1GWIP
    • Enable active-active: Disabled
    • Configure BGP: Enabled

3. Enable BGP for the Azure VPN Gateway:

  • Enter ASN # (Autonomous System Number): Default is 65515. It should be different from your BGP peer's ASN #. 
Azure virtual network gateways are assigned a default ASN of 65515. Note that a BGP-enabled connection between two network gateways requires that their ASNs be different.
  • BGP peer IP address: In this example, the GatewaySubnet is By default, Azure assigns a last private IP address from the GatewaySubnet prefix range automatically as the Azure BGP IP address on the VPN gateway.
    • This address is needed to configure your on-premises or your peer VPN device to establish BGP session with your Azure VPN gateway.

Create Local Network Gateway for your cross-premises S2S connections

To establish a cross-premises connection, you need to create a local network gateway to represent your on-premises (Peer) VPN device, and a connection to connect the Azure VPN gateway with the local network gateway.

Example Topology:
Diagram showing IPsec configuration.

Here are sample configuraiton based on above topology:
  • Name: Site5
  • IP address: The public IP address of your local gateway, which is the IP address of the on-premises gateway endpoint you want your Azure VPN gateway to connect to. Example:
  • Address spaces: If BGP is enabled, no address space is required.
  • Configure BGP settings: Yes
  • Autonomous system number (ASN): 65050
  • BGP peer IP address: The address of the on-premise VPN Device. Example: (in the following example screenshot) or (in the above example topology)

To Configure BGP on Cross-Premises S2S Connections:

Make sure selecting Enable BGP to enable BGP on this connection.

Configure Authentication Type : Pre-Shared Key (PSK)

On-premises device example configuration

For following example Topology:
Diagram showing IPsec configuration.

  • Site5 ASN            : 65050
  • Site5 BGP IP         :
  • Site5 Prefixes to announce : (for example)
  • Azure VNet ASN       : 65010
  • Azure VNet BGP IP    :  (ip from
  • Static route         : Add a route for, with nexthop being the VPN tunnel interface on your on-premises VPN device
  • eBGP Multihop        : Ensure the "multihop" option for eBGP is enabled on your device if needed

S2S BGP Example (P2S Network included) - Azure Side


Azure VPN GW Configuraiton:

BGP ASN: 65515
BGP Peer IP:

Remote Office VPN Gateway Configuration (Local Network gateway)

Local Network Gateway - Office
Define public ip and network address spaces. Forgot why I added that /32 ip. 

S2S Connection

Enabled BGP and use custom traffic selectors:

During create S2S connection, you have an option to use IKEv1 or IKEv2, and if enable BGP.
If you choose IKEv2,  you can customize IKE/IPSEC Policy. You also can choose if use policy based traffic selector:

If you choose use IKEv1, much less option we can choose:

P2S Configuration: 

Network for P2S remote clients -


BGP Peers 


BGP on VTI interface - overlapping address space. 
That is because local network gateway defined a BGP peer ip address which is overlapping with your GatewaySubnet. The Peer is using VTI interface as BGP ip. This VTI interface will has to be in same subnet with Azure VPN gateway's BGP ip. 

For example, our Azure GatewaySubnet is 10.254.1.x/24, And automatically Azure VPN gateway's BGP peer IP address is set to  

虚拟网络网关连接 /subscriptions/6276-------e/resourceGroups/SUT/providers/Microsoft.Network/connections/Verion-Eules 具有重叠地址空间。重叠地址空间前缀是

Local Network Gateway had to set BGP Peer IP as based on Peer's requirement (Verion). Then when you try to create IPSec connection using Azure VPN Gateway, this error shows up.  

The solution should be simple, which is to Using Azure Private IP Address, But it will require AZ SKUs. 
Checking this option allows you to use Azure private IPs to establish an IPsec VPN connection. Support for private IPs must be set on the VPN gateway for this option to work. It is only supported on AZ SKUs

In this case, using FortiGate to create a new VPN gateway will be a choice. 

No comments:

Post a Comment