While finding some VPN troubleshooting I found this discussion. I'm planing to complete a POC for multi cloud VPN tunnels between Azure, AWS and Google Cloud. VPN looks easy to configure without BGP (where APIPA are mentioned). I have a couple of questions may be this group can answer. At each cloud side they ask for ASN and BGP APIPA. How to get those values? Let's say if I'm setting up a VPN between Azure and AWS, then what would be the ASN at each side and what would be the BGP at each end? Also if I peer Azure with Google, again what would be the ASN and APIPA for Azure and Google cloud? I understand that some specific values are reserved for each environment . How to understand without copy and paste from online tutorials?

@Suman Bikram Singh , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I understand that you would like to know about ASN and BGP. Note that Microsoft Q&A platform is used to discuss products and issues related to Azure. ASN and BGP are industry standards which Azure supports. I would suggest you to refer to official IANA documents and RFC for accurate and up to date information on them. With that said, ASN : Autonomous System, simply put, is a large network or group of networks that has a unified routing policy. Each AS is assigned an official number - which we call autonomous system number ASN Every organization reserves certain ASNs for their own Certain ASNs reserved by Azure are Public ASNs: 8074, 8075, 12076 Private ASNs: 65515, 65517, 65518, 65519, 65520 NOTE: You can use one of the above Private ASNs in your VPN Gateway or any one from the range of ASNs defined in Section 5 of RFC (for Private use) When you create a VPN Gateway, you are creating it on a VNET (a Network). And when you assign an ASN to the VPN Gateway, you are actually assigning a ASN to the Network represented by the VPN Gateway BGP : This is a route exchange protocol. Simply put, it enables two AS to share the network address spaces for routing. (Traffic Selectors) From Azure perspective, this automates the role of LNG - where you are explicitly required to share the address space of the connecting party With BGP, you don't have to specify the remote address space manually and in the remote side you don't have to specify the Azure's address range manually. Azure assigns a private IP address from the GatewaySubnet prefix range automatically as the Azure BGP IP address on the VPN gateway. This remote side, talks to this IP Address to learn Azure's route and advertise their routes to Azure. You should be able to see it from the Portal once you enable BGP Similarly, you will be expected to input a IP address from Remote side, to which Azure VPN Gateway can talk to learn Remote's route and advertise Azure's routes to the remote. More information on ASN : https://www.iana.org/assignments/as-numbers/as-numbers.xhtml https://www.rfc-editor.org/rfc/rfc6996.html More information on BGP : https://www.rfc-editor.org/rfc/rfc4271 Kindly let us know if this helps or you need further assistance on this issue. Thanks, Kapil Please don’t forget to close the thread by clicking " Accept the answer " wherever the information provided helps you, as this can be beneficial to other community members.

Multi Cloud Site to Site VPN

Accepted answer

KapilAnanth-MSFT 46,876 Microsoft Employee

@Suman Bikram Singh ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know about ASN and BGP.

Note that Microsoft Q&A platform is used to discuss products and issues related to Azure. ASN and BGP are industry standards which Azure supports. I would suggest you to refer to official IANA documents and RFC for accurate and up to date information on them.

With that said,

ASN :

Autonomous System, simply put, is a large network or group of networks that has a unified routing policy.
Each AS is assigned an official number - which we call autonomous system number ASN
Every organization reserves certain ASNs for their own
- Certain ASNs reserved by Azure are
  - Public ASNs: 8074, 8075, 12076
  - Private ASNs: 65515, 65517, 65518, 65519, 65520
NOTE: You can use one of the above Private ASNs in your VPN Gateway or any one from the range of ASNs defined in Section 5 of RFC (for Private use)
When you create a VPN Gateway, you are creating it on a VNET (a Network). And when you assign an ASN to the VPN Gateway, you are actually assigning a ASN to the Network represented by the VPN Gateway

BGP :

This is a route exchange protocol. Simply put, it enables two AS to share the network address spaces for routing. (Traffic Selectors)
- From Azure perspective, this automates the role of LNG - where you are explicitly required to share the address space of the connecting party
- With BGP, you don't have to specify the remote address space manually and in the remote side you don't have to specify the Azure's address range manually.
Azure assigns a private IP address from the GatewaySubnet prefix range automatically as the Azure BGP IP address on the VPN gateway.
This remote side, talks to this IP Address to learn Azure's route and advertise their routes to Azure.
- You should be able to see it from the Portal once you enable BGP
Similarly, you will be expected to input a IP address from Remote side, to which Azure VPN Gateway can talk to learn Remote's route and advertise Azure's routes to the remote.

More information on ASN :

More information on BGP :

https://www.rfc-editor.org/rfc/rfc4271

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Suman Bikram Singh 20 Reputation points

2024-10-14T03:39:52.5966667+00:00

Thanks for information. I found this nice document to setup Azure and AWS And if I follow the document it works as expected. Only concern is if I create another VPN site on same gateway with another cloud, VPN and BGP sessions are UP but not able to communicate with second VPN site. I'm using 169.254.21.10 and 169.254.22.14 at Azure side and 169.254.21.9 and 169.254.22.13 at another cloud. This setup enables VPN connection and BGP is also green. But unable to communicate. Is this expected behaviour or my IPs are clashing? Can we create multiple VPN in Azure Virtual WAN? Just to let you know I have 4 links in Azure to AWS as Microsoft document says and trying create another Site to site with Cloud X with 2 links. I'm using Azure Virtual WAN and Virtual hub. It means not creating 4 individual gateways. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-aws-bgp

Suman Bikram Singh 20

Tunnel	Primary Custom BGP Address	Secondary Custom BGP Address
AWS Tunnel 1 to Azure Instance 0	169.254.21.2	Not used (select 169.254.21.6)
AWS Tunnel 1 to Azure Instance 0	169.254.21.2	Not used (select 169.254.21.6)
AWS Tunnel 2 to Azure Instance 0	169.254.22.2	Not used (select 169.254.21.6)
AWS Tunnel 1 to Azure Instance 1	Not used (select 169.254.21.2)	169.254.21.6
AWS Tunnel 2 to Azure Instance 1	Not used (select 169.254.21.2)	169.254.22.

Suman Bikram Singh 20 Reputation points

2024-10-14T04:06:45.5233333+00:00

What does it say by Not used Select?
KapilAnanth-MSFT 46,876 Reputation points Microsoft Employee

2024-10-14T14:07:31.03+00:00
@Suman Bikram Singh ,

1.Is this expected behaviour or my IPs are clashing?

This is not an expected behavior

You should be able to establish as many connections as the gateway's SKU supports

However, there should not be any clashing with the IP Range of the Address space of the two clouds nor the BGP's Private IP Addresses (yours is fine)

2.Can we create multiple VPN in Azure Virtual WAN?

Yes

When you say the connection status shows as "Connected" and BGP is up

This means the S2S is successfully established

Can you please make sure there are no NSGs or Firewalls blocking the communication between Virtual Machines?

Can you please confirm you created two "Customer gateways" at the vendor side?

i.e., 4 Tunnels

Cheers,

Kapil
Suman Bikram Singh 20 Reputation points

2024-10-15T09:21:52.4966667+00:00
Thanks @KapilAnanth-MSFT This make sense i will give another try to configure with suggested steps.
KapilAnanth-MSFT 46,876 Reputation points Microsoft Employee

2024-10-15T09:28:11.07+00:00

@Suman Bikram Singh , sure.

You are welcome.

Let us know how it goes.
Suman Bikram Singh 20 Reputation points

2024-10-15T13:18:36.4666667+00:00

No. All 6 links up and this time my on premise is able to exchange the route and communication happening but of I follow MS document. All 4 links go up with 0 BGP routes. Any suggestions?
Suman Bikram Singh 20 Reputation points

2024-10-15T13:19:47.12+00:00

Also what I understand is by default BGP 179 port is opened once session is established.
KapilAnanth-MSFT 46,876 Reputation points Microsoft Employee

2024-10-16T04:37:05.3+00:00
@Suman Bikram Singh ,

BGP Port is 179, yes.

You can use the "Check your BGP peers status on Azure" docs and "Monitor site-to-site VPN BGP routes using the BGP dashboard"

Once you are sure no routes are learned/advertised, you should use the logs to identify what is the issue,

See : Site-to-site VPN gateway and Log queries

The steps are same as a regular VNet VPN Gateway

Especially "TunnelDiagnosticLog" and "RouteDiagnosticLog"

Reference : Troubleshoot Azure VPN Gateway using diagnostic logs

Cheers,

Kapil
Suman Bikram Singh 20 Reputation points

2024-10-16T11:05:17.1933333+00:00

Ok I narrowed down the probem and here are my findings. If I Configure Site to Site VPN with AWS as per the official document provided by microsoft it works as expected and BGP routes are published. Now, If I use same Virtual WAN gateway for Site to site VPN with another cloud [Lets say cloud-X] then BGP routes are not advertised in new site to site VPN [Azure to Cloud X]. If I start deleting and delete all Custom Azure APIPA BGP IP address and Second Custom Azure APIPA BGP IP address from Azure Gateway which I added for AWS then my new Site to Site VPN with cloud-X is restored with BGP address. Is this expected behavior?

Custom Azure APIPA BGP IP address

169.254.21.2 [AWS-VPN-1-Tunnel-1]

169.254.22.2 [AWS-VPN-1-Tunnel-2]

169.254.21.10 [Cloud-X-Tunnel-1]

Second Custom Azure APIPA BGP IP address:

169.254.21.6 [AWS-VPN-2-Tunnel-1

169.254.22.6 [AWS-VPN-2-Tunnel-2]

169.254.21.14 [Cloud-X-Tunnel-2]

AWS Side [As per Microsoft Doc]

VPN-1

Inside IPv4 CIDR for Tunnel 1: 169.254.21.0/30

Inside IPv4 CIDR for Tunnel 2: 169.254.22.0/30

VPN-2

Inside IPv4 CIDR for Tunnel 1: 169.254.21.4/30

Inside IPv4 CIDR for Tunnel 2: 169.254.22.4/30

Cloud-X Side

Router BGP-169.254.21.9 [Tunnel-1]

Router BGP-169.254.22.13 [Tunnel-2]

Any solution, how to configure multiple S2S VPN on Virtual-HUB?
Suman Bikram Singh 20 Reputation points

2024-10-16T13:15:11.1866667+00:00

Ok. Its sorted. On AWS site to gateways are not supported using Azure WAN. I deleted one customer gateway and all green.
KapilAnanth-MSFT 46,876 Reputation points Microsoft Employee

2024-10-17T04:50:16.16+00:00

@Suman Bikram Singh ,

Thanks for keeping the thread updated.

Share via

Multi Cloud Site to Site VPN

0 additional answers

Your answer