BGP and Vnet Peering

Handian Sudianto 6,001 Reputation points
2025-04-22T06:15:24.5233333+00:00

I have 2 VNets and both VNets have peering, so vnet1 can talk to vnet2.

Also I have a VPN gateway on vnet1, and from my on-prem I can reach vnet1 and also vnet2.

But when I enable BGP on the VPN gateway, why can on-prem only reach vnet1 and not vnet2?


2 answers

Sort by: Most helpful
  1. Luis Arias 8,601 Reputation points Moderator
    2025-04-22T08:19:31.51+00:00

    Hello Handian,

    Welcome to Q&A. I understand that you can't reach vNet2 from on-premises without BGP enabled, but when BGP is enabled, vNet2 becomes unreachable?


    When BGP is disabled, your VPN Gateway likely uses static routing to reach vNet1 and vNet2. In this case, the static routes enable communication between your on-premises network and both VNets, even if the peered VNets (vNet1 and vNet2) don't propagate routes dynamically. Static routes don't rely on BGP advertisements for connectivity.

    However, when BGP is enabled, the VPN Gateway switches to dynamic routing. It advertises only the routes to directly connected networks (like vNet1) to your on-premises network. Routes to peered VNets (like vNet2) are not automatically propagated through the VPN Gateway, which causes vNet2 to become unreachable from on-premises.

    I do think you can fix the issue if you include vNet2's routes in the BGP advertisements to your on-premises network:

    • Enable "Allow Gateway Transit" in vNet2's peering configuration.
    • Enable "Use Remote Gateways" in vNet1's peering configuration.
    • Confirm that your on-premises BGP router is correctly handling and adding the routes for vNet2.

    Let me know your findings.

    References:

    If the information helped address your question, please Accept the answer.

    Luis


  2. Sai Prasanna Sinde 5,635 Reputation points Microsoft External Staff Moderator
    2025-04-23T03:30:50.3933333+00:00

    Hi @Handian Sudianto

    Adding to Luis Arias,

    • Go to the VNet Peering configuration for VNet1 > VNet2. Ensure "Allow gateway transit" is checked, and go to the VNet Peering configuration for VNet2 > VNet1. Ensure "Use remote gateways" is checked. Please re-verify them; sometimes updates can reset settings.
    • Go to your Virtual Network Gateway, under Monitoring, select BGP Peers and verify that the BGP peering session with your on-premises router is Connected. If not, troubleshoot the BGP configuration.
    • On the same BGP Peers page in the Azure portal, select your on-premises peer, click on "Get advertised routes" and check if the address prefixes for VNet2 are listed. If they are missing, Azure is not advertising them via BGP.
    • Log in to your on-premises BGP router and use the appropriate command for your vendor to see the routes being learned from the Azure VPN Gateway's BGP peer IP and confirm if the VNet2 address prefix is present in this list. If it's missing, but was present in the advertised routes in Azure, then there might be an issue with the BGP session itself.

    Kindly let us know if the above helps or you need further assistance on this issue.

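The checks both answers walk through in the portal (peering flags on each side, BGP session state, advertised prefixes) can be scripted against the JSON that `az network vnet peering show`, `az network vnet-gateway list-bgp-peer-status` and `az network vnet-gateway list-advertised-routes` return. The example below is added here and is not code from either answer or from Microsoft; the sample records are constructed to mirror the field names of that JSON (`allowGatewayTransit`, `useRemoteGateways`, `peeringState`, `neighbor`, `state`, `network`), and the address ranges, peer IP and ASN are made up for illustration.

```python
"""Offline checks for the hub-and-spoke BGP transit scenario in this thread.

The records below are constructed samples shaped like the JSON output of the
Azure CLI commands named above; swap in the real output to run the same checks
against your environment.
"""
import ipaddress

# Constructed sample: peering from vNet1 (hosts the VPN gateway) to vNet2.
HUB_TO_SPOKE_PEERING = {
    "name": "vnet1-to-vnet2",
    "peeringState": "Connected",
    "allowVirtualNetworkAccess": True,
    "allowForwardedTraffic": True,
    "allowGatewayTransit": True,
    "useRemoteGateways": False,
}

# Constructed sample: peering from vNet2 back to vNet1.
SPOKE_TO_HUB_PEERING = {
    "name": "vnet2-to-vnet1",
    "peeringState": "Connected",
    "allowVirtualNetworkAccess": True,
    "allowForwardedTraffic": True,
    "allowGatewayTransit": False,
    "useRemoteGateways": True,
}

SPOKE_PREFIXES = ["10.2.0.0/16"]   # constructed vNet2 address space
ONPREM_PEER_IP = "192.168.100.1"   # constructed on-prem BGP peer address

# Constructed sample shaped like `list-bgp-peer-status` output.
BGP_PEER_STATUS = [
    {"neighbor": ONPREM_PEER_IP, "asn": 65010, "state": "Connected", "routesReceived": 3},
]

# Constructed sample shaped like `list-advertised-routes --peer <on-prem ip>` output.
ADVERTISED_ROUTES = [
    {"network": "10.1.0.0/16", "nextHop": "10.1.255.30", "origin": "Network"},
    {"network": "10.2.0.0/16", "nextHop": "10.1.255.30", "origin": "Network"},
]


def check_peering(hub_to_spoke, spoke_to_hub):
    """Return findings for the peering pair; an empty list means transit is wired correctly."""
    findings = []
    for label, peering in (("hub->spoke", hub_to_spoke), ("spoke->hub", spoke_to_hub)):
        if peering.get("peeringState") != "Connected":
            findings.append(f"{label}: peeringState is {peering.get('peeringState')!r}, expected 'Connected'")
    # Gateway transit is set on the peering owned by the VNet that hosts the gateway (vNet1).
    if not hub_to_spoke.get("allowGatewayTransit"):
        findings.append("hub->spoke: allowGatewayTransit must be enabled on the gateway-side peering")
    # The spoke (vNet2) opts in to using that gateway on its own side of the peering.
    if not spoke_to_hub.get("useRemoteGateways"):
        findings.append("spoke->hub: useRemoteGateways must be enabled so vNet2 uses the VPN gateway")
    if spoke_to_hub.get("allowGatewayTransit") and hub_to_spoke.get("useRemoteGateways"):
        findings.append("peering flags look inverted: gateway transit belongs on the VNet that hosts the gateway")
    return findings


def check_bgp_session(peer_status, onprem_ip):
    """Return findings if the BGP session with the on-prem peer is missing or not Connected."""
    peers = [p for p in peer_status if p.get("neighbor") == onprem_ip]
    if not peers:
        return [f"no BGP peer entry for {onprem_ip}"]
    return [f"BGP session with {onprem_ip} is {p.get('state')!r}" for p in peers if p.get("state") != "Connected"]


def check_advertised_routes(routes, spoke_prefixes):
    """Return findings for every spoke prefix not covered by an advertised network."""
    advertised = [ipaddress.ip_network(r["network"]) for r in routes]
    findings = []
    for prefix in spoke_prefixes:
        want = ipaddress.ip_network(prefix)
        # A covering aggregate counts as advertised, so compare with subnet_of rather than equality.
        if not any(want.subnet_of(adv) for adv in advertised if adv.version == want.version):
            findings.append(f"spoke prefix {prefix} is not advertised to on-prem")
    return findings


def diagnose(hub_to_spoke, spoke_to_hub, peer_status, onprem_ip, routes, spoke_prefixes):
    """Run all three checks in the order the answers suggest and return the combined findings."""
    return (check_peering(hub_to_spoke, spoke_to_hub)
            + check_bgp_session(peer_status, onprem_ip)
            + check_advertised_routes(routes, spoke_prefixes))


if __name__ == "__main__":
    result = diagnose(HUB_TO_SPOKE_PEERING, SPOKE_TO_HUB_PEERING, BGP_PEER_STATUS,
                      ONPREM_PEER_IP, ADVERTISED_ROUTES, SPOKE_PREFIXES)
    for line in result or ["all checks passed"]:
        print(line)
```

With the constructed sample the script reports that all checks pass; swapping the two peering flag sets (transit on vNet2's peering, remote gateways on vNet1's) produces three findings, and dropping the 10.2.0.0/16 route from the advertised list produces the missing-prefix finding that corresponds to the symptom in the question.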
