Connect Ubiquiti USG to Azure VWAN Gateway using BGP

In this blog post, I'm going to share what I learned during a lab setup. Last weekend, I was playing with the Ubiquiti USG BGP features and wondered if I could establish BGP peering with my Azure VPN Gateway. That way, routes could be exchanged dynamically between my home network and Azure. I typically have hybrid networking configured between my home network and Azure. My Azure network is very dynamic: I create and delete VNETs very often. Managing static routes in my home router and IPsec tunnels for each setup has been very cumbersome, so my curious mind was always looking for a smarter way to do this. If you are in the same boat, join me.

In summary, BGP peerings can be established between the Ubiquiti USG and an Azure Gateway with BGP enabled. In this blog post, I'm focusing on the USG configuration and assume that you can set up the rest of the environment yourself. To explain how this can be set up, I'm going to use my lab as an example. Following is a diagram of my setup.

Lab Setup Diagram

Following are the key properties of the setup that you need to be aware of.

Home Network
IP Addressing used in the Home network – 10.1.1.0/24
Static Public IP on the USG – 113.76.252.224
BGP Peering IP on the USG – 10.1.1.1

Azure Network – VWAN
VPN Gateway Public IP – 21.52.125.78
Azure Gateway Peering IP – 10.0.1.14
VWAN Hub IP Address space – 10.0.1.0/24
VNET IP Address Space – 10.10.0.0/16

Note that in Azure I have used Azure VWAN for the hub and spoke topology. To learn more about Azure VWAN, click here. An Azure VWAN Hub can have VPN Gateways. I assume that you have set up the Azure networking piece beforehand, and I'm not going to cover that piece in this article. You can refer to this article if you need some guidance on the VWAN hub and VPN gateway setup. By default, it creates two VPN gateway instances. The screenshot below displays the properties of the two gateways.

VWAN Gateway instances

In this case I have used only one gateway instance as my home network has only one gateway.

Now you have all the details required to set up the VPN. Let's look at how to configure the USG. Unfortunately, this USG configuration can't be done via the GUI. You will need to use the advanced configuration file config.gateway.json. For more details about the advanced configuration file, visit this documentation.
This file lives on the Cloud Key and its location is explained in the documentation. In my case it is /srv/unifi/data/sites/. If you are editing this for the first time, you will need to create the file. This needs to be a valid JSON file, therefore be careful and always validate it when editing.
Add the following configuration to the file. Replace the public and local IPs here with your respective IPs. Save the configuration and do a force provision from the Cloud Key.

{
  "system": {
    "static-host-mapping": {
      "host-name": {
        "test1.snmnest.local": {
          "alias": [
            "lab"
          ],
          "inet": [
            "10.1.1.13"
          ]
        }
      }
    }
  },
  "interfaces": {
    "vti": {
      "vti0": {
        "mtu": "1436"
      }
    }
  },
  "firewall": {
    "options": {
      "mss-clamp": {
        "interface-type": [
          "pppoe",
          "pptp",
          "vti"
        ],
        "mss": "1350"
      }
    }
  },
  "protocols": {
    "bgp": {
      "65510": {
        "neighbor": {
          "10.0.1.14": {
            "ebgp-multihop": "4",
            "prefix-list": {
              "export": "BGP",
              "import": "BGP"
            },
            "remote-as": "65515",
            "soft-reconfiguration": {
              "inbound": "''"
            },
            "update-source": "10.1.1.1"
          }
        },
        "network": {
          "10.1.1.0/24": "''"
        },
        "timers": {
          "holdtime": "180",
          "keepalive": "60"
        }
      }
    },
    "static": {
      "interface-route": {
        "10.0.1.14/32": {
          "next-hop-interface": {
            "vti0": "''"
          }
        }
      }
    }
  },
  "policy": {
    "prefix-list": {
      "BGP": {
        "rule": {
          "10": {
            "action": "deny",
            "description": "deny-localgw",
            "prefix": "113.76.252.224/32"
          },
          "100": {
            "action": "permit",
            "description": "permit-localsubnet",
            "prefix": "10.1.1.0/24"
          },
          "110": {
            "action": "permit",
            "description": "permit-remotesubnet",
            "ge": "16",
            "prefix": "10.0.0.0/8"
          },
          "20": {
            "action": "deny",
            "description": "deny-remotegw",
            "prefix": "21.52.125.78/32"
          },
          "30": {
            "action": "deny",
            "description": "deny-localpeer",
            "prefix": "10.1.1.1/32"
          },
          "40": {
            "action": "deny",
            "description": "deny-remotepeer",
            "prefix": "10.0.1.14/32"
          }
        }
      }
    }
  },
  "vpn": {
    "ipsec": {
      "auto-firewall-nat-exclude": "enable",
      "esp-group": {
        "VWAN01": {
          "compression": "disable",
          "lifetime": "27000",
          "mode": "tunnel",
          "pfs": "disable",
          "proposal": {
            "1": {
              "encryption": "aes256",
              "hash": "sha1"
            }
          }
        }
      },
      "ike-group": {
        "VWAN01": {
          "ikev2-reauth": "no",
          "key-exchange": "ikev2",
          "lifetime": "28800",
          "proposal": {
            "1": {
              "dh-group": "2",
              "encryption": "aes256",
              "hash": "sha1"
            }
          }
        }
      },
      "site-to-site": {
        "peer": {
          "21.52.125.78": {
            "authentication": {
              "mode": "pre-shared-secret",
              "pre-shared-secret": "mykeyhereplease"
            },
            "connection-type": "respond",
            "description": "ipsec",
            "ike-group": "VWAN01",
            "ikev2-reauth": "inherit",
            "local-address": "113.76.252.224",
            "vti": {
              "bind": "vti0",
              "esp-group": "VWAN01"
            }
          }
        }
      }
    }
  }
}
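As an added example (not part of the original post), the following Python check works on a trimmed, constructed copy of the config above: it evaluates the BGP prefix-list the way EdgeOS does (numeric rule order, first match wins, implicit deny, with ge/le length ranges) so you can confirm which routes will actually be exported or imported, and it runs two consistency checks that are worth doing before a force provision. The prefix-list semantics are general to the platform, not just this page's rule set.

```python
import ipaddress
import json
# Trimmed copy of the page's config.gateway.json, constructed for this check.
CONFIG = json.loads("""{
  "protocols": {
    "bgp": {"65510": {"neighbor": {"10.0.1.14": {
      "prefix-list": {"export": "BGP", "import": "BGP"}, "remote-as": "65515"}}}},
    "static": {"interface-route": {"10.0.1.14/32": {"next-hop-interface": {"vti0": "''"}}}}},
  "policy": {"prefix-list": {"BGP": {"rule": {
    "10":  {"action": "deny",   "prefix": "113.76.252.224/32"},
    "100": {"action": "permit", "prefix": "10.1.1.0/24"},
    "110": {"action": "permit", "prefix": "10.0.0.0/8", "ge": "16"},
    "20":  {"action": "deny",   "prefix": "21.52.125.78/32"},
    "30":  {"action": "deny",   "prefix": "10.1.1.1/32"},
    "40":  {"action": "deny",   "prefix": "10.0.1.14/32"}}}}}
}""")

def rule_matches(rule, prefix):
    """A candidate matches when it lies inside the rule prefix and its length
    is exact (no ge/le) or within [ge, le] (le defaults to 32 with ge alone)."""
    rule_net = ipaddress.ip_network(rule["prefix"])
    if not prefix.subnet_of(rule_net):
        return False
    if "ge" not in rule and "le" not in rule:
        return prefix.prefixlen == rule_net.prefixlen
    ge, le = int(rule.get("ge", rule_net.prefixlen)), int(rule.get("le", 32))
    return ge <= prefix.prefixlen <= le

def prefix_list_action(config, name, cidr):
    """Rules run in numeric order (not JSON key order); first match wins; unmatched is denied."""
    prefix = ipaddress.ip_network(cidr)
    rules = config["policy"]["prefix-list"][name]["rule"]
    for num in sorted(rules, key=int):
        if rule_matches(rules[num], prefix):
            return rules[num]["action"]
    return "deny"

def neighbor_issues(config):
    """Each BGP peer needs a /32 interface-route (here via vti0) and defined prefix-lists."""
    issues = []
    asn = next(iter(config["protocols"]["bgp"]))
    routes = config["protocols"]["static"].get("interface-route", {})
    for peer, nb in config["protocols"]["bgp"][asn]["neighbor"].items():
        if f"{peer}/32" not in routes:
            issues.append(f"no interface-route for BGP peer {peer}")
        for direction in ("import", "export"):
            name = nb.get("prefix-list", {}).get(direction)
            if name not in config["policy"]["prefix-list"]:
                issues.append(f"{direction} prefix-list {name!r} undefined")
    return issues
```

With the page's rules, 10.0.0.0/8 itself is denied (it is shorter than ge 16) while 10.10.0.0/16 and the hub's 10.0.1.0/24 are permitted, and both peer /32s and both gateway public IPs are filtered out.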

Provision Button

Once the configuration has been pushed, restart the USG.

Once it has successfully restarted, SSH into the USG. Then check the BGP status using the following commands. They should show results similar to those below.

show ip bgp summary

Command1

show ip bgp neighbors

Command2

show ip bgp neighbors 10.0.1.14 advertised-routes

This command shows the routes advertised to the remote peer.
Command3

show ip bgp neighbors 10.0.1.14 received-routes

This command shows the routes received from the remote peer.
Command4

show ip bgp

Command5

show ip route

Command6