
Check Point CheckMates · Web view

BGP over VPN between Azure/Check Point Gateway

Assumptions:

A valid Azure Subscription has been established
A Resource Group has been created within said Subscription

Pre-requisites:

Azure VPN Gateway SKU must be Standard or High Performance for BGP to work
o VpnGw = Basic (BGP Not Supported)
o VpnGw = Standard
o VpnGw = High Performance

If BGP was not enabled when the VPN gateway was first created, it can only be enabled afterwards through Azure Resource Manager (Resource Explorer or PowerShell), not through the normal portal blades; Appendix A covers this.

Windows PowerShell, since some of the Azure BGP settings are read and changed through PowerShell

Note: The following ASNs are reserved by Azure for both internal and external peerings, so the Check Point gateway must not use any of them:

Public ASNs: 8074, 8075, 12076
Private ASNs: 65515, 65517, 65518, 65519, 65520

ASNs reserved by IANA (23456, 64496–64511, 65535–65551) cannot be used either. 65515 is the ASN the Azure VPN gateway itself uses by default.

In Admin PowerShell window:

1. Install-Module AzureRM
2. Set-ExecutionPolicy RemoteSigned

In non-Admin PowerShell window:

1. Import-Module AzureRM

Note: Set-ExecutionPolicy from an elevated window changes the LocalMachine policy; add -Scope CurrentUser if the change should only affect your own account. The AzureRM module has since been retired in favour of the Az module (Install-Module Az); the AzureRm cmdlets used in this document have same-named Az equivalents (Login-AzureRmAccount becomes Connect-AzAccount).

Networking Layout:

Address Space = 10.0.0.0/16
GatewaySubnet = 10.1.0.0/29
BackEnd Subnet = 10.2.0.0/24

NOTE: Azure only accepts subnets that fall inside the VNet address space. As listed, 10.1.0.0/29 and 10.2.0.0/24 are outside 10.0.0.0/16, so either widen the address space or move the subnets under 10.0.x.x before creating the VNet. Microsoft also recommends a GatewaySubnet of /27 or larger rather than /29.
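The checks below are an added example and are not part of the CheckMates document. They take the Networking Layout values as written, test whether each subnet actually sits inside the VNet address space, check the GatewaySubnet size, and test a candidate on-premises ASN against the Azure-reserved and IANA-reserved ranges listed above. The on-premises ASN 65010 is an assumption; everything else is the document's own numbers. Run it in any PowerShell (5.1 or pwsh) before creating resources.

```powershell
# Added example (not from the original document): pre-flight checks for the
# Networking Layout and the on-premises ASN. The on-prem ASN 65010 is an assumption.

function ConvertTo-IPv4Number {
    # Dotted-quad IPv4 address -> 32-bit number held in a [long] (avoids signed-int wrap).
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Get-PrefixMask {
    # Network mask for a prefix length, as a [long] (e.g. /16 -> 0xFFFF0000).
    param([int]$PrefixLength)
    if ($PrefixLength -le 0) { return [long]0 }
    return [long](4294967295 - ([math]::Pow(2, 32 - $PrefixLength) - 1))
}

function Test-SubnetInAddressSpace {
    # True only when the whole $Subnet (CIDR) lies inside $AddressSpace (CIDR).
    param([string]$Subnet, [string]$AddressSpace)
    $sAddr, $sLen = $Subnet.Split('/')
    $pAddr, $pLen = $AddressSpace.Split('/')
    if ([int]$sLen -lt [int]$pLen) { return $false }   # a subnet cannot be larger than its parent
    $parentMask = Get-PrefixMask ([int]$pLen)
    $parentNet  = (ConvertTo-IPv4Number $pAddr) -band $parentMask
    $subnetNet  = (ConvertTo-IPv4Number $sAddr) -band $parentMask
    return ($subnetNet -eq $parentNet)
}

# ASNs Azure reserves (public and private) and ASNs reserved by IANA, per the Azure VPN Gateway BGP FAQ.
$AzureReservedAsn = 8074, 8075, 12076, 65515, 65517, 65518, 65519, 65520
function Test-OnPremAsn {
    param([long]$Asn)
    if ($AzureReservedAsn -contains $Asn)          { return $false }
    if ($Asn -eq 23456)                            { return $false }   # AS_TRANS
    if ($Asn -ge 64496 -and $Asn -le 64511)        { return $false }   # documentation ASNs
    if ($Asn -ge 65535 -and $Asn -le 65551)        { return $false }   # IANA reserved
    return ($Asn -ge 1 -and $Asn -le 4294967295)
}

# The document's layout, checked as written.
$AddressSpace = '10.0.0.0/16'
$Subnets = [ordered]@{ GatewaySubnet = '10.1.0.0/29'; BackEnd = '10.2.0.0/24' }
foreach ($entry in $Subnets.GetEnumerator()) {
    $inside = Test-SubnetInAddressSpace -Subnet $entry.Value -AddressSpace $AddressSpace
    '{0,-14} {1,-14} inside {2}: {3}' -f $entry.Key, $entry.Value, $AddressSpace, $inside
}

# Microsoft recommends /27 or larger for GatewaySubnet.
$gwLen = [int]($Subnets['GatewaySubnet'].Split('/')[1])
'GatewaySubnet /{0}: {1}' -f $gwLen, $(if ($gwLen -le 27) { 'OK' } else { 'too small, use /27 or larger' })

'On-prem ASN 65010 usable: {0}' -f (Test-OnPremAsn 65010)
'On-prem ASN 65515 usable: {0}' -f (Test-OnPremAsn 65515)   # Azure's default ASN, must not be reused on-prem
```

With the document's values both subnet checks return False and the GatewaySubnet is flagged as too small, which is exactly the inconsistency the note above describes; fix the layout until all checks pass before creating the VNet.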


RESOURCES WE WILL NEED TO CREATE

You will need, at minimum, the following resources defined in Azure:

AzureVnet = Internal Azure virtual network
BackEnd = BackEnd subnet for the workloads behind the gateway (10.2.0.0/24 in the Networking Layout)
GatewaySubnet = Subnet that hosts the Azure VPN gateway instances (and the gateway's BGP peer IP); it must be named exactly GatewaySubnet
AzureVPNGW(1) = Azure VPN Gateway instance
AzureVPNGW(2) = Public IP address that will be used by the Azure VPN gateway
CP-2-Azure-BGP = VPN connection settings, including the BGP settings
CP-Remote-GW = Local network gateway representing the physical Check Point gateway


Create VNET

In Azure portal in the left pane go to “Virtual Networks”


Click on (+) sign to add vnet


ADD GATEWAY SUBNET

NOTE: The subnet must be named exactly GatewaySubnet; Azure places the VPN gateway instances and the gateway's BGP peer IP in it. It is not a default gateway for the other subnets: routes the VPN gateway learns over BGP are propagated to the VNet's subnets automatically.

CREATE AZURE VPN GATEWAY


IMAGE 2 – Creating Public IP Address


When completed, click on Create:

NOTE: If you did not enable BGP on the gateway when it was first created, follow the instructions in Appendix A to enable it. This only works for a BGP-capable SKU; a gateway created with the Basic SKU cannot be resized and has to be deleted and recreated with Standard or High Performance.


Get the Azure VPN gateway public IP Address from the Azure Portal

In Azure Portal select “All Resources”

CREATE CHECK POINT GATEWAY IN AZURE

This is the local network gateway object CP-Remote-GW: the Check Point's public IP address, its ASN, and the IP address it will peer from over BGP.


Create VPN Connection


In Azure portal go to “All Resources”


Once created, you must go back into the configuration of the newly created connection and enable BGP:
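The same "Create VPN Connection" step done with the Az PowerShell module instead of the portal, as an added example that is not part of the CheckMates document. Resource names follow the document (Chkp-RSC-GRP, AzureVPNGW, CP-Remote-GW, CP-2-Azure-BGP); the location, the Check Point public IP, its ASN and its BGP peering address are assumptions to be replaced with your own values. The connection is created with BGP enabled up front, so the separate "go back and enable BGP" step is not needed, and the pre-shared key is generated from a CSPRNG rather than typed in.

```powershell
# Added example (not from the original document): local network gateway and
# BGP-enabled connection via the Az module. Location, Check Point IP, ASN and
# BGP peer address are assumptions.
$ResourceGroup = 'Chkp-RSC-GRP'
$Location      = 'eastus'            # assumption
$CpPublicIp    = '203.0.113.10'      # assumption: Check Point external IP (documentation range)
$CpAsn         = 65010               # assumption: not one of the Azure-reserved ASNs
$CpBgpPeerIp   = '10.10.10.1'        # assumption: address the Check Point peers from (its VTI side)

Connect-AzAccount | Out-Null

$vpnGw = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name 'AzureVPNGW'
# BGP over IPsec needs a route-based gateway with BGP already switched on (see Appendix A).
if ($vpnGw.VpnType -ne 'RouteBased') { throw "AzureVPNGW is $($vpnGw.VpnType); BGP needs RouteBased." }
if (-not $vpnGw.EnableBgp)           { throw 'BGP is not enabled on AzureVPNGW; enable it first.' }

# Pre-shared key: 32 bytes from a CSPRNG, hex-encoded. Hand it to the Check Point
# administrator out of band; it is deliberately never printed here.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$SharedKey = -join ($keyBytes | ForEach-Object { $_.ToString('x2') })

# CP-Remote-GW: the local network gateway that represents the physical Check Point.
# With BGP the static address-prefix list can stay empty; routes are learned dynamically.
$localGw = New-AzLocalNetworkGateway -Name 'CP-Remote-GW' -ResourceGroupName $ResourceGroup `
    -Location $Location -GatewayIpAddress $CpPublicIp -Asn $CpAsn -BgpPeeringAddress $CpBgpPeerIp

# CP-2-Azure-BGP: IPsec connection between the two gateway objects, BGP on from the start.
$conn = New-AzVirtualNetworkGatewayConnection -Name 'CP-2-Azure-BGP' -ResourceGroupName $ResourceGroup `
    -Location $Location -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $localGw `
    -ConnectionType IPsec -SharedKey $SharedKey -EnableBgp $true

# Values the Check Point side needs (the public IP is assumed to live in the same resource group).
$pipName = $vpnGw.IpConfigurations[0].PublicIpAddress.Id.Split('/')[-1]
$pip     = Get-AzPublicIpAddress -ResourceGroupName $ResourceGroup -Name $pipName
'Azure VPN public IP : {0}' -f $pip.IpAddress
'Azure BGP ASN       : {0}' -f $vpnGw.BgpSettings.Asn
'Azure BGP peer IP   : {0}' -f $vpnGw.BgpSettings.BgpPeeringAddress
'Connection BGP      : {0}' -f $conn.EnableBgp
```

The two throw checks are the failure modes the document's warnings describe: a policy-based gateway or one without BGP enabled will accept the connection object but the session will never come up.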


CHECK POINT CONFIGURATION

SmartConsole Configuration

Create an empty VPN group which will represent the Azure VPN Gateway's VPN domain. With a VTI the tunnel is route-based: what is sent through it is decided by the routing table (the BGP-learned routes), not by an encryption domain, so the domain is deliberately left empty:


Next create Azure VPN Gateway object:


Create VPN Community


GAIA WebUI Configuration on Check Point

Create VPN Tunnel Interface (VTI)


NOTE: THE PEER NAME MUST MATCH THE SMARTDASHBOARD OBJECT NAME OTHERWISE THE VTI WILL NOT WORK


Add a static route for the Azure VPN gateway's BGP peer IP (its BgpPeeringAddress, which sits in the GatewaySubnet) via the VTI. The peer is not on the VTI's own link, so without this route the Check Point has no path to it:


Setup BGP in GAIA WebUI

WARNING: Without “ALL” of these configurations completed BGP will not be successful


Add Azure Gateway BGP Information:


Fill in information based on Azure Gateway BGP Settings:


NOTE: Without Multihop enabled the BGP session will not be established. The Azure BGP peer IP is not directly connected to the VTI; it is reached through the static route added above, so the eBGP session spans more than one hop.


Set BGP Inbound route filters

Note: For the purpose of this documentation the inbound filter has been set to accept all routes; this will vary in each environment. In production, accept only the prefixes you expect from Azure (the VNet address space) and reject a default route and your own on-premises prefixes, otherwise a misconfigured or compromised cloud side can pull traffic through the tunnel. Apply the same discipline to the outbound filter so that only the intended on-premises networks are advertised to Azure.


Set inbound route filter settings


APPENDIX A

To enable BGP on the Azure Gateway after it’s been created go to resources.azure.com and login:

1. Navigate to subscriptions > <your_subscription> > resourceGroups > <your_resource_group> > providers > Microsoft.Network > virtualNetworkGateways > <your_gateway>

2. Change Mode up top to “Read/Write”

3. Click on “Edit” up top

4. Set "enableBgp": true,

5. Click on “Put”

6. Change back to “Read Only”

7. Give it a few minutes for the change to propagate.

8. Go into Azure Vpn Gateway and under “Configuration” verify BGP is now enabled (should see AS and Local BGP IP)

Once enabled you will need to get the BGP settings for the Azure VPN Gateway. This can be done from within Azure portal:

Or through Powershell:

# Set your subscription ID if you have more than 1 (template, then the author's own value)
$SubscriptionId = "Your_Subscription_ID"

$SubscriptionId = "83ad3470-60c3-4fc7-905e-6d9315588b65"

# Identify the Resource Group you will be working with (template, then the author's own value)
$ResourceGroup = "Your_Azure_Resource_Group_Name"

$ResourceGroup = "Chkp-RSC-GRP"

# Log into Azure
Login-AzureRmAccount

# Set context to your subscription – only relevant if you have more than 1
Set-AzureRmContext -SubscriptionId $SubscriptionId

# Set the gateway you will be working with (template, then the author's own value)
$Gateway = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name "Gateway_Name"

$Gateway = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name "AzureVPNGW"

# Get the Azure gateway BGP settings (ASN and BGP peer IP)
$Gateway.BgpSettingsText

# To modify the default BGP ASN of 65515, run the following command
Set-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $Gateway -Asn <number>

Note: The subscription ID and resource group above are the author's; substitute your own. The AzureRm cmdlets are retired: with the Az module use Connect-AzAccount, Set-AzContext, Get-AzVirtualNetworkGateway and Set-AzVirtualNetworkGateway with the same parameters.
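Appendix A done with the current Az module, as an added example that is not part of the CheckMates document: it enables BGP on an already-created gateway from PowerShell instead of Resource Explorer, prints the settings the Check Point BGP configuration needs, and then, once the Check Point VTI, static route and BGP peer are in place, checks from the Azure side whether the session is up and which routes were learned. Resource names follow the document; the subscription ID is a placeholder you must replace.

```powershell
# Added example (not from the original document): Appendix A via the Az module,
# plus post-configuration checks. The subscription ID is a placeholder.
$SubscriptionId = '<your_subscription_id>'
$ResourceGroup  = 'Chkp-RSC-GRP'
$GatewayName    = 'AzureVPNGW'

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null   # only matters with more than one subscription

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name $GatewayName
if ($gw.Sku.Name -eq 'Basic') {
    throw 'Basic SKU has no BGP support; the gateway must be recreated with a BGP-capable SKU.'
}

if (-not $gw.EnableBgp) {
    # Enabling BGP after creation: assigning an ASN to the gateway switches BGP on
    # (the PowerShell counterpart of the resources.azure.com edit). 65515 is Azure's
    # default; if you choose another value, the Check Point peer must use that one.
    $gw = Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -Asn 65515
}

# What the Check Point BGP configuration needs from Azure:
$gw.BgpSettings | Format-List Asn, BgpPeeringAddress, PeerWeight

# Session state as seen by Azure. State should be "Connected" with a non-zero
# RoutesReceived once the Check Point side (VTI, static route, multihop peer) is done.
Get-AzVirtualNetworkGatewayBGPPeerStatus -ResourceGroupName $ResourceGroup -VirtualNetworkGatewayName $GatewayName |
    Format-Table Neighbor, Asn, State, ConnectedDuration, RoutesReceived, MessagesSent, MessagesReceived

# Routes Azure holds, including those learned over the tunnel. A default route,
# Azure's own VNet prefix or a prefix you do not own showing up with the Check
# Point as SourcePeer means the Check Point outbound filter is too loose.
Get-AzVirtualNetworkGatewayLearnedRoute -ResourceGroupName $ResourceGroup -VirtualNetworkGatewayName $GatewayName |
    Format-Table Network, NextHop, SourcePeer, AsPath, Origin, Weight
```

The peer-status and learned-route queries are the quickest way to tell whether a failure is on the IPsec layer (no peer at all) or on the BGP layer (peer listed but not Connected), which is what the "Without ALL of these configurations BGP will not be successful" warning above is about.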