Now that we have our Azure Stack Development Kit in routing mode, we can also send the BGP information from within the Stack to the Juniper firewalls (or any firewall you have). This ensures that the new "external IP addresses" assigned to our workloads are reachable via our intranet routing information, so we don't have to add the routes and/or new subnets manually ourselves.
In short, what happens inside the Stack when you create a new workload is:
- A new IP address from the "private" range (the Stack's public IP pool) is assigned to the workload as its external IP address
- The public IP address is added to the BGP routing table by the SLB and sent to the BGPNAT router
- This means the BGPNAT router now knows how to get to the public IP address
All the addresses are added to the BGPNAT router as individual /32 entries, so there is no single /24 subnet or similar aggregate to route.
In order to get these to our Juniper, we can do the following:
- Login to the AzS-BGPNAT VM
- Open Powershell
- Add-BgpPeer -Name Juniper -LocalIPAddress 172.16.5.26 -PeerIpAddress 172.16.5.1 -LocalASN 65050 -PeerASN 65050
(replace the IP addresses with the addresses in your environment – 172.16.5.26 is my external IP address for AzS-BGPNAT and 172.16.5.1 is my Juniper)
Next, on the Juniper we need to configure BGP under protocols. I created a new group for it in my BGP configuration:
group stack {
    type internal;
    multihop {
        ttl 50;
    }
    peer-as 65050;
    neighbor 172.16.5.26;
}
And that is all you need. After waiting a few minutes you should see the routes coming into your Juniper:
Note: after you see the IP addresses, you will also need to add a security policy rule allowing intra-zone traffic (in my case I added 192.168.0.0/16 to the Internal zone). You can do this by issuing: set security policies from-zone Internal to-zone Internal policy Allow-Intra match ……. the same as you would for any other policy.
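As an added example (not part of the original post): a small Python script that parses constructed "show route protocol bgp" output and flags any learned route that is not a /32 inside the pool you handed to the Stack, or that arrived from a peer other than AzS-BGPNAT. The pool 192.168.102.0/24 and the sample lines are assumptions for this example, so check them against your own environment before widening the intra-zone policy.

```python
import ipaddress
import re

# Assumed public IP pool handed to Azure Stack and the AzS-BGPNAT peer address
# (both are assumptions for this example, not values from the post).
ALLOWED_POOL = ipaddress.ip_network("192.168.102.0/24")
EXPECTED_PEER = "172.16.5.26"

# Constructed sample output in the shape of Junos 'show route protocol bgp'.
SAMPLE_OUTPUT = """\
192.168.102.5/32   *[BGP/170] 00:04:12, localpref 100, from 172.16.5.26
                      AS path: I, validation-state: unverified
192.168.102.6/32   *[BGP/170] 00:02:01, localpref 100, from 172.16.5.26
                      AS path: I, validation-state: unverified
10.99.0.1/32       *[BGP/170] 00:00:30, localpref 100, from 172.16.5.26
                      AS path: I, validation-state: unverified
192.168.102.0/24   *[BGP/170] 00:00:10, localpref 100, from 172.16.5.200
                      AS path: I, validation-state: unverified
"""

# Active BGP route line: prefix, then the peer it was learned from.
ROUTE_RE = re.compile(r"^(\S+/\d+)\s+\*\[BGP/\d+\].*?from\s+(\S+)", re.M)

def parse_bgp_routes(text):
    """Return (network, peer) pairs for each active BGP route in the output."""
    return [(ipaddress.ip_network(p), peer) for p, peer in ROUTE_RE.findall(text)]

def audit_routes(text, pool=ALLOWED_POOL, peer=EXPECTED_PEER):
    """Split learned routes into accepted host routes and anomalies.

    A route is accepted only if it was learned from the expected BGPNAT peer,
    is a /32 (the Stack never aggregates) and sits inside the public IP pool;
    anything else is reported with a reason so it can be investigated before
    the intra-zone policy is widened.
    """
    accepted, anomalies = [], []
    for prefix, src in parse_bgp_routes(text):
        if src != peer:
            anomalies.append((str(prefix), f"unexpected peer {src}"))
        elif prefix.prefixlen != 32:
            anomalies.append((str(prefix), "not a /32 host route"))
        elif not prefix.subnet_of(pool):
            anomalies.append((str(prefix), f"outside pool {pool}"))
        else:
            accepted.append(str(prefix))
    return accepted, anomalies

if __name__ == "__main__":
    ok, bad = audit_routes(SAMPLE_OUTPUT)
    print("accepted:", ok, "anomalies:", bad)
```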