Dynamic VPN Routing Between Azure Virtual WAN and AWS Transit Gateway using BGP


In the previous post, I wrote about Static Site-to-Site VPN Between Azure Vnet and AWS VPC. In this post, I will write about dynamic VPN routing between Azure and AWS using the BGP protocol.

Assuming all necessary resources such as the Vnet, VM, vWAN, VPC, Transit Gateway etc. are already built, this post will only focus on the key configurations.

Steps for the whole process

  1. Build Azure vWAN
  2. Provision the vHub with a VPN Gateway
  3. Configure Azure VPN Gateway’s custom BGP IP
  4. Create AWS Transit Gateway
  5. Create AWS Transit Gateway Attachment
  6. Create AWS Customer Gateway
  7. Apply route to VPC
  8. Create AWS VPN Connection
  9. Create new Azure VPN Site and connect
  10. Verify result

For Steps 1 & 2, please refer to Azure Virtual WAN with Secured Virtual Hub.

Configure Azure VPN Gateway’s custom BGP IP

Since we are configuring both sides to communicate through BGP, we must set a BGP IP for each side.

On the vHub page, click VPN, then View/Configure.

Inside View/Configure, input your BGP IP address. Copy the following, as we will need them in later steps.

  1. Azure AS Number
  2. VPN Public IP Address
  3. Custom BGP IP Address. In this demo, I use Instance 1.

For APIPA, please visit here for more details.

Create AWS Transit Gateway

The most important parts of the Transit Gateway are

  1. Amazon side ASN: the default is 64512; you can leave it as it is or change it to a number between 64512 and 65534.
  2. Transit Gateway CIDR blocks: you can leave this blank or give a CIDR block that does not overlap with any address range attached to the Transit Gateway. For more information, please refer here.

Remember 64512, as we will use it near the end. A finished view of the Transit Gateway.

Create AWS Transit Gateway Attachment

With the Transit Gateway created, we now attach the VPCs we want to peer with the Gateway. First choose the Transit Gateway.

Name your attachment and choose which subnets are to be peered.

A finished view of the Transit Gateway Attachment.

Create AWS Customer Gateway

We copied two pieces of information in Step 3; now is the time to use them. Do not forget to choose Dynamic for your routing option.

IMPORTANT: Make sure the BGP ASN is the same as the Azure AS Number!

Apply route to VPC

In order for the VMs to communicate with each other, we need to set a routing rule directing traffic from EC2 that is destined for the Azure network to the Transit Gateway. Edit the route table that is associated with your VM's VPC.

  • №1, add all the destination network segments
  • №2, choose the AWS Transit Gateway created earlier

Create AWS VPN Connection

Creating the VPN Connection follows the same concept as my previous post. The only difference is to choose Transit Gateway rather than Virtual Private Gateway. Also, do not forget to choose Dynamic for Routing Options.

The next part is very important!

  • For №1 and №2, since dynamic routing will learn the routes itself, we do not need to specify any CIDR here.
  • №3, the CIDR we configured in Step 3. In Step 3, we set the Custom BGP IP as . Since AWS only accepts a /30 CIDR, it has to be , and AWS will use the first IP, which is 22.1.
  • №4, your pre-shared key (the secret word) for VPN authentication.

Once done, copy the public IP address of your AWS VPN Connection, as we will need it in the next step.

Create new Azure VPN Site

We are almost there. Now back to Azure, let’s create the VPN connection, starting by clicking Create new VPN site.

In the Basic tab, we can leave Private address space blank as we are using BGP.

The Links tab is the most important part.

  • Link IP address is generated from the last step.
  • is the first IP of
  • 64512 is the AS number configured for AWS in Step 4
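Because the ASN match (Step 6), the /30 inside-tunnel rule (Step 8) and the link peer IP/ASN (Step 9) are easy to get wrong in the portal, here is an added pre-flight checker, example code I wrote for this post and not part of the original, that validates a planned configuration before anything is created. The Azure APIPA range and the AWS reserved /30 blocks are assumptions from my reading of the vendor docs, not values from this post; verify them against current documentation.

```python
import ipaddress

# Stated in the post: AWS accepts a /30 inside-tunnel CIDR and uses its first host IP,
# so the Azure custom BGP IP must be the second host IP of that /30, and the Azure
# link's BGP peer IP must be the first one.
# Assumed (not on the page, from the vendor docs; verify): AWS requires the /30 to come
# from 169.254.0.0/16 minus the reserved blocks below; Azure custom BGP (APIPA)
# addresses must lie in 169.254.21.0 - 169.254.22.255.
AWS_APIPA = ipaddress.ip_network("169.254.0.0/16")
AWS_RESERVED = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")]
AZURE_APIPA = (ipaddress.ip_address("169.254.21.0"), ipaddress.ip_address("169.254.22.255"))


def tunnel_cidr_for(azure_bgp_ip: str) -> ipaddress.IPv4Network:
    """Return the /30 containing the Azure custom BGP IP (what AWS wants in field No.3)."""
    return ipaddress.ip_network(f"{azure_bgp_ip}/30", strict=False)


def check_plan(plan: dict) -> list:
    """Return a list of findings (empty means the plan is consistent)."""
    findings = []
    if plan["azure_asn"] != plan["aws_customer_gateway_asn"]:
        findings.append("customer gateway BGP ASN must equal the Azure AS number")
    if plan["aws_tgw_asn"] != plan["azure_link_peer_asn"]:
        findings.append("Azure link BGP peer ASN must equal the Transit Gateway ASN")
    azure_ip = ipaddress.ip_address(plan["azure_bgp_ip"])
    if not AZURE_APIPA[0] <= azure_ip <= AZURE_APIPA[1]:
        findings.append("Azure custom BGP IP outside the Azure APIPA range")
    cidr = tunnel_cidr_for(plan["azure_bgp_ip"])
    hosts = list(cidr.hosts())  # a /30 has exactly two host addresses
    if azure_ip != hosts[1]:
        findings.append(f"AWS takes {hosts[0]}; Azure BGP IP should be {hosts[1]}")
    if ipaddress.ip_address(plan["azure_link_peer_ip"]) != hosts[0]:
        findings.append(f"Azure link BGP peer IP must be the first IP {hosts[0]}")
    if not cidr.subnet_of(AWS_APIPA) or any(cidr.overlaps(r) for r in AWS_RESERVED):
        findings.append(f"inside tunnel CIDR {cidr} is not allowed by AWS")
    # VNet, VPC and the optional Transit Gateway CIDR block must not overlap (Step 4).
    nets = [ipaddress.ip_network(c) for c in plan["address_spaces"]]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"address space overlap: {a} and {b}")
    return findings


# Constructed sample plan (not the post's real values): Azure default ASN, AWS default ASN.
EXAMPLE_PLAN = {"azure_asn": 65515, "aws_customer_gateway_asn": 65515,
                "aws_tgw_asn": 64512, "azure_link_peer_asn": 64512,
                "azure_bgp_ip": "169.254.22.2", "azure_link_peer_ip": "169.254.22.1",
                "address_spaces": ["10.1.0.0/16", "10.2.0.0/16", "10.99.0.0/24"]}
```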

Once done, create the new VPN connection. Next, we connect to the VPN site.

Before we connect, some other information must be filled in. Input the same pre-shared key you entered in Step 8.

At this moment, the VPN connection starts to establish between Azure and AWS. After a few minutes, you will see on the Azure side that the VPN connection has succeeded and is connected.

And on the AWS side, you will see the status is up and 2 BGP routes are learned.

Let’s check the routes on the Azure side. We can see that traffic going to , which is the AWS network segment, is sent to the VPN Gateway.

Let’s check on the AWS side. We can also see that traffic going to is sent to the VPN Gateway as well.

Verify result

Lastly, it has been a long way, but we are finally here. Let’s verify the result by pinging the VMs from both sides.

  • My EC2’s private IP is
  • My Azure VM private IP is

EC2 ping Azure VM

Azure VM pinging EC2

And the test result is a success! That’s it for today’s post. Hope you all like it. Have a good day.



AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.