BGP Azure Lab Maker

Lately I have been working in creating lab environments to train on some aspects of Azure networking, such as Network Virtual Appliances, VPN or ExpressRoute. I started creating scripts to deploy each of those, but then I realized that those scripts had a lot in common. Would it be possible to generalize them into one single one that rules them all?

That is the idea behind the BGP Azure Lab Maker project (find the script in my Azure CLI repository here). Imagine you want to deploy the topology in the diagram below (you might recognize as a simulation of a redundant ExpressRoute topology, for the ones that cannot afford ExpressRoute circuits for learning purposes):

The idea is having a tool where you give it the topology you want to build, and it creates it for you. Welcome to the Azure BGP Lab Maker. This is a shell script that would take your topology as text input. For example, to build the previous topology, you would use this command line:

zsh bgp.sh \
 "1:vng:65515,2:vng:65515,3:csr:22076,4:csr:22076,5:csr:65001,6:csr:65002" \
 "1:3,1:4,2:3,2:4,3:5,4:6,5:6" \
 bgp1 northeurope "supersecretpsk"

The inputs are easily decomposed: the first string describes which appliances to deploy: either Virtual Network Gateways (“vng”), or Cisco Cloud Services Routers (“csr”), and the Autonomous System Number (ASN) to configure. In this case we have 6 devices, as the string “1:vng:65515,2:vng:65515,3:csr:22076,4:csr:22076,5:csr:65001,6:csr:65002” shows.

I am using those two because they are the ones I know best. If you have other examples of appliances that should be included (like Linux boxes with StrongSwan and Quagga), feel free to send Pull Requests my way!

By the way, you can see I am using the ASN 22076 instead of the standard 12076 for ExpressRoute. That is because the ASN 12076 is reserved in Azure for ExpressRoute, and you cannot use it for anything else (like this kind of scenarios).

The next argument are the connections, essentially which router is connected to which other router: “1:3,1:4,2:3,2:4,3:5,4:6,5:6”. Here we have router1 connected to router3 (“1:3”), router1 to router4 (“1:4”), etc.

And finally, the last three arguments are just the resource group (“bgp1”), the Azure region where to deploy this (“northeurope”) and the pre-shared key to use for the IPsec connections (“supersecretpsk”).

After some minutes (deploy a Virtual Network Gateway in Azure is still painfully slow) you get everything deployed, and you can have a look at the IP addresses. In my case:

az network public-ip list -g $rg -o table
Name      ResourceGroup    Location     Zones    Address         AddressVersion    AllocationMethod    IdleTimeoutInMinutes    ProvisioningState
--------  ---------------  -----------  -------  --------------  ----------------  ------------------  ----------------------  -------------------
csr3-pip  bgp1             northeurope           52.169.146.221  IPv4              Static              4                       Succeeded
csr4-pip  bgp1             northeurope           52.169.118.161  IPv4              Static              4                       Succeeded
csr5-pip  bgp1             northeurope           13.79.189.43    IPv4              Static              4                       Succeeded
csr6-pip  bgp1             northeurope           40.115.125.95   IPv4              Static              4                       Succeeded
pip1a     bgp1             northeurope           13.74.144.88    IPv4              Dynamic             4                       Succeeded
pip1b     bgp1             northeurope           52.169.64.165   IPv4              Dynamic             4                       Succeeded
pip2a     bgp1             northeurope           52.169.3.35     IPv4              Dynamic             4                       Succeeded
pip2b     bgp1             northeurope           52.169.3.47     IPv4              Dynamic             4                       Succeeded

So as you can see a bunch of IP addresses where deployed. If we go to one of the routers in the middle of the topology (such as csr3) we can have a look at its connectivity. For example, the different BGP adjacencies with other routers in the topology:

csr3-nva#sh ip bgp summ
[...]
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.0.4        4        65515      47      52        7    0    0 00:36:13        2
10.1.0.5        4        65515      49      49        7    0    0 00:36:09        2
10.2.0.4        4        65515      47      47        7    0    0 00:33:18        2
10.2.0.5        4        65515      44      49        7    0    0 00:34:00        2
10.205.0.10     4        65001      44      47        7    0    0 00:32:59        2

And you can now go to the edge routers (csr5 and csr6) to see how they learn their routes:

csr5-nva#sh ip route bgp
[...] 
      10.0.0.0/8 is variably subnetted, 10 subnets, 3 masks
B        10.1.0.0/16 [20/0] via 10.203.0.10, 00:35:31
B        10.2.0.0/16 [20/0] via 10.203.0.10, 00:35:31
B        10.203.0.0/24 [20/0] via 10.203.0.10, 00:35:31
B        10.204.0.0/24 [20/0] via 10.206.0.10, 00:34:44
B        10.204.0.10/32 [20/0] via 10.203.0.10, 00:35:31
B        10.206.0.0/24 [20/0] via 10.206.0.10, 00:34:56

For example you can see there that CSR5 goes to 10.1.0.0/16 and 10.2.0.0/16 over the same router (CSR3), but what if you wanted to go via CSR6 instead? Now you built your lab, you can start playing with this.

Other interesting scenarios you could build with this:

  • Basic example with 1 VNG connected to one CSR: bash bgp.sh “1:vng:65501,2:csr:65502” “1:2” mylab northeurope mypresharedkey
  • 4 CSRs connected in full mesh to each other: bash bgp.sh “1:csr:65501,2:csr:65502,3:csr:65503,4:csr:65504” “1:2,1:3,2:4,3:4,1:4,2:3” mylab northeurope mypresharedkey

Can you think of other interesting topologies? Any feedback about the script? Happy to hear from you either here or with issues in the Github repo!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: