Azure Expressroute BGP configuration

Azure Expressroute requires the use of two networks and BGP for the setup.

The two networks are /30 networks, so let's assume we use and . This would mean that your internal interfaces will have IPs and while the Microsoft side will have and .

Let's assume that you want to advertise the following networks for your office network: and . Let's assume that the networks in Azure are and .

The BGP setup on the WatchGuard will then look like:
router bgp PrivateBGPNumber
bgp router-id
bgp router-id
neighbor remote-as 12076
neighbor remote-as 12076
neighbor password ThePassword
neighbor password ThePassword

Firewall rules are set up to allow all traffic to and from the local networks to the Azure networks.

The problem that then occurs is that the WatchGuard sees both networks and on both interfaces and then starts blocking traffic on one of the interfaces as spoofed.

What is missing from the setup?
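The spoofing behaviour described above can be reproduced with a small model of a strict reverse-path check against a BGP-learned forwarding table. This is an added example, not code from the post or from WatchGuard; all addresses are constructed documentation values (the post's own addresses are not reproduced), and the interface names, prefixes and the single-best-path tie-break are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    interface: str


# Constructed example values: two Azure prefixes learned from the two
# ExpressRoute BGP neighbors (AS 12076), one neighbor per /30 link.
AZURE_PREFIXES = [ipaddress.ip_network("10.1.0.0/16"),
                  ipaddress.ip_network("10.2.0.0/16")]
BGP_LEARNED = (
    [Route(p, ipaddress.ip_address("10.0.0.2"), "eth1") for p in AZURE_PREFIXES]
    + [Route(p, ipaddress.ip_address("10.0.0.6"), "eth2") for p in AZURE_PREFIXES]
)


def build_forwarding_table(routes, multipath=False):
    """Without multipath only one best path per prefix is installed (the first
    learned route models the BGP tie-break); with multipath both are kept."""
    fib = {}
    for r in routes:
        fib.setdefault(r.prefix, [])
        if multipath or not fib[r.prefix]:
            fib[r.prefix].append(r)
    return fib


def lookup_interfaces(fib, addr):
    """Longest-prefix match; returns the interfaces the FIB would use to reach addr."""
    matches = [p for p in fib if addr in p]
    if not matches:
        return set()
    best = max(matches, key=lambda p: p.prefixlen)
    return {r.interface for r in fib[best]}


def is_spoofed(fib, src, ingress_iface):
    """Strict reverse-path check: the packet is flagged when its source would
    not be routed back out of the interface it arrived on."""
    return ingress_iface not in lookup_interfaces(fib, ipaddress.ip_address(src))


def classify(multipath):
    """Return traffic from one Azure host arriving on each link: which is flagged?"""
    fib = build_forwarding_table(BGP_LEARNED, multipath)
    return {iface: is_spoofed(fib, "10.1.4.20", iface) for iface in ("eth1", "eth2")}
```

With a single installed best path, packets from an Azure source arriving on the other link fail the check even though that link is a legitimate path; keeping both next hops makes either ingress interface valid.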


  • james.carson Moderator, WatchGuard Representative

    Hi @DanielBarten

    The firewall marks traffic as spoofed when it arrives via an interface that it isn't expecting. This usually happens if the route the traffic comes in / leaves via is asymmetric.

    Take a look at the spoofing log that you're seeing traffic denied on. Is it arriving where you expect it to be?

    You can turn spoofing off globally in Default Threat Protection as a test -- does the traffic flow then?

    -James Carson
    WatchGuard Customer Support

  • Daniel, did you ever figure this out? I am looking to do something similar. The ExpressRoute connection has to interface with an Azure Virtual Network Gateway first, right? Then will that gateway send the BGP routes to the WatchGuard NVA?
    I have a BOVPN setup on the Firebox NVA right now and I was hoping to get it working as a failover to the Expressroute connection.
