Looking to Disable BGP on an VPN Gateway

Question

Looking to Disable BGP on an VPN Gateway

Shiv Shankar 0

Looking to Disable BGP on an VPN Gateway. its not enabled but it looks open to the internet, so i want to disable it

Jose Benjamin Solis Nolasco 8,561 Reputation points Volunteer Moderator

2026-06-18T19:43:50.9733333+00:00

What tool did you use to check if it open to internet?
Vallepu Venkateswarlu 10,000 Reputation points Microsoft External Staff Moderator

2026-06-19T09:46:01.1366667+00:00
Hi **Shiv Shankar,

**Welcome to Microsoft Q&A Platform.

I get what you’re concerned about. On Azure VPN Gateways, BGP isn’t something that “automatically” opens up to the internet just because you can see a reachable port. In the normal design, BGP for a VPN gateway is only established with the configured on-premises peer(s) over the IPsec tunnel when you have BGP properly enabled/configured for the connection (and matching BGP settings on both sides).

How to “disable BGP” on the VPN gateway To ensure BGP is not used, you should make sure BGP is not enabled for the relevant VPN connection(s). Per the BGP how-to, BGP is controlled at the connection level:

Go to your Virtual Network Gateway

Open Connections

Select the specific connection

In the connection Configuration, make sure BGP = Disabled (i.e., uncheck/turn off Enable BGP)

Save/apply the configuration changes

If there’s also a VPN Site (local network gateway / vpn site resource) that has BGP settings defined, that alone doesn’t mean BGP will be active for a connection—what matters is that Enable BGP is not turned on for that connection and that the peer configuration is not being used for BGP sessions.

Related troubleshooting note: if BGP is enabled on the connection while the VPN site doesn’t have valid BGP settings, Azure can reject/raise configuration issues (for example the Invalid Parameter case where Azure says BGP can’t be enabled because the vpnsite doesn’t have valid BGP settings).

You tested the public IP for the VPN gateway and observed some port reachability, but not necessarily BGP peering/session establishment You might be seeing something reachable but not a functional BGP session (no tunnel + no configured BGP peer over IPsec)

Reference :

Configure BGP, routing, forced tunneling, or NAT (includes diagnostics + BGP how-to entry points): https://learn.microsoft.com/azure/vpn-gateway/bgp-howto

Configure BGP for cross-premises S2S connections (includes local network gateway BGP settings and peer matching): https://learn.microsoft.com/azure/vpn-gateway/bgp-howto

Configure BGP for VPN gateway (PowerShell): https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-bgp-resource-manager-ps

Configure BGP for VPN gateway (CLI): https://learn.microsoft.com/azure/vpn-gateway/bgp-how-to-cli

BGP diagnostics / BGP peers dashboard: https://learn.microsoft.com/azure/vpn-gateway/bgp-diagnostics

Troubleshoot InvalidParameter when configuring VPN Gateway connections (BGP enabled but vpnsite missing/invalid BGP settings): https://supportabilityhub.microsoft.com/solutions/apollosolutions/14c8df49-9933-ed72-5f61-745482f233eb/490ce271-b853-4a1e-8a4f-bf541f131c26

Reset a VPN Gateway: https://supportabilityhub.microsoft.com/solutions/apollosolutions/14c8df49-9933-ed72-5f61-745482f233eb/apollo-19c9afd2-603e-4b46-9d59-16a68e5d8bba

Please "upvote" if the information helped you. This will help us and others in the community as well.

1 answer

Your answer

Jose Benjamin Solis Nolasco 8,561 Reputation points Volunteer Moderator

2026-06-18T19:43:50.9733333+00:00

What tool did you use to check if it open to internet?

Answer 1

On an Azure VPN Gateway, BGP is only active if it has been explicitly enabled on the gateway connection and ASN settings are configured. If BGP is not enabled in the gateway configuration, Azure does not establish BGP peering sessions, even though you may still see TCP port 179 appear reachable during scans or from public-facing diagnostics. The gateway service itself is Microsoft-managed infrastructure, so certain ports may appear exposed externally as part of the platform architecture, but that does not mean BGP routing is operational.

To verify the current configuration, go to the Virtual Network Gateway in the Azure portal, select Configuration, and confirm that Configure BGP is set to Disabled. You can also review each Site-to-Site or VNet-to-VNet connection under Connections and ensure that Enable BGP is not checked there either. BGP must be enabled both on the gateway and on the individual connection before dynamic routing sessions can form.

If you previously enabled BGP and want to fully disable it, turn off Configure BGP on the gateway, save the changes, and then remove or disable BGP on any associated connections. Azure may briefly reprovision the VPN gateway during the update. Once disabled, the gateway uses only static route exchange for VPN connectivity.

Note that Azure VPN Gateway public IPs cannot be directly firewalled or restricted like a VM NIC because the gateway is a managed PaaS service. You cannot manually close TCP 179 at the Azure edge. If external scans show the port as “open” or “responsive,” that reflects Azure platform behavior rather than an active BGP session. The actual security boundary is whether BGP is configured and whether authenticated VPN peers are allowed to establish routing exchanges.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Share via

Looking to Disable BGP on an VPN Gateway

1 answer

Your answer