Merge pull request #312329 from asudbring/tsk556121-sfi-bastion

JillGrant615 · web-flow · commit 1ddda4288023 · 2026-03-03T20:47:19.000-07:00
SFI Bastion security update - Route Server BGP peering tutorial
diff --git a/articles/route-server/peer-route-server-with-virtual-appliance.md b/articles/route-server/peer-route-server-with-virtual-appliance.md
@@ -5,22 +5,22 @@ author: duongau
 ms.author: duau
 ms.service: azure-route-server
 ms.topic: tutorial
-ms.date: 09/17/2025
+ms.date: 03/03/2026
 ms.custom: sfi-image-nochange
 
 ---
 
 # Tutorial: Configure BGP peering between Azure Route Server and network virtual appliance (NVA)
 
-This tutorial shows you how to deploy Azure Route Server and configure BGP peering with a Windows Server network virtual appliance (NVA). You learn the complete process from deployment through route verification, providing hands-on experience with dynamic routing in Azure virtual networks.
+This tutorial shows you how to deploy Azure Route Server and configure BGP peering with a Linux-based network virtual appliance (NVA). You learn the complete process from deployment through route verification, providing hands-on experience with dynamic routing in Azure virtual networks.
 
 By the end of this tutorial, you have a working Azure Route Server environment that demonstrates automatic route exchange between Azure's software-defined network and a network virtual appliance.
 
 In this tutorial, you learn how to:
 
 > [!div class="checklist"]
 > * Deploy an Azure Route Server in a virtual network
-> * Create and configure a Windows Server virtual machine as an NVA
+> * Create and configure a Linux virtual machine as an NVA
 > * Configure BGP routing on the network virtual appliance
 > * Establish BGP peering between Route Server and the NVA
 > * Verify route learning and propagation
@@ -82,11 +82,11 @@ In this section, you create an Azure Route Server that establishes BGP peering w
 
 ## Create a network virtual appliance (NVA)
 
-In this section, you create a Windows Server virtual machine that functions as a network virtual appliance and establish BGP communication with the Route Server.
+In this section, you create a Linux virtual machine that functions as a network virtual appliance and establish BGP communication with the Route Server.
 
 ### Create a virtual machine
 
-Create a Windows Server VM in the virtual network you created earlier to act as a network virtual appliance.
+Create a Linux VM in the virtual network you created earlier to act as a network virtual appliance.
 
 1. In the search box at the top of the portal, enter **virtual machine**, and select **Virtual machines** from the search results.
 
@@ -104,12 +104,13 @@ Create a Windows Server VM in the virtual network you created earlier to act as
     | Region | Select **(US) East US**. |
     | Availability options | Select **No infrastructure required**. |
     | Security type | Select a security type. This tutorial uses **Standard**. |
-    | Image | Select a **Windows Server** image. This tutorial uses **Windows Server 2022 Datacenter: Azure Edition - x64 Gen2** image. |
+    | Image | Select **Ubuntu Server 24.04 LTS - x64 Gen2**. |
     | Size | Choose a size or leave the default setting. |
     | **Administrator account** |  |
+    | Authentication type | Select **SSH public key**. |
     | Username | Enter a username. |
-    | Password | Enter a password. |
-    | Confirm password | Reenter the password. |
+    | SSH public key source | Select **Generate new key pair**. |
+    | Key pair name | Enter **myNVA-key**. |
 
 1. Select the **Networking** tab or **Next: Disks >** then **Next: Networking >**.
 
@@ -119,53 +120,59 @@ Create a Windows Server VM in the virtual network you created earlier to act as
     | -------- | ----- |
     | Virtual network | Select **myVirtualNetwork**. |
     | Subnet | Select **mySubnet (10.0.0.0/24)**. |
-    | Public IP | Leave as default. |
-    | NIC network security group | Select **Basic**. |
-    | Public inbound ports | Select **Allow selected ports**. |
-    | Select inbound ports | Select **RDP (3389)**. |
-
-    > [!CAUTION]
-    > Leaving the RDP port open to the internet isn't recommended. Restrict access to the RDP port to a specific IP address or range of IP addresses. For production environments, it's recommended to block internet access to the RDP port and use [Azure Bastion](../bastion/bastion-overview.md?toc=/azure/route-server/toc.json) to securely connect to your virtual machine from the Azure portal.
+    | Public IP | Select **None**. |
+    | NIC network security group | Select **Advanced**. |
+    | Configure network security group | Select **Create new**.</br> In **Name** enter **nsg-nva**.</br> Select **OK**. |
 
 1. Select **Review + create** and then **Create** after validation passes.
 
+    > [!NOTE]
+    > The network security group rules block inbound SSH access from the internet. To run commands on the virtual machine, use the **Run command** feature in the Azure portal or deploy Azure Bastion. For more information about Azure Bastion, see [Quickstart: Deploy Azure Bastion with default settings](../bastion/quickstart-host-portal.md).
+
 ### Configure BGP on the virtual machine
 
-In this section, you configure BGP settings on the VM so it can function as an NVA and exchange routes with the Route Server.
+In this section, you install FRRouting (FRR) on the VM and configure BGP so it can function as an NVA and exchange routes with the Route Server.
 
 > [!IMPORTANT]
-> The Routing and Remote Access Service (RRAS) isn't supported in Azure for production use. However, in this tutorial, it's used to simulate an NVA and demonstrate how to establish BGP peering with Route Server. For production environments, use supported network virtual appliances from Azure Marketplace. For more information, see [Remote access overview](/windows-server/remote/remote-access/remote-access).
-1. Go to **myNVA** virtual machine and select **Connect**.
-
-1. On the **Connect** page, select **Download RDP file** under **Native RDP**.
-
-1. Open the downloaded file.
-
-1. Select **Connect** and then enter the username and password that you created in the previous steps. Accept the certificate if prompted.
-
-1. Run PowerShell as an administrator.
-
-1. In PowerShell, execute the following cmdlets:
-
-    ```powershell
-    # Install required Windows features.
-    Install-WindowsFeature RemoteAccess
-    Install-WindowsFeature RSAT-RemoteAccess-PowerShell
-    Install-WindowsFeature Routing
-    Install-RemoteAccess -VpnType RoutingOnly
-    
-    # Configure BGP & Router ID on the Windows Server
-    Add-BgpRouter -BgpIdentifier 10.0.0.4 -LocalASN 65001
-     
-    # Configure Azure Route Server as a BGP Peer.
-    Add-BgpPeer -LocalIPAddress 10.0.0.4 -PeerIPAddress 10.0.1.4 -PeerASN 65515 -Name RS_IP1
-    Add-BgpPeer -LocalIPAddress 10.0.0.4 -PeerIPAddress 10.0.1.5 -PeerASN 65515 -Name RS_IP2
-    
-    # Originate and announce BGP routes.
-    Add-BgpCustomRoute -network 172.16.1.0/24
-    Add-BgpCustomRoute -network 172.16.2.0/24
+> FRRouting is used in this tutorial to simulate an NVA and demonstrate how to establish BGP peering with Route Server. For production environments, use supported network virtual appliances from Azure Marketplace.
+
+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.
+
+1. Select **myNVA**.
+
+1. In **Operations**, select **Run command** then **RunShellScript**.
+
+1. Enter the following script in the **Run Command Script** window, then select **Run**:
+
+    ```bash
+    #!/bin/bash
+    # Install FRRouting
+    sudo apt-get update && sudo apt-get install -y frr
+
+    # Enable BGP daemon
+    sudo sed -i 's/bgpd=no/bgpd=yes/' /etc/frr/daemons
+
+    # Write BGP configuration
+    sudo tee /etc/frr/frr.conf > /dev/null << 'EOF'
+    frr version 8.1
+    frr defaults traditional
+    hostname myNVA
+    router bgp 65001
+     bgp router-id 10.0.0.4
+     neighbor 10.0.1.4 remote-as 65515
+     neighbor 10.0.1.5 remote-as 65515
+     address-family ipv4 unicast
+      network 172.16.1.0/24
+      network 172.16.2.0/24
+     exit-address-family
+    EOF
+
+    # Restart FRR to apply configuration
+    sudo systemctl restart frr
     ```
 
+1. Wait for the script to complete. The output confirms the FRR installation and BGP configuration.
+
 ## Configure Route Server peering
 
 Now that you have configured BGP on the virtual machine, you need to add the NVA as a BGP peer in the Route Server configuration.
