Cross
Chevron left
blog

Managing BGP Route Limits with Cloud Providers: How to Avoid Connectivity Issues

When connecting to multiple cloud providers, staying within BGP route limits is crucial to maintaining stable connectivity. Exceeding these limits can lead to disruptions, but with the right monitoring and automation, you can avoid these pitfalls.
Pierre COGNIN
by 
Pierre COGNIN
August 21, 2024
Cloud
Managing BGP Route Limits with Cloud Providers: How to Avoid Connectivity Issues

As businesses increasingly adopt multi-cloud strategies, managing network connectivity between on-premises infrastructure and various cloud providers has become more complex. One critical aspect of this connectivity is the Border Gateway Protocol (BGP), which is used to exchange routing information between networks. However, each cloud provider imposes specific limits on the number of BGP routes that can be advertised or learned in a session. Exceeding these limits can result in service disruptions, making it essential to monitor and manage your BGP configurations effectively.

In this article, we’ll explore the BGP route limits for major cloud providers, how to monitor these limits on a Fortigate firewall, how to automate this monitoring using a Shell script that can be integrated with your preferred monitoring solution, and best practices for ensuring reliable connectivity.

Understanding BGP Route Limits

Cloud providers typically set limits on the number of BGP routes that can be exchanged in a session to protect their infrastructure from being overwhelmed by excessive routing information. Exceeding these limits can lead to route flapping, session resets, or even the termination of the BGP session, which could disrupt network connectivity between your data center and the cloud provider.

Here are the current BGP route limits for three major cloud providers:

AWS (Amazon Web Services): 100 BGP routes per session

Microsoft Azure: 200 BGP routes per session

Google Cloud Platform (GCP): 100 BGP routes per session

These limits may seem generous, but in complex environments with multiple VPCs, on-premises networks, and peering arrangements, it’s easy to exceed them if not carefully managed.

Checking BGP Routes on a FortiGate Firewall

FortiGate firewalls provide powerful tools for monitoring and managing BGP sessions. You can quickly check the number of BGP routes advertised and received using the command line interface (CLI).

1. Checking Advertised/Received Routes

To view the number of routes advertised and learned from your BGP neighbors, use the following command:

get router info bgp neighbors [neighbor IP]

2. Checking Details of Advertised/Received Routes

To view in details the routes your FortiGate is advertising/receiving to a specific BGP neighbor, use this command:

get router info bgp neighbors [neighbor IP] advertised-routes

Automating BGP Route Monitoring with Shell Script

Manually checking BGP routes is time-consuming and prone to human error, especially in large environments with multiple cloud providers. Automating the monitoring process ensures that you are alerted before any BGP limits are breached. The following Shell script can be integrated with your preferred monitoring solution (e.g., Nagios, Zabbix, Prometheus) to automate this process and includes a warning when 90% of the route limit is reached.

Shell Script for BGP Route Monitoring

This Shell script retrieves the number of received and advertised BGP routes from a FortiGate firewall and checks them against predefined thresholds. The script is designed to be flexible, with variables for cloud providers, IP addresses, and thresholds.

#!/bin/bash

# Configuration of cloud provider limits and warning thresholds
LIMIT_AWS=100
LIMIT_AZURE=200
LIMIT_GCP=100
LIMIT_AWS_TGW=5000  # For AWS Transit Gateway

WARNING_THRESHOLD=90  # Warning at 90% of the limit

# FortiGate configuration
FORTIGATE_IP="192.168.1.1"
FORTIGATE_USER="admin"
SSH_PORT=22

# Neighbor IP addresses for each cloud provider
AWS_NEIGHBOR_IP="10.0.0.1"
AZURE_NEIGHBOR_IP="10.0.0.2"
GCP_NEIGHBOR_IP="10.0.0.3"

# Function to execute commands on FortiGate via SSH
execute_command() {
   ssh -p $SSH_PORT -o StrictHostKeyChecking=no $FORTIGATE_USER@$FORTIGATE_IP "$1"
}

# Function to check received routes
check_received_routes() {
   execute_command "get router info bgp neighbors $1" | grep -oP '\d+(?=\s+received)' | head -1
}

# Function to check advertised routes for a specific neighbor
check_advertised_routes() {
   local neighbor_ip=$1
   execute_command "get router info bgp neighbors $neighbor_ip advertised-routes" | grep -c "^"
}

# Function to check limits for a cloud provider
check_limits() {
   local cloud_provider=$1
   local neighbor_ip=$2
   local limit=$3

   received_routes=$(check_received_routes "$neighbor_ip")
   advertised_routes=$(check_advertised_routes "$neighbor_ip")

   if [[ $received_routes -ge $((limit * WARNING_THRESHOLD / 100)) || $advertised_routes -ge $((limit * WARNING_THRESHOLD / 100)) ]]; then
       echo "WARNING: BGP routes for $cloud_provider have reached 90% of the limit!"
   fi

   if [[ $received_routes -gt $limit || $advertised_routes -gt $limit ]]; then
       echo "CRITICAL: BGP routes exceed $cloud_provider limit!"
       exit 2
   fi
}

# Check limits for each cloud provider
check_limits "AWS" $AWS_NEIGHBOR_IP $LIMIT_AWS
check_limits "Azure" $AZURE_NEIGHBOR_IP $LIMIT_AZURE
check_limits "GCP" $GCP_NEIGHBOR_IP $LIMIT_GCP
check_limits "AWS Transit Gateway" $AWS_NEIGHBOR_IP $LIMIT_AWS_TGW

echo "OK: BGP routes within limits for all providers"
exit 0

Best Practices for Managing BGP Route Limits

Managing BGP route limits effectively requires a combination of careful planning, regular monitoring, and strategic configuration. Here are some best practices:

1. Aggregate Routes Where Possible: If your network design allows it, aggregate routes to reduce the number of individual prefixes that need to be advertised. This helps to stay within the route limits while still maintaining necessary connectivity.

2. Use Route Filtering: Implement route filtering on your FortiGate to prevent unnecessary routes from being advertised or learned. This can help to keep the routing tables lean and within the required limits.

3. Consider GRE Tunnels: If you need to scale beyond BGP route limits, consider using GRE tunnels (with AWS Transit Gateway for example). With a limit of 5,000 routes per attachment, AWS Transit Gateway offers a robust solution for handling larger routing tables. This setup can help distribute and manage the routes more efficiently across your network.

4. Plan for Growth: As your network evolves, plan your BGP configuration with future growth in mind. This might include implementing route summarization, optimizing routing policies, or even re-evaluating your multi-cloud strategy.

Conclusion

BGP is a critical component of modern network architecture, especially in multi-cloud environments. However, managing BGP routes requires careful attention to the limits imposed by cloud providers. By regularly monitoring your BGP sessions, automating this process with a script, and following best practices, you can maintain reliable and stable connectivity across your cloud and on-premises infrastructure.

Effective BGP management ensures that your network remains robust and responsive, even as it scales to meet the demands of your business. Don’t let unmanaged BGP routes jeopardize your operations—stay proactive, stay within the limits, and keep your network running smoothly.

Continue reading
September 4, 2024
Cloud
The silent revolution of cloud costs: innovative strategies and tools for 2024-2025
August 28, 2024
Operations
Volgap: Revolutionizing your IT incident diagnostics
August 14, 2024
Wifi
Managing Guest Access: When HTTPS Complicates Things
Product
VolgapSolutions & Expertise
Company
AboutBlogContact
Contact
Get In Touch