How to Set Up BGP Routing on Windows Server 2016

Border Gateway Protocol (BGP) is the routing protocol that powers the internet. It is a path-vector protocol used to exchange routing information between autonomous systems (AS). Windows Server 2016 includes a software-based BGP implementation as part of the Remote Access role, which can be used in smaller branch office scenarios, software-defined networking environments, or as a route reflector. While Windows Server BGP is not a replacement for dedicated router hardware in large deployments, it is useful for Azure VPN integration, cloud gateway scenarios, and lab environments where you need BGP without specialized appliances.

The BGP implementation in Windows Server 2016 supports iBGP (internal BGP between peers in the same AS) and eBGP (external BGP between different autonomous systems). It can advertise and receive IPv4 routes, supports route policies, and integrates with Windows Routing and Remote Access Service (RRAS). This guide covers installing the Remote Access role, configuring BGP, adding peers, and verifying route exchange.

Installing the Remote Access Role with BGP

Install the Remote Access role and its PowerShell management module. The BGP router functionality is part of the Routing role service, which is installed in the next step:

Install-WindowsFeature RemoteAccess -IncludeManagementTools
Install-WindowsFeature RSAT-RemoteAccess-PowerShell

Install the Routing role service specifically:

Install-WindowsFeature Routing -IncludeManagementTools

Configure Remote Access in routing-only mode, which enables the router without VPN services:

Install-RemoteAccess -VpnType RoutingOnly

Configuring the BGP Router

Import the BGP PowerShell module:

Import-Module RemoteAccess

Add a BGP router instance. Specify your local Autonomous System Number (ASN). In this example, we use ASN 65001 which is in the private ASN range (64512-65534):

Add-BgpRouter -BgpIdentifier 192.168.1.10 -LocalASN 65001

Verify the BGP router was created:

Get-BgpRouter

Adding BGP Peers

Add an eBGP peer (a neighbor in a different autonomous system). This could be your upstream ISP router or a remote gateway:

Add-BgpPeer -Name "UpstreamRouter" -LocalIPAddress 192.168.1.10 -PeerIPAddress 192.168.1.1 -PeerASN 65000 -OperationMode Mixed

Add an iBGP peer (a neighbor in the same autonomous system):

Add-BgpPeer -Name "InternalRouter" -LocalIPAddress 10.0.0.1 -PeerIPAddress 10.0.0.2 -PeerASN 65001 -OperationMode Mixed

View all configured BGP peers and their state:

Get-BgpPeer

Check the status of a specific peer:

Get-BgpPeer -Name "UpstreamRouter"

Advertising Routes via BGP

Add a custom route to the BGP routing table to advertise to peers:

Add-BgpCustomRoute -Network "10.100.0.0/16"

Advertise the routes associated with a network interface (the BGP router picks up the routes from the named interface and advertises them):

Add-BgpCustomRoute -Interface "Ethernet"

View the custom routes currently configured for advertisement by BGP:

Get-BgpCustomRoute

View the BGP routing table, including routes learned from peers (the LearnedFromPeer column shows which peer sent each route):

Get-BgpRouteInformation -Type All

Configuring BGP Route Policies

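BGP route policies control which routes are accepted from or advertised to specific peers, and can also modify the attributes of matching routes. Create a route policy that matches routes by network prefix and sets their local preference to 200 (use -PolicyType Allow or Deny instead to accept or drop the matching routes):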

Add-BgpRoutingPolicy -Name "FilterInbound" -PolicyType ModifyAttribute -MatchPrefix "10.0.0.0/8" -NewLocalPref 200

Apply the inbound policy to a peer:

Add-BgpRoutingPolicyForPeer -PeerName "UpstreamRouter" -PolicyName "FilterInbound" -Direction Ingress

View configured route policies:

Get-BgpRoutingPolicy

Monitoring and Troubleshooting BGP

Reset a BGP peer session by stopping and restarting the peer, which forces the connection to be re-established:

Stop-BgpPeer -Name "UpstreamRouter" -Force
Start-BgpPeer -Name "UpstreamRouter"

View the BGP routing table showing all learned routes:

Get-BgpRouteInformation

Remove a BGP peer when it is no longer needed:

Remove-BgpPeer -Name "UpstreamRouter" -Force

Enable BGP tracing for detailed diagnostic output. Check event logs in Event Viewer under Applications and Services Logs for Remote Access BGP events. BGP uses TCP port 179 for peer sessions, so ensure this port is open in Windows Firewall and any network firewalls between peers. The session must be established from the same IP address configured as the local address in Add-BgpPeer, or the peer will reject the connection. Always coordinate ASN assignments with your network team to avoid conflicts with real internet ASNs if your network connects to the public internet.
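
The checks in the closing notes above can be scripted before peers are added. The following is an added example, not part of the original guide: it scopes the inbound TCP 179 firewall rule to each peer's address instead of opening the port to any source, confirms the local address is bound on the host, and flags peer ASNs outside the private ranges. The peer values mirror the Add-BgpPeer commands in this guide; the function names and firewall rule names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide). Peer values mirror the
# Add-BgpPeer commands above; function and rule names are hypothetical.
$peers = @(
    @{ Name = 'UpstreamRouter'; LocalIP = '192.168.1.10'; PeerIP = '192.168.1.1'; PeerASN = 65000 },
    @{ Name = 'InternalRouter'; LocalIP = '10.0.0.1';     PeerIP = '10.0.0.2';    PeerASN = 65001 }
)

function Test-PrivateAsn([uint32]$Asn) {
    # RFC 6996 private-use ranges: 16-bit and 32-bit
    ($Asn -ge 64512 -and $Asn -le 65534) -or
    ($Asn -ge 4200000000 -and $Asn -le 4294967294)
}

function Confirm-BgpPeerPlan($Peer) {
    # The local address must be bound on this host, or the peer rejects the session
    $bound = [bool](Get-NetIPAddress -IPAddress $Peer.LocalIP -ErrorAction SilentlyContinue)

    # Allow inbound TCP 179 from this peer only, to this local address only
    $ruleName = "BGP-In-$($Peer.Name)"
    if ($bound -and -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort 179 -LocalAddress $Peer.LocalIP `
            -RemoteAddress $Peer.PeerIP | Out-Null
    }

    # Outbound reachability of the peer's BGP port
    $reach = Test-NetConnection -ComputerName $Peer.PeerIP -Port 179 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Peer           = $Peer.Name
        LocalIPBound   = $bound
        PeerAsnPrivate = Test-PrivateAsn $Peer.PeerASN
        Tcp179Reached  = $reach.TcpTestSucceeded
    }
}

$peers | ForEach-Object { Confirm-BgpPeerPlan $_ } | Format-Table -AutoSize
```

Windows Firewall allow rules are additive, so if a broader allow rule for TCP 179 already exists, these scoped rules restrict nothing until that rule is removed or disabled.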