How to Set Up BGP Routing with RRAS on Windows Server 2012 R2

Border Gateway Protocol (BGP) is the routing protocol that underlies internet routing. Windows Server 2012 R2 introduced native BGP support in the Routing and Remote Access Service (RRAS), making it possible to configure a Windows server as a BGP router or BGP route reflector without third-party routing software. This is particularly useful for Microsoft Azure connectivity (which uses BGP for VPN gateway integration), for multi-homed branch office scenarios, and for software-defined networking configurations. The Windows RRAS BGP implementation supports eBGP (external BGP) for peering with ISPs or cloud providers and iBGP (internal BGP) for advertising routes within an organization’s autonomous system.

Prerequisites

You need Windows Server 2012 R2 with RRAS installed and the Remote Access role services configured. The server must have connectivity to the BGP peer — either a physical router, a VPN gateway, or another RRAS server. An Autonomous System Number (ASN) must be assigned — for private use, choose from the private ASN range (64512–65534 for 2-byte ASNs). BGP peering requires TCP port 179 to be open between peers. IP routing must be enabled. A solid understanding of BGP concepts including AS paths, route filtering, and prefix advertisement is recommended for production deployments.

Step 1: Install RRAS with Routing

Install RRAS with the routing feature if not already installed:

Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools

Install-RemoteAccess -VpnType RoutingOnly

Enable IP routing in the registry:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "IPEnableRouter" -Value 1

Start-Service RemoteAccess
Set-Service RemoteAccess -StartupType Automatic

Step 2: Enable BGP on the RRAS Router

Before configuring BGP peers, enable BGP on the router. BGP on Windows Server 2012 R2 RRAS is managed through the BGP cmdlets in the RemoteAccess PowerShell module:

# Enable BGP with your local ASN
Add-BgpRouter -BgpIdentifier "192.168.1.50" `
    -LocalASN 65001 `
    -ClusterId 0 `
    -RouteReflector:$false

Verify BGP router configuration:

Get-BgpRouter | Select-Object BgpIdentifier, LocalASN, RouterState, IsRouteReflector

Step 3: Add BGP Peers

Configure BGP peering relationships. For an eBGP peer (external BGP, different ASN — typically an ISP or cloud gateway):

Add-BgpPeer -Name "ISP-Peer" `
    -LocalIPAddress "192.168.1.50" `
    -PeerIPAddress "192.168.1.254" `
    -PeerASN 65000 `
    -OperationMode Mixed `
    -PeeringMode Automatic

For an iBGP peer (internal BGP, same ASN — another RRAS server in your network):

Add-BgpPeer -Name "Branch-Router" `
    -LocalIPAddress "192.168.1.50" `
    -PeerIPAddress "10.10.0.1" `
    -PeerASN 65001 `
    -OperationMode Mixed `
    -PeeringMode Automatic

For BGP over an IPsec VPN connection (common for Azure VPN Gateway peering):

Add-BgpPeer -Name "Azure-VPN-GW" `
    -LocalIPAddress "169.254.21.1" `
    -PeerIPAddress "169.254.21.2" `
    -PeerASN 65515 `
    -OperationMode Mixed `
    -PeeringMode Automatic

Step 4: Advertise Local Routes via BGP

Configure which local IP networks should be advertised to BGP peers. Add network prefixes to the BGP routing information base:

# Advertise the local corporate subnet
Add-BgpCustomRoute -Network "192.168.0.0/16"

# Advertise multiple subnets
Add-BgpCustomRoute -Network "10.10.0.0/24"
Add-BgpCustomRoute -Network "10.20.0.0/24"
Add-BgpCustomRoute -Network "10.30.0.0/24"

Verify the routes are in the BGP table:

Get-BgpRouteInformation | Select-Object Network, NextHop, Origin, LocalPref, AsPath | Format-Table

Step 5: Configure BGP Route Policies

BGP route policies control which routes are accepted from peers and which are advertised to peers. This prevents accepting undesirable routes and limits what you advertise to external peers:

# Create a route policy to filter inbound routes from the ISP peer
# Only accept routes from the RFC 1918 range (example of filtering)
Add-BgpRoutingPolicy -Name "AcceptCorpRoutes" `
    -PolicyType Ingress `
    -MatchCriteria @{NetworkList="10.0.0.0/8"} `
    -AddCommunity "65001:100"

# Create an export policy to only advertise your own prefixes
Add-BgpRoutingPolicy -Name "AdvertiseOwnPrefixes" `
    -PolicyType Egress `
    -MatchCriteria @{OriginASN=65001}

Apply the route policy to a BGP peer:

Add-BgpRoutingPolicyForPeer -PeerName "ISP-Peer" `
    -PolicyName "AcceptCorpRoutes" `
    -Direction Ingress

Add-BgpRoutingPolicyForPeer -PeerName "ISP-Peer" `
    -PolicyName "AdvertiseOwnPrefixes" `
    -Direction Egress

Step 6: Configure BGP Route Redistribution

Redistribute routes from the local routing table into BGP (for example, redistribute connected routes or static routes):

Add-BgpCustomRoute -Interface "Ethernet" -Network "0.0.0.0/0"

Redistribute routes learned from BGP into the local routing table so the operating system can use them for packet forwarding:

Set-BgpRouter -BgpIdentifier "192.168.1.50" -LocalASN 65001

Step 7: Monitor BGP Peer Status and Routes

Check the state of BGP peers to ensure sessions are established (state should be “Connected”):

Get-BgpPeer | Select-Object PeerName, LocalIPAddress, PeerIPAddress, PeerASN, OperationMode, ConnectivityStatus | Format-Table

View routes received from each peer:

Get-BgpRouteInformation -PeerName "ISP-Peer" -Type Received | Format-Table Network, NextHop, AsPath, LocalPref

View routes being advertised to each peer:

Get-BgpRouteInformation -PeerName "ISP-Peer" -Type Advertised | Format-Table Network, NextHop, AsPath

View BGP statistics:

Get-BgpStatistics -PeerName "ISP-Peer" | Select-Object * | Format-List
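
The ingress policy from Step 5 is only useful if the routes actually received stay inside the prefix it is meant to accept. The following is an added example, not part of the original procedure: it checks a list of received prefixes against that allowed prefix and reports anything outside it, such as a default route. The route list is constructed sample data, and the function and variable names are assumptions made for this example.

```powershell
# Added example: compare received prefixes with what the ingress policy should admit.
# $received is constructed sample data using the Network/NextHop/AsPath columns
# selected in Step 7; it is not output captured from a real router.
$allowedPrefixes = @("10.0.0.0/8")   # prefix matched by the Step 5 ingress policy

function ConvertTo-UInt32 ([string]$Address) {
    # Dotted-quad IPv4 address -> 32-bit number (most significant octet first)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-PrefixWithin ([string]$Candidate, [string]$Parent) {
    $cNet, $cLen = $Candidate -split "/"
    $pNet, $pLen = $Parent -split "/"
    # A shorter mask (for example 0.0.0.0/0) covers more than the parent block
    if ([int]$cLen -lt [int]$pLen) { return $false }
    # Two addresses share the parent block when dividing by the block size
    # gives the same whole number
    $block = [math]::Pow(2, 32 - [int]$pLen)
    [math]::Floor((ConvertTo-UInt32 $cNet) / $block) -eq
        [math]::Floor((ConvertTo-UInt32 $pNet) / $block)
}

# Constructed sample routes (hypothetical values for illustration)
$received = @(
    [pscustomobject]@{ Network = "10.20.0.0/24";  NextHop = "192.168.1.254"; AsPath = "65000" }
    [pscustomobject]@{ Network = "0.0.0.0/0";     NextHop = "192.168.1.254"; AsPath = "65000" }
    [pscustomobject]@{ Network = "172.16.0.0/12"; NextHop = "192.168.1.254"; AsPath = "65000" }
)

# Keep only the routes that fall outside every allowed prefix
$unexpected = $received | Where-Object {
    $route = $_
    -not ($allowedPrefixes | Where-Object { Test-PrefixWithin $route.Network $_ })
}

$unexpected | Format-Table Network, NextHop, AsPath
```

Any row in the result is a route the peer sent that the ingress filter was supposed to keep out, so an empty table is the expected steady state.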

Step 8: Configure BGP Firewall Rules

Ensure TCP port 179 is allowed for BGP peering sessions:

New-NetFirewallRule -DisplayName "BGP Inbound" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 179 `
    -Action Allow

New-NetFirewallRule -DisplayName "BGP Outbound" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 179 `
    -Action Allow
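
The two rules above allow TCP 179 to and from any address. The following added example, which is not part of the original procedure, creates per-peer rules limited to the peer addresses configured in Step 3 and then lists any inbound allow rule on port 179 that still accepts every remote address. The rule display names are assumptions made for this example.

```powershell
# Added example: limit BGP firewall rules to the peers configured in Step 3.
$peers = [ordered]@{
    "ISP-Peer"      = "192.168.1.254"
    "Branch-Router" = "10.10.0.1"
    "Azure-VPN-GW"  = "169.254.21.2"
}

foreach ($name in $peers.Keys) {
    foreach ($direction in "Inbound", "Outbound") {
        $rule = @{
            DisplayName   = "BGP $direction - $name"   # hypothetical naming scheme
            Direction     = $direction
            Protocol      = "TCP"
            RemoteAddress = $peers[$name]
            Action        = "Allow"
        }
        # The peer connects to local port 179; this router connects to the peer's port 179
        if ($direction -eq "Inbound") { $rule.LocalPort = 179 } else { $rule.RemotePort = 179 }
        New-NetFirewallRule @rule | Out-Null
    }
}

# List enabled inbound allow rules that name TCP 179 explicitly
# and still accept connections from any remote address
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $port.Protocol -eq "TCP" -and
            $port.LocalPort -contains "179" -and
            $addr.RemoteAddress -contains "Any"
    } |
    Select-Object DisplayName, Profile
```

If the unscoped "BGP Inbound" rule from this step exists, the final query reports it; once the per-peer rules are in place, that rule is no longer needed for the sessions to establish.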

Summary

BGP routing with RRAS on Windows Server 2012 R2 enables organizations to implement software-based BGP routing without dedicated routing appliances. The native BGP support in Windows makes it particularly well-suited for Azure VPN Gateway integration, multi-homed branch office configurations, and SDN routing scenarios. With proper peer configuration, route advertisement, and route policy filtering, Windows RRAS can serve as a capable BGP router in both internal and edge routing scenarios.