Technical Lab: Implement Bidirectional Forwarding Detection
Questions
Question 1 - Multiple Choice
In an Azure network with ExpressRoute, the operator needs to detect link failures with latency below the minimum time supported by the standard BGP protocol. After enabling BFD, what is the expected behavior regarding the existing BGP session?
A. BGP starts ignoring its own timers and entirely delegates keepalive control to BFD.
B. BFD operates independently from BGP, but a failure detected by BFD triggers the teardown of the associated BGP session.
C. BFD replaces BGP as the routing protocol in the ExpressRoute session, also taking over prefix exchange.
D. BGP and BFD share the same control channel, and BGP timers are automatically reduced to match BFD intervals.
Question 2 - Technical Scenario
An engineer configures BFD between the Azure VPN Gateway and an on-premises device. After configuration, the IPsec tunnel establishes correctly, but the BFD session never comes up. The engineer verifies the following:
# On-premises device
bfd neighbor 10.0.0.1 local-address 10.1.0.1
interval 300 min_rx 300 multiplier 3
authentication sha1 keychain BFD_KEY
The Azure VPN Gateway does not support BFD authentication. What is the most likely cause of the failure?
A. The 300 ms interval is below the minimum supported by Azure VPN Gateway.
B. The local address configured on the on-premises device does not belong to the tunnel subnet.
C. The authentication configured on the on-premises device prevents BFD session establishment, as the Azure peer cannot respond to the challenge.
D. The multiplier 3 is incompatible with the Azure VPN Gateway BFD implementation.
Question 3 - True or False
BFD in Azure ExpressRoute operates exclusively in asynchronous mode, and echo mode is not supported in this context.
Question 4 - Technical Scenario
A company uses ExpressRoute with two redundant circuits terminating on distinct MSEEs. BFD is enabled on both. During an incident, the primary circuit loses physical-layer connectivity, but the BGP session over that circuit has not yet gone down because the BGP holdtime has not yet expired. What is the expected BFD behavior at this moment?
A. BFD waits for the BGP holdtime to expire before acting, as it depends on BGP to validate the link state.
B. BFD detects the absence of control packets within the negotiated interval and notifies BGP to tear down the session immediately, without waiting for the holdtime.
C. BFD sends a notification to the secondary circuit to take over, without interfering with the primary circuit's BGP session.
D. BFD suspends failure detection while BGP is still in Established state, to avoid conflict between the two protocols.
Question 5 - Multiple Choice
When comparing BFD support between Azure VPN Gateway and ExpressRoute (circuits with private peering), which statement correctly describes a behavioral or support difference between the two?
A. BFD is enabled by default on ExpressRoute and needs to be explicitly activated on VPN Gateway by the operator on the Azure side.
B. VPN Gateway supports BFD only on VpnGw2 family SKUs or higher, while ExpressRoute supports BFD on all SKUs.
C. BFD on ExpressRoute is enabled on the Microsoft Enterprise Edge (MSEE) side and requires the on-premises CPE device to also support it for the session to come up.
D. VPN Gateway supports BFD only over IKEv1 tunnels, as IKEv2 already has an equivalent integrated failure detection mechanism.
Answer Key and Explanations
Answer Key - Question 1
Answer: B
BFD is an auxiliary failure detection protocol, not a BGP replacement. It runs as a separate session, exchanging control packets at much shorter intervals than standard BGP timers (where the holdtime can be as long as 90 seconds). When BFD does not receive a control packet within the negotiated detection time, it signals to its client protocol (in this case, BGP) that the path is unavailable, and BGP then tears down the session without waiting for its own holdtime to expire.
The central error in the incorrect alternatives is confusing cooperation with fusion: BFD and BGP maintain their separate sessions and responsibilities. BFD does not inherit or replace BGP functions, and BGP does not delegate its timers to BFD.
Answer Key - Question 2
Answer: C
Azure VPN Gateway does not implement BFD authentication. When the on-premises device requires authentication (in this case, SHA1 with keychain), it expects the peer to respond with corresponding credentials. Since the Azure side does not support this mechanism, it cannot complete the BFD handshake, and the session never comes up, even though the underlying IPsec tunnel is operational.
The other distractors describe real errors in other contexts: incompatible intervals and incorrect addresses are legitimate causes of BFD failure, but here the scenario makes it clear that authentication is the mismatched element between the two sides. A multiplier of 3 is widely supported and would not by itself prevent session establishment.
Answer Key - Question 3
Answer: True
In Azure ExpressRoute, BFD operates exclusively in asynchronous mode, where each peer sends control packets periodically and awaits response. Echo mode, which sends packets to be returned by the peer without processing at the remote BFD layer, is not supported in this context.
This distinction matters because echo mode can offer faster detection with lower CPU load on the remote peer. Knowing it is not available in ExpressRoute is important when sizing detection intervals and when comparing expected behavior with on-premises implementations that support both modes.
Answer Key - Question 4
Answer: B
This is exactly the central motivation of BFD: to act before the routing protocol perceives the failure through its own mechanisms. When the physical layer goes down, BFD stops receiving control packets from the peer. After the number of lost packets reaches the configured multiplier, BFD declares the neighbor unreachable and notifies BGP to terminate the session immediately.
The conceptual error in the incorrect alternatives is imagining that BFD is subordinate to BGP or that the two protocols compete. In reality, BFD is a convergence accelerator that works in service of BGP: it neither runs autonomously in parallel nor sits passively waiting for BGP.
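The two mechanics behind the Question 2 and Question 4 explanations, as an added example that is not part of the lab: how the BFD detection time follows from the negotiated interval and multiplier (so BFD tears BGP down long before the holdtime), and why a one-sided authentication requirement blocks session establishment. The Azure-side timer values and the `BfdPeer` model are assumptions for illustration; only the on-premises 300/300/3 and SHA1 values come from the question.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class BfdPeer:
    name: str
    desired_min_tx_ms: int           # rate this peer wants to send control packets at
    required_min_rx_ms: int          # slowest rate this peer is willing to accept
    detect_mult: int                 # consecutive missed packets before declaring DOWN
    auth_type: Optional[str] = None  # e.g. "sha1"; None means no authentication required
    supports_auth: bool = True       # whether this implementation can do BFD authentication

def negotiated_tx_interval_ms(sender: BfdPeer, receiver: BfdPeer) -> int:
    # RFC 5880: a sender may not transmit faster than the receiver's Required Min RX Interval
    return max(sender.desired_min_tx_ms, receiver.required_min_rx_ms)

def detection_time_ms(local: BfdPeer, remote: BfdPeer) -> int:
    # Time after which 'local' declares 'remote' down: remote multiplier x remote tx interval
    return remote.detect_mult * negotiated_tx_interval_ms(remote, local)

def session_can_establish(a: BfdPeer, b: BfdPeer) -> tuple:
    # Question 2 check: a side that requires authentication needs a peer able to provide it
    for req, other in ((a, b), (b, a)):
        if req.auth_type and not other.supports_auth:
            return False, f"{req.name} requires {req.auth_type} auth, {other.name} cannot supply it"
    return True, "ok"

def failure_timeline_ms(local: BfdPeer, remote: BfdPeer, last_rx_ms: int,
                        last_keepalive_ms: int, bgp_holdtime_ms: int) -> dict:
    # Question 4: BFD declares down after its detection time; BGP alone only after holdtime
    bfd_down = last_rx_ms + detection_time_ms(local, remote)
    bgp_alone = last_keepalive_ms + bgp_holdtime_ms
    return {"bfd_down_ms": bfd_down, "bgp_alone_ms": bgp_alone, "saved_ms": bgp_alone - bfd_down}

# Constructed scenario from Question 2: on-prem uses 300/300/3 with sha1; the Azure side is
# assumed to mirror the timers but (as the text states) does not support BFD authentication
ONPREM = BfdPeer("on-prem CPE", 300, 300, 3, auth_type="sha1")
AZURE = BfdPeer("Azure peer", 300, 300, 3, auth_type=None, supports_auth=False)

if __name__ == "__main__":
    print(session_can_establish(ONPREM, AZURE))
    fixed = BfdPeer("on-prem CPE", 300, 300, 3)  # same timers, authentication removed
    print(session_can_establish(fixed, AZURE), detection_time_ms(fixed, AZURE), "ms")
    print(failure_timeline_ms(fixed, AZURE, last_rx_ms=10_000, last_keepalive_ms=10_000,
                              bgp_holdtime_ms=90_000))
```

With the 300 ms interval and multiplier 3, BFD declares the neighbor down 900 ms after the last control packet, versus 90 s for a BGP holdtime of 90 seconds.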
Answer Key - Question 5
Answer: C
In ExpressRoute with private peering, BFD is enabled on the MSEE (Microsoft's edge router) side and waits for the customer's CPE device to also initiate the BFD session. If the CPE does not support or does not have BFD configured, the session simply does not come up, and failure detection continues to depend only on BGP timers.
The other alternatives contain verifiable inaccuracies: BFD in ExpressRoute is not enabled by default on the customer side; there is no SKU restriction for BFD on VPN Gateway as described; and BFD on VPN Gateway is not conditioned on the IKE version, as IKEv2 and BFD are complementary, not mutually exclusive.