Azure Active-Active VPN Gateway with Dual VPN Tunnels & BGP

Daithi 0 Reputation points
2024-07-10T14:15:31.66+00:00
                 SonicWALL          Azure
WAN IP           X1: ISP 1          Azure Public IP 1
                 X2: ISP 2          Azure Public IP 2
Tunnel IP        10.90.20.1         10.28.254.4
                 10.90.21.1         10.28.254.5
Local Network    10.80.0.0/16       10.1.0.0/16
                 10.90.0.0/16       10.2.0.0/16
                 10.70.0.0/16
Peer Network     10.1.0.0/16        10.80.0.0/16
                 10.2.0.0/16        10.90.0.0/16
                                    10.70.0.0/16
BGP AS Number    65521              65515

Looking to use a single VPN Gateway in Active-Active Mode with 2 separate ISPs connecting into Azure. BGP is enabled on the firewall on premise, and BGP is enabled on all Local Network gateways and on the VPN Gateway (Active-Active gives me 2 Public IP Addresses in Azure and 2 BGP Local Addresses). However, in the BGP Peer menu in Azure I only see 2 of the tunnels connected and 2 show as connecting. Is this how it should be, or should all peers show as connected? Struggling to find documentation on this scenario. If the two connected peers drop, the connecting peers become connected.



1 answer

  1. ChaitanyaNaykodi-MSFT 24,681 Reputation points Microsoft Employee
    2024-07-11T02:10:17.1633333+00:00

    @Daithi

    Thank you for reaching out.

    If I understand correctly, you are trying to implement dual redundancy (active-active VPN gateways for both Azure and on-premises networks), similar to the implementation shown here.


    This topology requires two local network gateways and two connections to support the pair of on-premises VPN devices.

    Below are the requirements and constraints for this set-up:

    1. You need to create multiple S2S VPN connections from your VPN devices to Azure. When you connect multiple VPN devices from the same on-premises network to Azure, you need to create one local network gateway for each VPN device, and one connection from your Azure VPN gateway to each local network gateway.
    2. The local network gateways corresponding to your VPN devices must have unique public IP addresses in the "GatewayIpAddress" property.
    3. BGP is required for this configuration. Each local network gateway representing a VPN device must have a unique BGP peer IP address specified in the "BgpPeerIpAddress" property.
    4. You should use BGP to advertise the same on-premises network prefixes from each device to your Azure VPN gateway, and the traffic will be forwarded through these tunnels simultaneously.
    5. You must use Equal-cost multi-path routing (ECMP).
    6. It will also help if you could check the logs on the on-prem devices for any BGP connection error.

    You can also refer to this BGP FAQ section for additional troubleshooting details.

    Hope this helps! Please let me know if the issue still persists, we will gladly continue with the discussion. Thank you!
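As an added example (not code from the question, the answer, or Azure itself), the checker below applies constraints 1 to 4 from the answer to a set of local network gateway definitions, using the address plan from the question's table as its input. The gateway names and the public IPs (documentation-range addresses) are constructed placeholders, since the question only says "ISP 1" and "ISP 2".

```python
import ipaddress
from dataclasses import dataclass

AZURE_GATEWAY_ASN = 65515  # ASN of the Azure VPN gateway in the question

@dataclass(frozen=True)
class LocalNetworkGateway:
    # One Azure local network gateway = one on-premises VPN device / ISP path
    name: str
    gateway_ip_address: str       # GatewayIpAddress: public IP of the on-prem device
    asn: int                      # on-premises BGP AS number
    bgp_peer_ip_address: str      # BgpPeerIpAddress: on-prem tunnel-side BGP peer IP
    advertised_prefixes: tuple    # prefixes this device advertises to Azure over BGP
    connection_bgp_enabled: bool  # EnableBgp on the Azure connection to this LNG

def check_active_active_lngs(lngs):
    """Return violations of the dual-redundancy constraints (empty list = consistent)."""
    problems = []
    if len(lngs) < 2:  # Constraint 1: one LNG and one connection per on-prem device
        problems.append("two local network gateways are needed, one per on-prem VPN device")
    public_ips, peer_ips = {}, {}
    for g in lngs:
        # Constraint 2: every local network gateway needs its own public IP
        if g.gateway_ip_address in public_ips:
            problems.append(f"{g.name}: GatewayIpAddress {g.gateway_ip_address} already used by {public_ips[g.gateway_ip_address]}")
        public_ips.setdefault(g.gateway_ip_address, g.name)
        # Constraint 3: BGP on every connection, unique peer IPs, ASN distinct from Azure's
        if not g.connection_bgp_enabled:
            problems.append(f"{g.name}: BGP is not enabled on its connection")
        if g.bgp_peer_ip_address in peer_ips:
            problems.append(f"{g.name}: BgpPeerIpAddress {g.bgp_peer_ip_address} already used by {peer_ips[g.bgp_peer_ip_address]}")
        peer_ips.setdefault(g.bgp_peer_ip_address, g.name)
        if g.asn == AZURE_GATEWAY_ASN:
            problems.append(f"{g.name}: on-prem ASN {g.asn} collides with the Azure gateway ASN")
    # Constraint 4: both devices must advertise the same on-prem prefixes for ECMP
    prefix_sets = []
    for g in lngs:
        try:
            prefix_sets.append(frozenset(ipaddress.ip_network(p) for p in g.advertised_prefixes))
        except ValueError as err:
            problems.append(f"{g.name}: bad prefix ({err})")
    if len(set(prefix_sets)) > 1:
        problems.append("devices advertise different prefix sets; ECMP needs identical prefixes")
    return problems

# Constructed from the question's table; public IPs are documentation-range placeholders
ON_PREM_PREFIXES = ("10.80.0.0/16", "10.90.0.0/16", "10.70.0.0/16")
QUESTION_LNGS = (
    LocalNetworkGateway("lng-isp1", "203.0.113.10", 65521, "10.90.20.1", ON_PREM_PREFIXES, True),
    LocalNetworkGateway("lng-isp2", "198.51.100.10", 65521, "10.90.21.1", ON_PREM_PREFIXES, True),
)
```

Running `check_active_active_lngs(QUESTION_LNGS)` returns an empty list for the plan in the question; it does not check tunnel reachability or the on-prem device's BGP logs, which the answer leaves to the device side.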