VPN S2S Active Active

Question

VPN S2S Active Active

Handian Sudianto 6,106

Hello,

I have topology like below picture with details :

Have 4 sites
Every site have 1 firewall except for the site 1 have 2 firewall
FW1 and 2 using checkpoint product
FW3 - 5 using fortigate product
Every site have WAN connection to site 1

My goal is to make HA VPN Site to Site to Azure, so it's possible to make VPN Active Active to minimize downtime if there any site with internet connectivity issue?

User's image

1 answer

Your answer

Answer 1

KapilAnanth-MSFT 49,616 Microsoft Employee Moderator

@Handian Sudianto ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

The below 2 scenarios provide redundancy to one individual site.

Scenario1 : HA in case one of the VPN Gateway instance fails

With VPN Active-Active, Azure establishes two tunnels to the OnPrem IP Address you specify in the LNG per connection.
See : Active-active VPN gateways.

Scenario2 : HA in case one of the OnPrem instance/ISP fails

Similarly, In case you have 2 OnPrem IPs (2 OnPrem devices such as Site1) ,
The requirement here is that you created 2 LNGs each with the IP of the OnPrem devices.

Now, if you want HA via the WAN network:

As long as all the OnPrem sites are connected to each other, you should be able to route traffic to Azure via any one of the S2S Connection.
However, BGP is a must for this and you advertise all the address prefixes via every VPN Connection.
You should take care of routing to Azure from OnPrem site and between the OnPrem sites themselves.
From Azure to OnPrem routing, you must make use of AS Path Prepending to favour one VPN Connection over the other.
See : Does Azure VPN Gateway honor AS Path prepending (your exact requirement).

This example explains how AS Path Prepend works in Azure : https://learn.microsoft.com/en-us/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#as-path-prepend

Though the example here uses ExR Gateway, the same logic applies to VPN Gateway as well.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Handian Sudianto 6,106 Reputation points

2024-03-20T00:34:38.6266667+00:00
Hi @KapilAnanth-MSFT

Here my queries:

I think scenario 1 is not suitable for me because we have multiple onprem VPN gateway, am i right?

For scenario 2 (HA in case one of the OnPrem instance/ISP fails), can each onprem VPN gateway have separate LAN subnet, or two VPN gateway should be have same LAN subnet? Also, for this scenario the BGP is not needed, am i right?

For scenario 2 (HA via the WAN network), can we make users under core 3 connected to the azure via FW3, users under core 4 connected to the azure via FW 4? And if internet connection FW3 is down, the user under core 3 can connect to the azure via other WAN, example the traffic will be routed to core 2 then to FW2?
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2024-03-20T11:37:18.8366667+00:00
@Handian Sudianto ,

Scenarios 1 and 2 are to connect every individual OnPrem to Azure.

So, to address your queries,

1.I think scenario 1 is not suitable for me because we have multiple onprem VPN gateway, am i right?

Not exactly.

Core 2,3,4 have only firewalls each.

So to connect these sites to Azure VPN Gateway with Active-Active, you must follow this

2.For scenario 2 (HA in case one of the OnPrem instance/ISP fails), can each onprem VPN gateway have separate LAN subnet, or two VPN gateway should be have same LAN subnet? Also, for this scenario the BGP is not needed, am i right?

I cannot comment on the configuration of OnPrem set up.

Actually, you do not have 2 OnPrem

You only have one OnPrem with 2 Firewalls (FW1 and FW2) and each represent the same OnPrem - this means they will have the same Address Prefixes.

Core 1 can benefit from this.

3.For scenario (HA via the WAN network), can we make users under core 3 connected to the azure via FW3, users under core 4 connected to the azure via FW 4? And if internet connection FW3 is down, the user under core 3 can connect to the azure via other WAN, example the traffic will be routed to core 2 then to FW2?

Not quite right, perhaps your naming convention is the Diagram and in this question is mismatching with each other.

From your diagram, I see Core2 uses FW3 and Core3 uses FW4.

And I don't see Core3 connected to Core2.

What I see is,

FW1,FW2,FW3,FW4 and FW5 - all are connected to Azure.

Let's say, FW3(Core2) loses internet.

If you could configure your Core2 to forward traffic to Core1, then you can access Azure using either FW1 or FW2 (both belonging to Core1)

And BGP is a must for this to work

Hope this helps.

Cheers,

Kapil

Share via

VPN S2S Active Active

1 answer

Your answer