Traffic routing through two IPSec VPN tunnels over Express Route Private Peering

Question

Traffic routing through two IPSec VPN tunnels over Express Route Private Peering

Raviraj Velankar 141

Let us consider following setup or environment

One On-premise FW and Azure VPN GWs in active-active config. There are two IPSec VPN tunnel over Express Route Private peering.
Two IPSec tunnels are terminating on only one On-premise FW. Enabled BGP on these tunnels.
Azure ER GW and VPN GW are in Hub subscription and Azure FW in same Hub subscription.
Spoke subnets in Spoke Vnets or workload subnet in HUB Vnets has UDR attached to it with next hop as Azure FW for On-premise IP prefixes
Gateway Subnet in Hub Vnet has a UDR attached to it for workload subnets or Azure spoke IP prefixes with next hop as Azure FW
BGP multi-path feature is enabled at On-premise FW since there are two paths available to Azure IP prefixes. It will perform auto load balancing of the traffic at On-premise end when traffic is initiated from On-premise
At On-premise end, certain IP prefixes ( example, Prefix-A & its subnets) are advertised over tunnle-1 and certain IP prefixes ( example, Prefix-B & its subnets) are advertised over tunnle-2 towards Azure

Following is the query

When traffic is initiated from VM in one of the Hub or Spoke workload subnet destined towards On-premise IP Prefix-A. Traffic will be routed to Azure FW first, Azure FW will route it to VPN Gateway and then it will take tunnel-1 as a path (as per route advertisement from On-premise), however return traffic from On-premise will take same tunnel-1 as path or tunnel-2 ? (because we can not tweak route advertisement from Azure VPN GW towards On-premise) and whether it will cause asymmetical routing or not ?

0 comments

1 answer

Your answer

Answer 1

KapilAnanth 49,876 Moderator

Hi @Raviraj Velankar ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to understand how the flow of packets in Active-Active VPN connections happen.

This is documented here in : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

From Azure perspective, for a single flow, Azure will send the packets to the same tunnel during the entire flow.

However, we cannot comment on the behavior of the OnPrem device/FW. Mostly, it should also send the packets via same tunnel.
However, I would recommend you get in touch with your VPN device vendor to get this clarified.

I hope this helps. Let me know should you have any follow up questions on this.

Cheers,
Kapil

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Raviraj Velankar 141 Reputation points

2022-09-20T05:35:45.55+00:00

Hi Kapilnath,

Thanks for reply. As per Azure documentation, Azure active-active gateway send the traffic from virtual network towards On-premise Network and both tunnels will be used simultaneously, i.e., Traffic will be load balanced per flow to use both the tunnels and If On-premise VPN device will prefer specific tunnel then as per my understanding asymmetric routing might occur. Because traffic will be routed to On-premise through tunnel-1 and it might use tunnel-2 for return path. So what do you recommend to configure BGP settings at On-premise end ? Whether BGP multi-path feature to use both the tunnels simultaneously same like Azure.

My simple requirement is, there should not be any asymmetrical routing for both side hence what do you suggest about any BGP settings or BGP attributes needs to be configured at On-premise end because we dont have any control to do any BGP settings at Azure end.
Raviraj Velankar 141 Reputation points

2022-09-20T05:59:19.24+00:00

Hi Kapilananth,

This is in continuation to above thread.

In Azure documentation for scenario such as "IPSec VPN tunnel over Express Route private peering " it says that advertise more specific On-premise subnets over BGP peering through private IPSec tunnel and summarized route or large IP prefix over BGP neighbor ship over Express Route. If that is the case then in case of active-active IPSec vpn tunnels , we can do more tweaking such as half of IP prefix for BGP peering through IPSec VPN tunnel-1 and half of IP prefix for BGP peering through IPSec VPN tunnel-2

In such case Azure VPN GW will prefer tunnel-1 for certain On-premise IP prefixes and tunnel-2 for remaining On-premise IP prefixes and that way we can influence exit path from Azure.

Please suggest what needs to be done at On-premise end so that there should not be any asymmetrical routing
KapilAnanth 49,876 Reputation points Moderator

2022-09-20T09:33:47.37+00:00
Hi @Raviraj Velankar ,

Thanks for explaining your set up.

Wrt your suggested action plan,

Splitting your IP range across VPN Tunnels is not recommended.

As, in case of one tunnel going down, you have to manually add the ranges to the other Tunnel

And this will not provide High availability

The features may be different based on the VPN device you are using.
If your device supports "BGP multi-path feature", you can definitely go for it.

Generally, majority of the devices has a mechanism to route traffic to the specific tunnel where the flow originated.
I would recommend you get this clarified from your VPN device vendor

Cheers,
Kapil

-------------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

Traffic routing through two IPSec VPN tunnels over Express Route Private Peering

1 answer

Your answer