S2S VPN - active-active gateways

koosha 1 Reputation point
2022-10-05T10:01:59.437+00:00

I have two on-prem devices in different sites (a & b) that I want to connect to an Azure VPN gateway via IPsec tunnels. If the Azure gateways are configured in active-active mode, but multiple tunnels are not available, is it possible to have a single tunnel from each Azure instance to each of the on-prem devices (one connection between site a and the first Azure instance, and one between site b and the second instance), or do both tunnels need to be connected to the same on-prem device?

Thanks


1 answer

GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
2022-10-06T07:01:45.387+00:00

Hello @koosha ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you have two on-prem devices in different sites and would like to connect them both to 1 Azure VPN gateway with active-active configuration.

For this setup, it is always recommended to go with dual-redundancy: active-active VPN gateways for both Azure and on-premises networks.

When you set up the Azure VPN gateway in an active-active configuration and want to connect 2 on-premises devices, you need to create two local network gateways and two connections for your two on-premises VPN devices. The result is a full mesh connectivity of 4 IPsec tunnels between your Azure virtual network and your on-premises network as shown below:

[Image 247959-image.png: full mesh of 4 IPsec tunnels between the two Azure gateway instances and the two on-premises VPN devices]

It is not possible to have a single tunnel from each Azure instance to each of the on-prem devices (one connection between site a and the first Azure instance, and one between site b and the second instance), because all tunnels are active from the Azure side, so the traffic will be spread among all 4 tunnels simultaneously.

You will need to configure your on-premises VPN devices to accept or establish two S2S VPN tunnels to the two Azure VPN gateway public IP addresses. Note that both VPN tunnels are actually part of the same connection, so you cannot exclude one tunnel from the Azure side.

Note:
BGP is required for this configuration.
The active-active mode is available for all SKUs except Basic.

Please refer to the articles below for more information:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#dual-redundancy-active-active-vpn-gateways-for-both-azure-and-on-premises-networks
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
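The dual-redundancy layout the answer describes (one active-active Azure gateway, two local network gateways, two BGP-enabled connections, four tunnels in total) as an added Az PowerShell example. This is not code from the Q&A post or from the linked Microsoft article; every resource name, address range, public IP, ASN and the pre-shared-key placeholder is an assumed value you would replace with your own. The final block is the check a practitioner wants after both on-prem devices are configured: each device should hold a BGP session with both gateway instances, so four peers in total.

```powershell
# Added example (not from the Q&A post): active-active Azure VPN gateway with
# two BGP connections to two on-premises devices (site a and site b).
# All names, ranges, IPs and ASNs below are assumed placeholders.
$rg       = 'rg-s2s-example'
$location = 'westeurope'

# Hub VNet with the mandatory GatewaySubnet (assumed ranges)
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.255.0/27'
$vnet = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.10.0.0/16' -Subnet $gwSubnet
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Active-active needs two public IPs, one per gateway instance
$pip1 = New-AzPublicIpAddress -Name 'pip-vpngw-1' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$pip2 = New-AzPublicIpAddress -Name 'pip-vpngw-2' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf1' -SubnetId $subnet.Id -PublicIpAddressId $pip1.Id
$ipconf2 = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf2' -SubnetId $subnet.Id -PublicIpAddressId $pip2.Id

# Active-active is not available on the Basic SKU, and BGP is required for this design.
# 65010 is an assumed private ASN for the Azure side.
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf1, $ipconf2 -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku VpnGw1 -Asn 65010 -EnableActiveActiveFeature

# One local network gateway per on-prem device. With BGP the address prefix is the
# device's BGP peer IP as a /32; public IPs and ASNs are assumed values.
$lngA = New-AzLocalNetworkGateway -Name 'lng-site-a' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress '203.0.113.10' -AddressPrefix '10.51.255.254/32' `
    -Asn 65050 -BgpPeeringAddress '10.51.255.254'
$lngB = New-AzLocalNetworkGateway -Name 'lng-site-b' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress '198.51.100.20' -AddressPrefix '10.52.255.254/32' `
    -Asn 65060 -BgpPeeringAddress '10.52.255.254'

# One connection per on-prem device. Because the gateway is active-active, each
# connection is built from BOTH instances, giving 2 tunnels per device, 4 in total.
# Placeholder PSK: generate a long random secret per connection and keep it out of scripts.
$pskA = 'REPLACE-WITH-STRONG-RANDOM-PSK-FOR-SITE-A'
$pskB = 'REPLACE-WITH-STRONG-RANDOM-PSK-FOR-SITE-B'
New-AzVirtualNetworkGatewayConnection -Name 'cn-hub-to-site-a' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lngA -ConnectionType IPsec `
    -SharedKey $pskA -EnableBgp $true
New-AzVirtualNetworkGatewayConnection -Name 'cn-hub-to-site-b' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lngB -ConnectionType IPsec `
    -SharedKey $pskB -EnableBgp $true

# Values to hand to the on-prem teams: each device must accept/establish tunnels to
# BOTH gateway public IPs and peer with BOTH Azure BGP addresses (one per instance).
$gw = Get-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg
"Gateway public IPs : $($pip1.IpAddress), $($pip2.IpAddress)"
"Azure BGP peer IPs : $($gw.BgpSettings.BgpPeeringAddress)"

# Verification once the on-prem side is up: expect 4 BGP peers in state 'Connected'
# (2 Azure instances x 2 on-prem devices). Fewer than 4 means one device only
# reaches one instance, which is exactly the half-mesh the answer says is not possible.
Get-AzVirtualNetworkGatewayBGPPeerStatus -ResourceGroupName $rg -VirtualNetworkGatewayName 'vpngw-hub' |
    Select-Object LocalAddress, Neighbor, Asn, State, RoutesReceived
```

Run it in an Az PowerShell session that is already signed in and has the resource group created; gateway creation itself takes a while to complete. The BGP peer listing is the useful operational check: after the initial build, and again after any change on either on-prem device, confirm that all four sessions are present rather than relying on a single working tunnel.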
