Multiple IPSec Site to Site

Handian Sudianto 2,016 Reputation points


We have 4 sites connected to same azure VPN gateway, we create 1 azure virtual gateway and 4 local connection contains each site subnet.
This work normally, but we not have redundant with this topology.
So what can we do to make the IPsec failover example if internet connection on Site-D is down, i want to re-reroute traffic to azure from site-D to Site-c or to another site, it's possible?
Every site have private link so they can communicate each other. How if we add all subnets (site-a until d) to each azure local connection, is this will make redundant?


Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
969 questions
0 comments No comments
{count} votes

Accepted answer
  1. KapilAnanth-MSFT 14,376 Reputation points Microsoft Employee

    Hi @Handian Sudianto ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you would like to have redundancy between VPN sites.

    This is possible with BGP.

    In the LNGs, you should only specify the IP Address of the Local Sites and leave the Address space empty.
    The BGP will automatically update the traffic selectors, i.e., address ranges between Azure and OnPrem site.

    • When a particular site goes down, let's say site A.
    • The VPN connection between VPN Gateway and site A will drop.
    • The connection between VPN Gateway and site B will still be intact.
    • Now, the site B should advertise the routes to site A via BGP to Azure VPN gateway.
    • Then, Azure will forward both site A traffic and site B traffic to site B (as it learns the route dynamically from BGP).
    • This configuration should be made from the OnPrem devices, to add or remove the routes from BGP.

    There is a more dynamic way to achieve this, without manually having to update BGP whenever a site goes down

    • You can use BGP path prepending.
    • Azure VPN gateway honors BGP path prepending. Visit this page
    • Your requirement is somewhat similar to Suboptimal routing from Microsoft to customer
    • The above document is written for ExpressRoute MS Peering, but you can take reference from here for your requirement.

    Hope this helps.



    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

0 additional answers

Sort by: Most helpful