How to simulate an instance down and how to simulate a local network gateway down in a VPN Gateway with Active/Standby configuration ?

Question

How to simulate an instance down and how to simulate a local network gateway down in a VPN Gateway with Active/Standby configuration ?

Quattrocchi, Calogero 275

Hi,

We have an Azure VPN Gateway route-based in a Active/standby configuration. We have two tunnels from AWS pointing to our VPN Gateway. This is working fine.

Now, we need to perform some tests.

We want to prove to our customer that the failover Active/Standby instance of the Azure VPN Gateway is automatic and we need to check how long does it take
We have one local network gateway (1st AWS tunnel) in the status connected and one local network gateway (2nd AWS tunnel) in the status connecting. We think this is the correct behavior because connection is successful. We would like now to simulate the crash of one AWS tunnel, i.e., the connected local network gateway and see the failover to the second AWS tunnel, i.e., the second local network gateway which is now in the status "connecting"

Can you please advice?

Many Thanks

Regards

KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-03-27T09:10:40.92+00:00

@Quattrocchi, Calogero

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

Accepted answer

0 additional answers

Your answer

KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-03-27T09:10:40.92+00:00

@Quattrocchi, Calogero

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

Answer 1

KapilAnanth-MSFT 49,536 Microsoft Employee Moderator

@Quattrocchi, Calogero

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know if we can simulate the failover of one Tunnel in a Active-Standby setup with two tunnels to the 3rd Party Cloud.

So, I believe your set up should be something similar to this

User's image

Currently, there is no direct mechanism to failover from one active instance to the other.

However, you can do a Gateway Reset.

User's image

P.S : Be careful not to issue the command twice.

Doing so, the two reboots are requested back to back, there will be a slightly longer period where both VM instances (active and standby) are being rebooted. This will cause a longer gap on the VPN connectivity, up to 30 to 45 minutes for VMs to complete the reboots

Hope this helps :)

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Quattrocchi, Calogero 275 Reputation points

2023-03-20T12:46:42.01+00:00

@KapilAnanth-MSFT : many thanks for your clear answer to one of my two questions -)

the second question was:

We have one local network gateway (1st AWS tunnel) in the status connected and one local network gateway (2nd AWS tunnel) in the status connecting. We think this is the correct behavior because connection is successful. We would like now to simulate the crash of one AWS tunnel, i.e., the connected local network gateway and see the failover to the second AWS tunnel, i.e., the second local network gateway which is now in the status "connecting".

Thanks

Regards,
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-03-20T13:05:31.3066667+00:00
@Quattrocchi, Calogero

Active-Standby refers to the VPN Gateway instances, not the connection.

So, technically, you should have both the connections in a "connected" state

And for this to work, BGP is a requirement.

Maybe, lack of BGP configuration is the reason for one tunnel being in a "Connecting state".

While this may still work, this is not the ideal set up.

You technically have only one Connection from one active instance while the ideal setup has two active connections established from one active instance.

Nevertheless, you should still be able to failover from one instance to other.

The passive instance (which just got into active state) will establish two new connections and I believe one of them will be in connected state.

And we can't say which LNG would connect first (the latter will be stuck in connecting state)

P.S :

Azure does not have the concept of Active-standby connection. The failover refers to the VPN gateway instance and at all times, you are expected to have 2 "connected" connections as long as you have two LNGs

I would suggest you to check the BGP configurations at Azure end and 3rd party cloud end, to get this working.

Refer : Support multiple tunnels between a VNet and an on-premises site with automatic failover based on BGP

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Quattrocchi, Calogero 275 Reputation points

2023-03-20T13:19:38.8633333+00:00

Well, sorry my mistake. Both connections have the status "Connected".

But from the BGP Peers blade, we can see one with status "Connected" and one with status "Connecting".

So, if I understand you, we cannot simulate the fact that the second tunnel (BGP Peer status connecting) become the active tunnel?

Thanks
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-03-20T13:43:45.5766667+00:00
@Quattrocchi, Calogero

We can, but not directly via Portal or a setting in VPN Gateway.

This can be done by changing the IP to some dummy value in the LNG where the connection is established. (Identify this using the Peer address of the connected BGP session)

This way, the connection would fail and force the other BGP session to start advertising the routes.

I understand this is not a straight forward method, but this should help you simulate the failover nevertheless.

Feel free to let me know if you have further queries.

If not, request you to accept the answer and close this thread.

Cheers,

Kapil
Quattrocchi, Calogero 275 Reputation points

2023-03-20T14:28:25.2+00:00

Just to be 100% clear from my side.

Can we have both BGP Peers with the status "Connected" or we must have one BGP Peers with status "Connected" and one with status "Connecting"?

Thanks.
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-03-21T11:47:08.2133333+00:00

@Quattrocchi, Calogero,

Apologies for the delay, I was creating a similar environment in my Lab

I did a set up and I was able to bring both the BGP sessions up.

This indicates that while both of your IPSEC connections are connected, there is no BGP session in one of the IPSEC Connection.

Also, I can see both the BGP sessions are supposed to be in a connected state : Check your BGP peers status on Azure and AWS

I would suggest you to check from the 3rd party Cloud VPN Logs.

From Azure end, you can check Route Diagnostic Logs

Thanks,

Kapil

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer
Quattrocchi, Calogero 275 Reputation points

2023-03-21T14:47:20.82+00:00
Hi,

No worries.

In the article you shared https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-aws-bgp#architecture, the architecture is for one virtual network gateway with active-active and BGP enabled.

But in my case, I have active-passive instance on the VPN Gateway.

BTW, in the following article https://learn.microsoft.com/en-us/answers/questions/1063087/azure-vpn-to-aws-connected-but-no-bgp-peers-establ, it is mentioned:

A site-to-site connection on AWS has two tunnels, each with their own outside IP address and inside IPv4 CIDR (used for BGP APIPA). An active-passive VPN gateway only supports one custom BGP APIPA. You'll need to enable active-active on your Azure VPN gateway to connect to multiple AWS tunnels.

Thanks for feedback
Quattrocchi, Calogero 275 Reputation points

2023-03-22T13:47:09.46+00:00

Hi Kapil, did you have time to setup an active-passive configuration for the VPN Gateway?

Many thanks
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-03-23T12:36:13.92+00:00
@Quattrocchi, Calogero,

Greetings.

My Lab was using a active-passive configuration for the Azure VPN Gateway only and the BGP was up for both the connections

Further, I can guarantee that all the BGP sessions would be in connected state even if I enable active-active.

I would suggest you to check the Device logs at this point to understand as to why a single BGP session would be in a "Connecting state".

P.S :

My lab was using one Active-Passive VPN (Azure)

and one Active-Active Azure VPN (acting as AWS)

Cheers,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
Quattrocchi, Calogero 275 Reputation points

2023-03-23T15:09:08.5466667+00:00

Hi Kapil,

In the following screenshot, it is not APIPA IP address.

To communicate with AWS tunnel, we need APIPA IP address (range 169.254.21.0 to 169.254.22.255).

And the situation we are talking about is having APIPA IP as the inside BGP IP address.

According to the Microsoft article https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-aws-bgp:

"A site-to-site connection on AWS has two tunnels, each with their own outside IP address and inside IPv4 CIDR (used for BGP APIPA). An active-passive VPN gateway only supports one custom BGP APIPA. You'll need to enable active-active on your Azure VPN gateway to connect to multiple AWS tunnels."

I also had a discussion with AWS guy who says that you cannot have both tunnels connected as described in the Microsoft doc.

Thanks for your feedback
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-03-24T05:55:56.9166667+00:00

Hi @Quattrocchi, Calogero,

I was not aware of the fact BGP APIPA is mandatory for AWS VPN Tunnels.

Unfortunately, I will not be able to set up a Lab with AWS.

However, if you got the confirmation from AWS team, then I believe your environment is behaving as expected.

Should there be any follow-up questions or concerns, please let us know and I shall be glad to address them as always :)

If not, I request you to Accept this answer and close this thread.

Original posters help the community find answers faster by identifying the correct answer

Cheers,

Kapil
Quattrocchi, Calogero 275 Reputation points

2023-03-24T09:16:15.6433333+00:00

Hi,

Is it possible for you to check internally ?

And once again, I would like to interpret correctly the sentence coming from MS documentation

"A site-to-site connection on AWS has two tunnels, each with their own outside IP address and inside IPv4 CIDR (used for BGP APIPA). An active-passive VPN gateway only supports one custom BGP APIPA. You'll need to enable active-active on your Azure VPN gateway to connect to multiple AWS tunnels."

Thanks
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-03-24T10:13:27.23+00:00
Hi @Quattrocchi, Calogero,

Unfortunately, we will not have access to labs involving 3rd party Cloud.

And as a result, we will not be able to set up Labs.

If you are following the document, you can go ahead and set up a Active-Active Tunnel and see the results.

However, requiring multiple APIPA BGP address on Azure end looks more like a requirement from AWS side rather than on the Azure end.

What the document states is correct.

A Active-Passive VPN gateway in Azure supports only one APIPA BGP IP, where as a Active-Active supports multiple APIPA BGP IPs

Now, per the diagram, as you can see, each tunnel is established with a single APIPA IP and totally, we have four BGP APIPA IPs (from Azure end)

This also explains why we have only tunnel with "Connected" in case of Passive. This is because we have only one BGP APIPA IP for a Passive VPN Gateway.

So, technically, this seems to be an expected behavior only.

Cheers,

Kapil

If you feel our team members or the community have been providing right level of support and your scenario has got timely response, please Accept this answer and close this thread.

Share via

How to simulate an instance down and how to simulate a local network gateway down in a VPN Gateway with Active/Standby configuration ?

0 additional answers

Your answer