Multiple S2S VPN Tunnels Between One Azure VPN Gateway (Active-Standby Mode) and Multiple OnPrem VPN Devices via BGP for Redundancy

David Ibrahim 5 Reputation points
2023-03-29T22:21:41.2633333+00:00

Can one (1) Azure VPN Gateway in Active-Standby mode connect two (2) S2S VPN tunnels to 2 different on-prem data centers (DC & DR)? What I have observed is that once I have one S2S VPN tunnel working (via BGP and APIPA as BGP peer IP), for some reason that I do not understand, I cannot get a second S2S VPN tunnel to work (via BGP and APIPA as BGP peer IP).

Am I missing something, please? My traditional network/security experience allows me to terminate multiple S2S VPN tunnels using one public IP address on one VPN device. Is the Azure concept different? If it is, kindly point me in the right direction.

I have read about Azure VPN Gateway in Active-Active mode but based on my understanding, that is like creating 4 VPN tunnels in my own scenario which we do not need. I just need my DC and DR to have one VPN tunnel each to the same public IP address on the Azure VPN Gateway, then I can use BGP to manage advertised and received prefixes. Or is it a must to use Azure VPN Gateway (in Active-Active mode) to achieve what I want?

Thanks.

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

4 answers

  1. GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee
    2023-04-03T15:49:25.6433333+00:00

    Hello @David Ibrahim ,

    Apologies for the delay in response.

    I understand that you would like to know if one Azure VPN Gateway in Active-Standby mode can connect to multiple on-prem VPN Devices via BGP for Redundancy.

    Yes, one Azure VPN Gateway in Active-Standby mode can connect to multiple on-prem VPN Devices via BGP for Redundancy as shown in the below document:

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#multiple-on-premises-vpn-devices


    But you are also using APIPA BGP IP.

    Specifying multiple APIPA addresses is only possible when active-active configuration is enabled on your Azure VPN gateway.

    As you rightly mentioned, an active-passive VPN gateway will only support one custom BGP APIPA.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-aws-bgp#architecture

    If you use active-passive mode on Azure VPN gateway, then only the primary connection/gateway instance will be the owner of the Azure APIPA IP. And hence you will see one tunnel connected and the other in connecting status. This is expected.

    The active-passive mode with multiple on-prem devices is possible with BGP but not over custom APIPA BGP IP addresses. APIPA BGP method requires active-active mode.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.

  2. Erkan Sahin 830 Reputation points
    2023-03-29T22:54:02.7966667+00:00

    In Azure, you can achieve your desired Site-to-Site (S2S) VPN configuration using an Azure VPN Gateway in Active-Standby mode. You can create multiple S2S VPN tunnels from a single Azure VPN Gateway to multiple on-premises VPN devices.

    Here's an outline of the steps to set up multiple S2S VPN tunnels with BGP:

    1. Create an Azure Virtual Network (VNet) and a subnet for the Azure VPN Gateway.
    2. Deploy an Azure VPN Gateway in the VNet with the Active-Standby mode.
    3. Set up your Local Network Gateway resources in Azure, representing your on-premises VPN devices (one for each data center, DC and DR).
    4. Create a Connection resource in Azure for each Local Network Gateway, associating them with your Azure VPN Gateway.
    5. Configure your on-premises VPN devices with the appropriate settings, including BGP and APIPA.
    6. Establish the VPN tunnels and ensure that BGP sessions are set up correctly.

    It's essential to ensure that your VPN tunnels and BGP sessions are configured correctly.

    1 person found this answer helpful.
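An added planning script (not from the thread or from Microsoft) that encodes the constraint GitaraniSharma-MSFT states in answer 1 and the outline Erkan Sahin gives in answer 2: it checks whether a set of on-prem peers can all come up for a given gateway mode and emits the Azure CLI commands for the local network gateways and BGP connections. The resource-group, gateway and peer names, the pre-shared key and the IP addresses are constructed placeholders, and the APIPA ranges are taken from Azure documentation as an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
# Blocks Azure reserves for custom APIPA BGP addresses (assumption taken from Azure docs).
APIPA_RANGES = (ipaddress.ip_network("169.254.21.0/24"), ipaddress.ip_network("169.254.22.0/24"))

@dataclass
class Peer:
    name: str                          # hypothetical label, e.g. "dc" or "dr"
    public_ip: str                     # on-prem VPN device public address
    asn: int                           # on-prem BGP ASN
    bgp_ip: str                        # on-prem BGP peer address
    azure_apipa: Optional[str] = None  # custom APIPA on the Azure side; None = gateway default BGP IP

def in_apipa_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APIPA_RANGES)

def validate_plan(mode: str, peers: List[Peer]) -> List[str]:
    """Reasons the layout will not bring every tunnel up; an empty list means the plan is consistent."""
    if mode not in ("active-standby", "active-active"):
        return [f"unknown gateway mode {mode!r}"]
    problems = []
    custom = [p for p in peers if p.azure_apipa]
    for p in custom:
        if not in_apipa_range(p.azure_apipa):
            problems.append(f"{p.name}: Azure APIPA {p.azure_apipa} is outside the permitted ranges")
    # Constraint from answer 1: with several on-prem devices, custom APIPA BGP addresses only
    # work on an active-active gateway; in active-standby only the primary instance owns the
    # APIPA address, so the second tunnel stays in 'connecting'.
    if mode == "active-standby" and len(peers) > 1 and custom:
        problems.append("active-standby with multiple peers: use the gateway's default BGP IP "
                        "instead of custom APIPA, or redeploy the gateway as active-active")
    return problems

def az_commands(rg: str, gateway: str, peers: List[Peer]) -> List[str]:
    """Azure CLI lines creating one local network gateway and one BGP-enabled connection per peer."""
    cmds = []
    for p in peers:
        cmds.append(f"az network local-gateway create -g {rg} -n lng-{p.name} --gateway-ip-address "
                    f"{p.public_ip} --asn {p.asn} --bgp-peering-address {p.bgp_ip}")
        cmds.append(f"az network vpn-connection create -g {rg} -n cn-{p.name} --vnet-gateway1 {gateway} "
                    f"--local-gateway2 lng-{p.name} --shared-key '<PSK>' --enable-bgp")
    return cmds

# Constructed sample peers: DC and DR as in the question, with documentation-range public IPs.
DC = Peer("dc", "203.0.113.10", 65010, "10.10.0.1")
DR = Peer("dr", "198.51.100.10", 65020, "10.20.0.1")
DC_APIPA = Peer("dc", "203.0.113.10", 65010, "169.254.21.1", azure_apipa="169.254.21.2")
DR_APIPA = Peer("dr", "198.51.100.10", 65020, "169.254.22.1", azure_apipa="169.254.22.2")
```

Run `validate_plan` before creating the connections; the active-standby plus APIPA case is the one that shows one tunnel connected and the other stuck in connecting.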

  3. Ramirez, Eduardo 5 Reputation points
    2023-10-27T05:58:15.45+00:00

    I have the same scenario, but I want to have both tunnels on active/active from Azure to a single on-prem device firewall, but there is no way to specify a second APIPA BGP peering IP on the Local Network Connection, so then how does the secondary tunnel come up as backup?

    1 person found this answer helpful.

  4. Lucas Kartawidjaja 0 Reputation points
    2023-05-15T13:39:45.0633333+00:00

    @David Ibrahim & @GitaraniSharma-MSFT , I was also experiencing the same behavior. We are trying to use the active-standby Azure VPN Gateway to connect to multiple on-premises gateways via BGP. For a while it seemed that it could only have one active connection.

    But suddenly last Friday (May 12th, 2023), it seems that now the Azure VPN Gateway that is in active-standby mode can have 2 active BGP connections. Not sure if you also experience the same? I tried to look in Microsoft Azure updates (https://azure.microsoft.com/en-us/updates) to see if there is any new release/update, but did not see anything new pertaining to Azure VPN Gateway (Active-Standby) and multiple BGP peering. Kinda interested to know if this is a new update from Microsoft Azure and, if yes, whether it is already in General Availability instead of Preview. Hoping that it is in General Availability.
