Regarding fault tolerance and disaster recovery on S2S VPN

Khushboo Kumari 97

Hi,

I am using site to site VPN connection to connect the on-prem. In this case what are the options for fault tolerance and disaster recovery on S2S VPN? As I have gone through the document and I found we have default active-passive mode or we can configure active-active mode. So is there any other method for fault tolerance and disaster recovery on S2S VPN? and how can we verify these practically?

Thanks!

KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee

2023-08-08T05:11:08.6833333+00:00

@Khushboo Kumari

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil
KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee

2023-08-09T04:58:27.54+00:00

@Khushboo Kumari

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee

2023-08-11T04:20:42.6966667+00:00

@Khushboo Kumari

Could you please provide an update on this post?

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Ivan Kuzmanov 0 Reputation points

2024-05-13T09:16:48.59+00:00

Hi @KapilAnanth-MSFT ,

Regarding "**For Region wide disaster".
**
What other prerequisites should we consider except from the VMs and Vnets, for example public ip for the second vng, also the connections should we create different ones beforehand or should we wait for a disaster and then recreate the same exact connections and local gateways?

Thank you in advance,
Ivan
KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee

2024-05-13T09:39:01.26+00:00

Ivan Kuzmanov,

The decision is upto the customer.

You must note that a VNET Gateway takes upto 40 minutes to deploy.

So if you were to deploy the gateway post disaster, you must make sure of your business continuity as it would sustain a downtime.

However, if the gateway already exists, the downtime would be reduced.

The documents suggest that you use an existing VPN Gateway and just create the connection post disaster.

Cheers,

Kapil

1 answer

KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee

2023-08-07T10:48:44.9833333+00:00
@Khushboo Kumari

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know the best practices for Disaster Recovery in case of a Site-to-Site connection.

For Platform Failure,

As you mentioned, we can have an Active Active configuration

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#dual-redundancy-active-active-vpn-gateways-for-both-azure-and-on-premises-networks

This can create upto 4 Tunnels and you will still have 2 tunnels if an instance goes down.

For Zone wise disaster,

We have to use Zone redundant VPN Gateways

Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/about-zone-redundant-vnet-gateways

For Region wide disaster:

You must note that if a region fails, so does the VM(s) and VNET(s) in that region

You must use Azure Site Recovery

The idea here is to have a VNET and VPN Gateway in recovery region readily configured.

Just not connect the Gateway to your OnPREM servers.

Refer : https://learn.microsoft.com/en-us/azure/site-recovery/site-recovery-retain-ip-azure-vm-failover#hybrid-resources-full-failover

Before Failover:

Then you should migrate your VMs to the recovery VNET First - this is taken care by ASR

Set up disaster recovery to a secondary Azure region for an Azure VM : https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-quickstart

Then create and enable the connections in the VPN Gateway

After Failover:

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.
Khushboo Kumari 97 Reputation points

2023-08-07T11:54:23.5566667+00:00

Hi @KapilAnanth-MSFT ,

Thanks for the information. I want to know more about the active-active configuration. I want to test it on our tenant. So, in Azure, we just have to enable the active mode. I want to know what changes are required in on-prem?

KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee

2023-08-07T13:26:31.43+00:00

@Khushboo Kumari,

You can refer this : https://learn.microsoft.com/en-us/azure/vpn-gateway/active-active-portal

From Azure End, you just have to enable it from Configuration page.

For OnPrem,

You should have another secondary IP (preferably with another ISP)

One more VPN Device (or the same device as long as it's capable of establishing connections to Azure VPN Gateway using the secondary IP)

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#dual-redundancy-active-active-vpn-gateways-for-both-azure-and-on-premises-networks

Cheers,

Kapil

Khushboo Kumari 97 Reputation points

2023-08-16T05:07:50.9033333+00:00

Hi,

For Region wide disaster: as mentioned the above solution, is it work for windows 365 cloud PCs?

KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee

2023-08-16T09:48:19.34+00:00

@Khushboo Kumari,

With Microsoft-hosted network option, VNETs are Managed and you will not be able to configure any VPN Gateways.

With Azure Network Connection option , you have the ability to manage the VNET from a customer subscription.

For this, Active-Active configuration should work

However, please refer to the for Region wide disaster recovery for Windows 365 here : https://learn.microsoft.com/en-us/windows-365/enterprise/business-continuity-disaster-recovery

Request you to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread

Cheers,

Kapil.

Khushboo Kumari 97 Reputation points

2023-08-18T11:42:13.8733333+00:00

Hi @KapilAnanth-MSFT ,

In W365 cloud pc, we are using hybrid azure ad option not the Microsoft-hosted network option. So is it work on that case? if yes how can we replicate the scenarios?

Thanks!

KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee

2023-08-19T12:25:56.43+00:00

@Khushboo Kumari,

I am afraid I cannot comment on the behavior of Cloud PCs.

I can provide you more information on the VPN Gateway and redundancy associated with it.

Since your case does not use a VPN Gateway, I would suggest you to post a new thread with only "Windows 365" tags and not "Azure VPN Gateway" so that experts on Cloud PCs will be able to provide their insights.

Cheers,

Kapil.

Request you to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread

Khushboo Kumari 97 Reputation points

2023-09-10T16:33:33.9633333+00:00

Hi @KapilAnanth-MSFT ,

thanks for the information. I want to know in simple terms about the active-active vpn configuration traffic, like how the traffic follow and distribute when both tunnels are healthy and when one healthy. I found this in ms article , can you please tell me in a simple terms?

"Because the Azure gateway instances are in active-active configuration, the traffic from your Azure virtual network to your on-premises network will be routed through both tunnels simultaneously, even if your on-premises VPN device may favor one tunnel over the other. For a single TCP or UDP flow, Azure attempts to use the same tunnel when sending packets to your on-premises network. However, your on-premises network could use a different tunnel to send packets to Azure."

KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee

2023-09-11T10:28:29.08+00:00

@Khushboo Kumari,

In simple terms,

1.When only one Tunnel is healthy,

Azure sends traffic via this healthy tunnel only

2.When both tunnels are healthy,

Azure sends traffic via both the tunnels.

The load is distributed across the tunnels using ECMP.

Azure guarantees that for a single flow (between a VM in Azure and OnPrem server) uses the same tunnel it chose initially until this flow ends.

What the highlighted part says is that your OnPREM can use both the tunnel simultaneously for a single flow

You must configure your OnPREM to not do this and stick to a tunnel for a single flow.

Cheers,

Kapil
Sign in to comment

Share via

Regarding fault tolerance and disaster recovery on S2S VPN

1 answer