VPN Failover

Question

VPN Failover

Handian Sudianto 5,961

Hello,

Here my current topology with details :

Traffic from Internal LAN HO to azure vnet-1 (subnet 10.201.0.0/16) will be passing thru VGW-1 using INTERNET-1 directly
Traffic from Internal LAN Branch to azure vnet-1 (subnet 10.201.0.0/16) will be passing HO via WAN then to VGW-1 using INTERNET-1
Traffic from Internal LAN HO to azure vnet-2 (subnet 172.16.0.0/16) will be passing thru VGW-2 using INTERNET-1 directly
Traffic from Internal LAN Branch to azure vnet-2 (subnet 172.16.0.0/16) will be passing thru VGW-2 using INTERNET-2 directly
VNET-1 and VNET-2 have peering

My question :

When INTERNET-1 down, all traffic from HO and Branch to VNET-1 10.201.0.0/16 will be dropped, with this topology how we can make an failover? When Internet-1 down can we route traffic to VNET-1 to VGW-2 -> VNET-2 then to VNET-1 (from Branch Side)?

User's image

GitaraniSharma-MSFT 49,881 Reputation points Microsoft Employee

2023-08-14T14:08:02.73+00:00

Hello @Handian Sudianto ,

Apologies for the delay in response.

The network topology provided by you doesn't seem very clear.

Also, it is difficult to advise on how the routing from your on-premises to Azure will failover. This completely depends on how your on-premises devices are setup/configured.

But I would like to ask if BGP is enabled on your topology?

For the routing from Azure to on-premises, I can provide the below information:

Putting your above topology aside, if there are 2 Azure VPN connections to Azure from your on-premises, then using BGP AS path prepending, you can influence routing decisions between the connections to your on-premises. And you can also achieve automatic failover by advertising the same routes on both connections with different lengths of AS paths.

Azure VPN gateway will honor AS Path prepending to help make routing decisions when BGP is enabled. A shorter AS Path will be preferred in BGP path selection.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#does-azure-vpn-gateway-honor-as-path-prepending-to-influence-routing-decisions-between-multiple-connections-to-my-on-premises-sites

There is no official document for Azure VPN with AS path prepending setup, but you can refer the below docs which talk about AS path prepending for more information:

https://learn.microsoft.com/en-us/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#as-path-prepend

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-optimize-routing#solution-use-as-path-prepending

https://learn.microsoft.com/en-us/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering#high-availability-without-asymmetricity

Regards,

Gita
GitaraniSharma-MSFT 49,881 Reputation points Microsoft Employee

2023-08-21T06:20:07.01+00:00

@Handian Sudianto , Could you please provide an update on this post?

Your answer

GitaraniSharma-MSFT 49,881 Reputation points Microsoft Employee

2023-08-14T14:08:02.73+00:00

Hello @Handian Sudianto ,

Apologies for the delay in response.

The network topology provided by you doesn't seem very clear.

Also, it is difficult to advise on how the routing from your on-premises to Azure will failover. This completely depends on how your on-premises devices are setup/configured.

But I would like to ask if BGP is enabled on your topology?

For the routing from Azure to on-premises, I can provide the below information:

Putting your above topology aside, if there are 2 Azure VPN connections to Azure from your on-premises, then using BGP AS path prepending, you can influence routing decisions between the connections to your on-premises. And you can also achieve automatic failover by advertising the same routes on both connections with different lengths of AS paths.

Azure VPN gateway will honor AS Path prepending to help make routing decisions when BGP is enabled. A shorter AS Path will be preferred in BGP path selection.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#does-azure-vpn-gateway-honor-as-path-prepending-to-influence-routing-decisions-between-multiple-connections-to-my-on-premises-sites

There is no official document for Azure VPN with AS path prepending setup, but you can refer the below docs which talk about AS path prepending for more information:

https://learn.microsoft.com/en-us/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#as-path-prepend

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-optimize-routing#solution-use-as-path-prepending

https://learn.microsoft.com/en-us/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering#high-availability-without-asymmetricity

Regards,

Gita
GitaraniSharma-MSFT 49,881 Reputation points Microsoft Employee

2023-08-21T06:20:07.01+00:00

@Handian Sudianto , Could you please provide an update on this post?

Share via

VPN Failover

Your answer