S2S VPN Failover

Hasan Kerem Kumru 60 Reputation points
2024-03-26T07:08:57.4033333+00:00

I have two SQL Servers in different resource groups and regions; one of them is primary and the other one is secondary and read-only until the primary goes down. I also have two VPN gateways and two local network gateways for the S2S connection with on-prem, and they are in the same resource groups, which are located in UK South and UK West. The regions have VNet peering between them. Now I want to configure the VPN connections as primary and secondary. When the primary fails, the secondary becomes primary. How can I configure them on Azure? Does BGP solve it? Or how can I configure them for failover?

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

Accepted answer
  1. GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
    2024-03-26T11:53:07.34+00:00

    Hello @Hasan Kerem Kumru ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have two Azure VPN gateways in 2 different regions and two local network gateways for S2S VPN connection with your on-premises site and would like to know how to configure failover between the connections.

    Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically and resume the S2S VPN or VNet-to-VNet connections.

    You can also create an Azure VPN gateway in an active-active configuration, where both instances of the gateway remain active simultaneously. When a planned maintenance or unplanned event happens to one gateway instance, the IPsec tunnel from that instance to your on-premises VPN device will be disconnected. The corresponding routes on your VPN devices should be removed or withdrawn automatically so that the traffic is switched over to the other active IPsec tunnel. On the Azure side, the switchover happens automatically from the affected instance to the active instance.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

    Azure VPN gateways also support Azure availability zones. Deploying gateways in Azure availability zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/about-zone-redundant-vnet-gateways

    So, if you are using a single on-premises VPN device, then my suggestion is to create active-active tunnels (from on-prem) to both Azure sites simultaneously and use BGP to prefer one tunnel over the other.

    • You can use BGP AS path prepending to influence the path selection.
    • Azure VPN gateway honors BGP AS path prepending.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
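Added example (not part of the accepted answer and not Microsoft code): a small Python model of the subset of the BGP decision process that the primary/secondary design above relies on, LOCAL_PREF first, then AS_PATH length. It advertises the same on-premises prefix over two tunnels, prepends the AS_PATH on the advertisement sent over the secondary tunnel, and walks through steady state, loss of the primary tunnel, and recovery, so you can see that the switch needs no manual change and that the primary is preferred again once it returns. All ASNs, prefixes and peer addresses are constructed for illustration; the model deliberately ignores MED, origin, router-id and the remaining tie-breakers of the real decision process.

```python
"""Simplified BGP best-path selection with AS_PATH prepending.

Added example, not code from the Q&A thread or from Azure. It models only the
decision-process steps that matter for a primary/secondary S2S VPN design:
highest LOCAL_PREF wins, then the shortest AS_PATH. All ASNs, prefixes and
peer addresses are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str               # NLRI, e.g. "10.0.0.0/16"
    peer: str                 # BGP peer (one per IPsec tunnel) that advertised it
    as_path: tuple[int, ...]  # origin ASN is the last element, as received
    local_pref: int = 100     # receiver-side attribute; defaults to 100


def prepend(route: Route, count: int) -> Route:
    """Return a copy of `route` with its first ASN prepended `count` more times.

    This is what an outbound route policy on the advertising router does to
    make a path look longer, and therefore less attractive, to the receiver.
    """
    if count < 0:
        raise ValueError("prepend count must be >= 0")
    return replace(route, as_path=(route.as_path[0],) * count + route.as_path)


def best_path(candidates: list[Route]) -> Route | None:
    """Highest LOCAL_PREF, then shortest AS_PATH, then lowest peer address
    as a deterministic tie-break (a stand-in for the later real tie-breakers)."""
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path), r.peer))


class Rib:
    """Adj-RIB-In keyed by (prefix, peer); select() yields the Loc-RIB entry."""

    def __init__(self) -> None:
        self._routes: dict[tuple[str, str], Route] = {}

    def update(self, route: Route) -> None:
        self._routes[(route.prefix, route.peer)] = route

    def withdraw(self, prefix: str, peer: str) -> None:
        # Tunnel down or BGP session reset: the advertisement disappears.
        self._routes.pop((prefix, peer), None)

    def select(self, prefix: str) -> Route | None:
        return best_path([r for (p, _), r in self._routes.items() if p == prefix])


ONPREM = "10.0.0.0/16"     # constructed on-premises prefix
PRIMARY = "192.0.2.1"      # constructed peer on the tunnel to the primary region
SECONDARY = "192.0.2.2"    # constructed peer on the tunnel to the secondary region


def failover_demo() -> list[str]:
    """Steady state, primary tunnel failure, primary recovery.

    Returns the peer (tunnel) selected for the on-prem prefix at each step.
    """
    rib = Rib()
    via_primary = Route(ONPREM, PRIMARY, (65010,))
    # Same origin AS over the secondary tunnel, prepended three times so it
    # loses on AS_PATH length while everything else is equal.
    via_secondary = prepend(Route(ONPREM, SECONDARY, (65010,)), 3)

    chosen: list[str] = []
    rib.update(via_primary)
    rib.update(via_secondary)
    chosen.append(rib.select(ONPREM).peer)   # steady state: primary tunnel

    rib.withdraw(ONPREM, PRIMARY)            # primary tunnel goes down
    chosen.append(rib.select(ONPREM).peer)   # secondary wins, no operator action

    rib.update(via_primary)                  # primary tunnel restored
    chosen.append(rib.select(ONPREM).peer)   # preempts back to the primary
    return chosen


def local_pref_beats_prepend() -> str:
    """Caveat: LOCAL_PREF is evaluated before AS_PATH length, so a receiver-side
    policy that raises LOCAL_PREF on the secondary silently defeats prepending."""
    rib = Rib()
    rib.update(Route(ONPREM, PRIMARY, (65010,)))
    secondary = prepend(Route(ONPREM, SECONDARY, (65010,)), 3)
    rib.update(replace(secondary, local_pref=200))
    return rib.select(ONPREM).peer


if __name__ == "__main__":
    print("selected peer per step:", failover_demo())
    print("with LOCAL_PREF 200 on secondary:", local_pref_beats_prepend())
```

Two practical checks follow from the model. First, prepending only works if nothing earlier in the decision process overrides it: a weight or LOCAL_PREF set on the on-premises device for the secondary session will win regardless of how many ASNs you prepend, so check the device's inbound policy on both sessions. Second, the failover depends on the primary advertisement actually being withdrawn when the tunnel drops; if the BGP session stays up after the IPsec tunnel fails (for example because the hold timer is long), traffic is black-holed until the session times out, so verify the hold time on both sides and confirm the withdrawal by watching the route table during a controlled test.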


1 additional answer

  1. Marcin Policht 10,675 Reputation points MVP
    2024-03-26T11:43:19.2033333+00:00

    Correct. If you have two distinct site-to-site VPN connections between Azure regions and their respective on-prem locations (and, effectively, two Azure virtual network gateways), you would use BGP to route traffic from the on-prem locations and drive the failover.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin