Yes, you can configure an Azure VPN Gateway in active-active mode with a single on-premises internet connection and public IP.
However, the on-premises device must terminate two IPsec tunnels from Azure's two VPN Gateway instances to the same on-premises public IP.
Here, BGP is recommended for dynamic routing and failover. The on-premises device must establish separate BGP sessions with both Azure gateways over the two tunnels.
While Azure's side is redundant, the on-premises internet connection remains a single point of failure. For full redundancy, consider adding a second on-premises ISP or failover link.
The topology should be as below.
Azure VPN Gateway (Active-Active)
- VPN Instance 1: Public IP 1 → On-Prem Public IP (Tunnel 1)
- VPN Instance 2: Public IP 2 → On-Prem Public IP (Tunnel 2)
- On-Prem Device: Single public IP, two tunnels to Azure.
You can use Active-Active mode with a single internet connection on the on-premises side if your on-premises VPN device can support handling multiple tunnels.
Each connection from Azure Local Network Gateway can connect to a single public IP on the on-premises side, but it is possible to have multiple tunnels over that single IP if the device supports it.
I hope this has been helpful!
If the above is unclear and/or you are unsure about something, add a comment below.
Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
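The topology described in the answer above, as an added Azure CLI example that is not part of the original post: two Standard public IPs and an active-active, BGP-enabled VPN gateway on the Azure side, one local network gateway carrying the single on-premises public IP and its BGP peer address, and one connection object (Azure brings up a tunnel from each instance to that one on-premises IP). All resource names, the region, the SKU, the ASNs and the addresses (203.0.113.10 is a TEST-NET-3 placeholder, 10.255.0.1 an assumed loopback on the on-premises device) are assumptions; the `run` wrapper and `DRY_RUN` switch are conveniences added here so the commands can be reviewed without a subscription.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer or from Microsoft. Creates an
# active-active Azure VPN Gateway with BGP that terminates both tunnels on ONE
# on-premises public IP. All names, addresses and ASNs are placeholders.
set -euo pipefail

RG=rg-hub                 # assumed resource group (must already exist)
LOCATION=eastus           # assumed region
VNET=vnet-hub             # assumed VNet; must already contain a GatewaySubnet
GW=vgw-hub                # assumed gateway name
LNG=lng-onprem            # assumed local network gateway name
CONN=cn-onprem            # assumed connection name
AZURE_ASN=65515           # Azure's default private ASN for the gateway
ONPREM_ASN=65010          # assumed private ASN of the on-premises device
ONPREM_IP=203.0.113.10    # the single on-premises public IP (TEST-NET-3 placeholder)
ONPREM_BGP_PEER=10.255.0.1  # assumed on-premises BGP peer (e.g. a loopback)

# Executes the command, or prints it instead when DRY_RUN=1 so the plan can be
# reviewed (or tested) without an Azure subscription.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Azure accepts a 1-128 character PSK; refuse anything short enough to guess.
check_psk() {
  [ "${#1}" -ge 24 ]
}

# One static Standard-SKU public IP per gateway instance.
create_public_ips() {
  for n in 1 2; do
    run az network public-ip create -g "$RG" -n "${GW}-pip${n}" -l "$LOCATION" \
      --sku Standard --allocation-method Static
  done
}

# Passing two public IPs is what switches the gateway to active-active mode.
create_gateway() {
  run az network vnet-gateway create -g "$RG" -n "$GW" -l "$LOCATION" \
    --vnet "$VNET" --gateway-type Vpn --vpn-type RouteBased --sku VpnGw2 \
    --public-ip-addresses "${GW}-pip1" "${GW}-pip2" --asn "$AZURE_ASN"
}

# One local network gateway: the single on-prem public IP plus its BGP peer.
create_local_gateway() {
  run az network local-gateway create -g "$RG" -n "$LNG" -l "$LOCATION" \
    --gateway-ip-address "$ONPREM_IP" --asn "$ONPREM_ASN" \
    --bgp-peering-address "$ONPREM_BGP_PEER"
}

# One connection object; each gateway instance builds its own IPsec tunnel to
# ONPREM_IP, so the on-prem device must accept two tunnels and two BGP peers.
create_connection() {
  local psk="${VPN_PSK:-}"
  check_psk "$psk" || { echo "VPN_PSK must be at least 24 characters" >&2; return 1; }
  [ "${DRY_RUN:-0}" = "1" ] && psk='<redacted>'   # keep the secret out of dry-run output
  run az network vpn-connection create -g "$RG" -n "$CONN" -l "$LOCATION" \
    --vnet-gateway1 "$GW" --local-gateway2 "$LNG" --shared-key "$psk" --enable-bgp
}

# Prints both instances' BGP peer IPs (comma-separated); the on-prem device
# must establish a BGP session to each of them over its respective tunnel.
show_azure_bgp_peers() {
  run az network vnet-gateway show -g "$RG" -n "$GW" \
    --query "bgpSettings.bgpPeeringAddress" -o tsv
}

# Usage: VPN_PSK='<strong random key>' ./active-active.sh deploy
#        DRY_RUN=1 VPN_PSK='<strong random key>' ./active-active.sh deploy
if [ "${1:-}" = "deploy" ]; then
  create_public_ips
  create_gateway
  create_local_gateway
  create_connection
  show_azure_bgp_peers
fi
```

Gateway creation takes 30 to 45 minutes, and the connection cannot be created until it finishes, which is why the script does not use `--no-wait`. Once the two Azure BGP peer IPs are known, configure the on-premises device with two IPsec tunnels (remote peers `vgw-hub-pip1` and `vgw-hub-pip2`) and two BGP neighbours, one per tunnel, both announcing the same on-premises prefixes so traffic fails over when one tunnel drops.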