VPN Gateway Active Active Single Internet

Question

VPN Gateway Active Active Single Internet

Handian Sudianto 6,106

VPN active active mode like bow pic is applicable if we only have single internet connection in onprem side? Each connection from azure local network gateway can connected to single public ip address in the onprem?

User's image

Ganesh Patapati 7,155 Reputation points Microsoft External Staff Moderator

2025-04-02T13:13:03.4766667+00:00

Hello @Handian Sudianto

I hope this has been helpful!

please don’t forget to close the thread by clicking Accept the answer wherever the information provided helps you, as this can be beneficial to other community members.

1 answer

Your answer

Ganesh Patapati 7,155 Reputation points Microsoft External Staff Moderator

2025-04-02T13:13:03.4766667+00:00

Hello @Handian Sudianto

I hope this has been helpful!

please don’t forget to close the thread by clicking Accept the answer wherever the information provided helps you, as this can be beneficial to other community members.

Answer 1

Ganesh Patapati 7,155 Microsoft External Staff Moderator

@Handian Sudianto

Yes, you can configure an Azure VPN Gateway in active-active mode with a single on-premises internet connection and public IP.

However, on-premises device must terminate two IPsec tunnels from Azure's two VPN Gateway instances to the same on-premises public IP.

Here, BGP is recommended for dynamic routing and failover. The on-premises device must establish separate BGP sessions with both Azure gateways over the two tunnels.

While Azure's side is redundant, the on-premises internet connection remains a single point of failure. For full redundancy, consider adding a second on-premises ISP or failover link.

Topology should be as below.

Azure VPN Gateway (Active-Active)

VPN Instance 1: Public IP 1 → On-Prem Public IP (Tunnel 1)
VPN Instance 2: Public IP 2 → On-Prem Public IP (Tunnel 2)
On-Prem Device: Single public IP, two tunnels to Azure.

You can use Active-Active mode with a single internet connection on the on-premises side if you're on-premises VPN device can support handling multiple tunnels.

Each connection from Azure Local Network Gateway can connect to a single public IP on the on-premises side, but it is possible to have multiple tunnels over that single IP if the device supports it.

I hope this has been helpful!

If above is unclear and/or you are unsure about something add a comment below.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how. Accepted answer

Ganesh Patapati 7,155 Reputation points Microsoft External Staff Moderator

2025-03-19T10:23:58.4333333+00:00

Hello @Handian Sudianto

Just checking in to see if the information was helpful. If you have any further updates on this issue, please feel free to post back.

I hope this has been helpful!

If above is unclear and/or you are unsure about something add a comment below.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Handian Sudianto 6,106 Reputation points

2025-03-19T16:02:22.6333333+00:00

Hi @Ganesh Patapati example my public ip is 1.1.1.1 then i create one local connection gateway from tunnel1 to the vpn gateway and this connection is established. When i make another local connection gateway and i put same public ip address 1.1.1.1 then associate to the the vpn gateway i get error that the ip address 1.1.1.1 is already used on previous local network gateway. So when we use single internet connection to connect to the azure vpn gateway, we must use 2 different public ip addres?
Ganesh Patapati 7,155 Reputation points Microsoft External Staff Moderator

2025-03-19T19:06:27.1566667+00:00

Hello Handian Sudianto

Thanks for the reply!

When you have a single IP address and ISP connection at an on-premises network, the VPN gateway will only allow a single connection with one local network gateway, though it will operate in active-active mode. Azure does not permit multiple connections to local network gateways with the same IP address because this can cause routing conflicts and network instability.

I did a Repro, and it resulted in the same error as shown below:

Recommended Approach

When you deploy a VPN gateway with active-active mode it will create two public IPs on azure side.

So, you have to create two VPN connections from the On-prems end.

On Azure end One VPN connection is enough to achieve this setup.

If above is unclear and/or you are unsure about something add a comment below.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Handian Sudianto 6,106 Reputation points

2025-03-20T08:49:50.4833333+00:00

hi @Ganesh Patapati

So for below topology we need 2 onprem public ip?

and need 4 onprem public ip if the topology in below pic?
Ganesh Patapati 7,155 Reputation points Microsoft External Staff Moderator

2025-03-20T13:11:20.65+00:00
Hello Handian Sudianto

For the below topology we need 1 Onprem Public IP, but two VPN connections are needed towards azure VPN gateway.

For the 2nd setup you need 2 On-prem Public IPs which needs 4 VPN connections towards azure.

If above is unclear and/or you are unsure about something add a comment below.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Handian Sudianto 6,106 Reputation points

2025-03-20T14:18:14.13+00:00

Hi..

Let we talk about below topology, you say this topology only need 1 Onprem Public IP.

Isn't below topology we need create 2 LNG? If we need 2 LNG this mean we need 2 onprem public IP, since if we use same onprem public IP we will get error. Am i right?
Ganesh Patapati 7,155 Reputation points Microsoft External Staff Moderator

2025-03-20T17:59:03.6433333+00:00

Hello Handian Sudianto

Yes, your assumptions are correct. If you have one on-prem public Ip then you will be able to create only One LNG. In case, if you need to create 2 LNG then you need to have 2 on-prem public IPs.

If above is unclear and/or you are unsure about something add a comment below.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Ganesh Patapati 7,155 Reputation points Microsoft External Staff Moderator

2025-03-21T08:57:38.4+00:00

Hello Handian Sudianto

If above is unclear and/or you are unsure about something add a comment below.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Ganesh Patapati 7,155 Reputation points Microsoft External Staff Moderator

2025-03-24T11:56:06.67+00:00

Hello Handian Sudianto

If above is unclear and/or you are unsure about something add a comment below.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Ganesh Patapati 7,155 Reputation points Microsoft External Staff Moderator

2025-04-02T13:12:45.7933333+00:00

Hello @Handian Sudianto

I hope this has been helpful!

please don’t forget to close the thread by clicking Accept the answer wherever the information provided helps you, as this can be beneficial to other community members.

Share via

VPN Gateway Active Active Single Internet

1 answer

Your answer