OnPrem VPN redundancy ASA VPN

Glenn Thomas 26 Reputation points
2022-02-23T01:03:09.923+00:00

I'm just looking for some help with deciding the best solution for a customer of ours. Today they have 2 locations with ASA Firewalls.

We will be deploying remote desktops in Azure. We want all traffic to traverse our primary VPN to Site A only, and if the VPN breaks there we want traffic to automatically failover to our Site B.

Site A and Site B have different subnets but do have connectivity between locations for additional redundancy. So the idea here would be if Site A Azure VPN tunnel went down, it would connect to Site B VPN as backup and then backhaul across the backup link from Site B to Site A across our L2 link.

From what I'm reading here, this may be our best solution?
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#highly-available-cross-premises

But what I don't like is it wants to do ECMP, and I do not want that. I simply want a primary and a backup from Azure. Primary being Site A and backup being Site B.

Am I missing that you can't do this? I want to do route-policy based VPN with BGP. Can I not set BGP to be less preferred as it's received into Azure?

Is there another solution that more closely fits my need?



Accepted answer
    GitaraniSharma-MSFT 49,461 Reputation points Microsoft Employee
    2022-02-23T10:49:02.727+00:00

    Hello @Glenn Thomas ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    Yes, the best solution is to create multiple S2S VPN connections from your VPN devices to Azure with BGP enabled as advised in the below doc:
    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#multiple-on-premises-vpn-devices

    ECMP is mentioned for highly available configurations. But you can use AS path prepend to configure a primary-backup setup as below:


    Azure VPN gateway will honor AS Path prepending to help make routing decisions when BGP is enabled. A shorter AS Path will be preferred in BGP path selection.
    Reference : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#does-azure-vpn-gateway-honor-as-path-prepending-to-influence-routing-decisions-between-multiple-connections-to-my-on-premises-sites

    Kindly let us know if the above helps or you need further assistance on this issue.

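The following is an added example of the primary/backup setup the accepted answer describes; it is not part of the original question or answer and is not Microsoft's or the customer's configuration. Azure VPN Gateway does not let you set local preference or otherwise de-prioritise a route on the receiving side, so the only lever is what the on-premises devices advertise: Site A announces the prefixes with a plain AS path, Site B announces the same prefixes with its own ASN prepended, and Azure picks Site A while it is up and falls back to Site B when Site A's BGP session drops. All values are assumptions: on-premises ASN 65010 shared by both sites, the Azure gateway's default ASN 65515, Azure BGP peer address 10.100.0.254, Site A LAN 192.168.10.0/24, Site B LAN 192.168.20.0/24, and a route-based (VTI) tunnel already up on each ASA. IOS-style ASA BGP syntax is shown from memory and has not been checked against a live device.

```cisco
! ---- Site A ASA (primary): advertise both sites' prefixes with no prepend ----
! Assumed: ASN 65010, Azure peer 10.100.0.254 (ASN 65515), tunnel interface already up.
router bgp 65010
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 10.100.0.254 remote-as 65515
  ! Azure's BGP peer IP sits inside GatewaySubnet, not on the tunnel link, so allow multihop.
  neighbor 10.100.0.254 ebgp-multihop 255
  neighbor 10.100.0.254 activate
  ! Site B's prefix is reachable from Site A over the L2 link (assumed static/learned route),
  ! so Site A can also carry Azure-to-Site-B traffic if Site B's tunnel is the one that fails.
  network 192.168.10.0 mask 255.255.255.0
  network 192.168.20.0 mask 255.255.255.0
 exit-address-family

! ---- Site B ASA (backup): same prefixes, AS path lengthened so Azure prefers Site A ----
! A route-map with no "match" clause matches every prefix sent to this neighbour.
! Prepend only your own ASN; prepending another ASN would be a spoofed path.
route-map AZURE-BACKUP permit 10
 set as-path prepend 65010 65010 65010

router bgp 65010
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 10.100.0.254 remote-as 65515
  neighbor 10.100.0.254 ebgp-multihop 255
  neighbor 10.100.0.254 activate
  neighbor 10.100.0.254 route-map AZURE-BACKUP out
  ! Site B must also advertise Site A's 192.168.10.0/24 (reachable over the L2 link),
  ! otherwise Azure has no backup path to Site A at all. A "network" statement only
  ! takes effect if the prefix is in Site B's routing table, e.g. via a static route.
  network 192.168.10.0 mask 255.255.255.0
  network 192.168.20.0 mask 255.255.255.0
 exit-address-family
```

With both tunnels up, `az network vnet-gateway list-learned-routes --resource-group <rg> --name <gateway>` should show each prefix twice, once from Site A with AS path `65010` and once from Site B with `65010 65010 65010 65010`; the shorter path is the one Azure forwards on. Failover happens when the Site A session is torn down (tunnel/DPD failure or BGP hold timer expiry), so the time to switch is bounded by those timers rather than by the prepend itself. Check the result from the VM side with `az network nic show-effective-route-table`, and make sure the ASA at Site A does not prefer the Azure-learned route for Site B's prefix over the L2 link (a longer prepend or a static route on the ASA side handles that).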
