Tags: azure, network-programming, vpn, gateway, vnet

Q: Azure S2S VNet VPN with failover


I'm trying to set up a VPN connection from a VLAN in Azure to on-premise. We have two different ISPs on-premise and I want to set up Azure with a VPN connecting to both so that if the primary ISP is down Azure will try to connect using the secondary.

The problem is that I can't add two gateways to a single VLAN, and the one gateway will not let me add two VPN connections with the same IP address range. I can understand that if I wanted both to be active, but I want one to be standby and only used if the first disconnects.

Is this even possible? Any pointers would be great.

I have been looking at https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#a-name--activeactiveonpremamultiple-on-premises-vpn-devices but that only covers active-active setup which is not what I want.

I want both VNET resources and on-premise resources to reach each other via the same IP addresses no matter if it's the primary or secondary VPN that's connected.

I know that Azure has failover on its side via a standby gateway, but I want failover when on-premise is down, not Azure.


Solution

  • Update

    I know that Azure has failover on its side via a standby gateway, but I want failover when on-premise is down, not Azure.

    Unfortunately, there is no automatic solution for on-premises failover; you could perform it manually, which is the same as when the on-premises gateway IP changes and you need to update the same entry. You need to update the local network gateway (including the on-premises gateway IP and private range) on the Azure side and the ISP settings where the VPN is connected on the on-premises side. Please expect some downtime, because the IPsec session (ISAKMP phase 1 and phase 2) will take place again.

    Besides, if you have more than one ISP and need a redundant connection to Azure, Azure now supports redundant site-to-site VPNs.

    Support multiple tunnels between a VNet and an on-premises site with automatic failover based on BGP

    You can establish multiple connections between your Azure VNet and your on-premises VPN devices in the same location. This capability provides multiple tunnels (paths) between the two networks in an active-active configuration. If one of the tunnels is disconnected, the corresponding routes will be withdrawn via BGP and the traffic automatically shifts to the remaining tunnels.

    The following diagram shows a simple example of this highly available setup (diagram not reproduced here).

    NOTE

    • BGP is supported on Azure VpnGw1, VpnGw2, VpnGw3, Standard and HighPerformance VPN gateways. Basic SKU is NOT supported.
    • BGP is supported on Route-Based VPN gateways only.
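
As an added example (not code from the answer or from Microsoft's documentation), the following constructed Bicep fragment shows the multi-tunnel BGP setup the answer describes: one local network gateway per ISP, each with the on-premises device's public IP on that link and its own BGP peering address, and two BGP-enabled IPsec connections from the same route-based VPN gateway. All names, IP addresses and ASNs are assumed placeholders, and the VPN gateway is assumed to already exist on a BGP-capable SKU with BGP enabled.

```bicep
// Assumed: resource group, VNet and a route-based VpnGw1+ gateway with
// BGP enabled already exist. Names, IPs and ASNs are placeholders.
param location string = resourceGroup().location
param vpnGatewayName string = 'vgw-hub'
param onPremAsn int = 65010 // one on-prem AS reachable via both ISPs
@secure()
param sharedKey string

// Per-ISP values: public IP of the on-prem VPN device on that ISP link
// and the BGP peer address it uses (must be unique per local gateway).
var sites = [
  { name: 'isp1', gatewayIp: '203.0.113.10', bgpPeer: '10.255.0.1' }
  { name: 'isp2', gatewayIp: '198.51.100.20', bgpPeer: '10.255.0.2' }
]

resource vpnGateway 'Microsoft.Network/virtualNetworkGateways@2023-05-01' existing = {
  name: vpnGatewayName
}

// One local network gateway per ISP. No static address prefixes are
// declared: the on-prem ranges are learned over BGP, which is what
// avoids the "same address range on two connections" conflict.
resource lng 'Microsoft.Network/localNetworkGateways@2023-05-01' = [for site in sites: {
  name: 'lng-${site.name}'
  location: location
  properties: {
    gatewayIpAddress: site.gatewayIp
    bgpSettings: {
      asn: onPremAsn
      bgpPeeringAddress: site.bgpPeer
    }
  }
}]

// One IPsec connection per ISP from the same gateway, each with BGP
// enabled so a failed tunnel withdraws its routes and traffic moves
// to the surviving tunnel without editing the local network gateway.
resource conn 'Microsoft.Network/connections@2023-05-01' = [for (site, i) in sites: {
  name: 'cn-${site.name}'
  location: location
  properties: {
    connectionType: 'IPsec'
    virtualNetworkGateway1: { id: vpnGateway.id }
    localNetworkGateway2: { id: lng[i].id }
    sharedKey: sharedKey
    enableBgp: true
  }
}]
```

On the on-premises side, the device behind each ISP link must peer with the gateway's BGP address and advertise the same private ranges over both tunnels; if only one tunnel should carry traffic at a time, prefer the standby path with longer AS-path prepending on the on-premises router rather than static prefixes in Azure.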