Tags: azure, azure-vpn, bgp

Azure VPN Gateway BGP APIPA Addresses


I'm working with a supplier to implement Active/Active Site-to-Site IPSec tunnels to two different regions in the same geography. The supplier is using Palo Alto firewalls.

We've managed to establish both tunnels just fine - IKE and IPSec parameters are configured correctly and I can route bidirectionally between Azure and the supplier premises.

Now we're trying to get the route preferences configured so that if the primary tunnel goes down then traffic will automatically be sent over the second tunnel to the second region.

The supplier has requested that we use APIPA addresses for probing whether the tunnels are up or not. No problem, Azure supports APIPA addresses for BGP - but do they respond to ICMP?

What I'm not clear on - despite reading all the MS documentation - is whether the APIPA address configured in the VPN Gateway resource BGP settings is the receiver address or the neighbor address. I'm assuming it's the receiver, and the peer address is configured in the BGP settings of the Local Network Gateway. Correct me if this isn't correct.

The Microsoft documentation says:

Azure VPN Gateway will choose the custom APIPA address if the corresponding local network gateway resource (on-premises network) has an APIPA address as the BGP peer IP.

Does this suggest I can leave the VPN Gateway APIPA empty and Azure will choose one for me? If so, this could be a problem, since the supplier has to specify 2 x /30 address spaces, one for each tunnel and is depending on Azure having a specific address, and the Palo Alto having a specific one. I guess this means I need to configure the address in the VPN first, then configure the peer address in the local gateway?

Aside from that, the supplier only wants to use these addresses for probing by pinging them. I've created BGP configurations in ExpressRoute circuits and can confirm the B-End (Azure) BGP neighbor addresses do respond to ICMP Echo, but I do believe that is only once a successful BGP session has been established.

So my question is, is it possible to specify in an Azure VPN Resource, for example, an APIPA address of 169.254.21.2, a peer address of 169.254.21.1, and without an actual BGP session being established get a ping response from 169.254.21.2. I know it should have TCP 179 open for BGP establishment, but I don't think the Palo Altos can do a port test instead of ping.


Solution

  • I checked with the Azure VPN Product Group team and below is their response on this query:

    While Azure VPN gateways allow specific APIPA addresses for each VPN instance, we cannot utilize a prefix-based approach (/30 with fixed allocation). We are looking into allowing more APIPA addresses on the Azure VPN side to workaround this constraint. But we are still in the design phase right now.

    At present, the VPN gateway will initiate BGP peering sessions to the on-premises BGP peer IP addresses specified in the local network gateway resources using the private IP addresses on the VPN gateways. This is irrespective of whether the on-premises BGP IP addresses are in the APIPA range or regular private IP addresses.

    Reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview#do-azure-vpn-gateways-initiate-bgp-peering-sessions-or-connections

    We can have multiple APIPA addresses (support in the works) created and configured on the gateway without actually having the BGP peers connected, but the requirement for ping is something that we do not support/recommend.
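The question asks which side of each /30 belongs in which Azure resource, and the product group's reply confirms that Azure takes one specific host address per gateway instance rather than the /30 itself. The script below is an added example, not part of the original post or of any Microsoft tooling: it takes the supplier's link prefixes, checks they fall inside the APIPA range Microsoft documents as supported for BGP on Azure VPN gateways (169.254.21.0 to 169.254.22.255), and splits each /30 into the address to set as the VPN gateway's custom BGP IP and the address to set as the BGP peer IP on the local network gateway. The two /30 prefixes in the usage block are constructed to match the 169.254.21.2 / 169.254.21.1 pair from the question; the second prefix is invented for illustration.

```python
import ipaddress

# Range Azure accepts for custom BGP APIPA addresses, per Microsoft's
# VPN Gateway BGP documentation (a documented fact, not from the post).
APIPA_MIN = ipaddress.ip_address("169.254.21.0")
APIPA_MAX = ipaddress.ip_address("169.254.22.255")


def in_azure_apipa_range(addr) -> bool:
    """True if addr (str or IPv4Address) lies in Azure's supported APIPA BGP range."""
    a = ipaddress.ip_address(str(addr))
    return a.version == 4 and APIPA_MIN <= a <= APIPA_MAX


def plan_tunnel(link_prefix: str, azure_takes_higher: bool = True) -> dict:
    """Turn one supplier-provided /30 into the two host addresses Azure needs.

    Azure does not consume the /30 as a prefix; it wants one host address on the
    VPN gateway instance (its custom BGP IP) and expects the other host to be the
    BGP peer IP configured on the local network gateway resource.
    """
    net = ipaddress.ip_network(link_prefix, strict=True)
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"{link_prefix}: expected an IPv4 /30 link prefix")
    low, high = list(net.hosts())  # a /30 has exactly two usable hosts
    for host in (low, high):
        if not in_azure_apipa_range(host):
            raise ValueError(f"{host} is outside Azure's supported APIPA BGP range")
    azure_ip, peer_ip = (high, low) if azure_takes_higher else (low, high)
    return {
        "link_prefix": str(net),
        "vpn_gateway_custom_bgp_ip": str(azure_ip),
        "local_network_gateway_bgp_peer_ip": str(peer_ip),
    }


def plan_active_active(link_prefixes, azure_takes_higher: bool = True) -> list:
    """Plan every tunnel of an active/active setup; refuse overlapping link prefixes."""
    nets = [ipaddress.ip_network(p, strict=True) for p in link_prefixes]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"link prefixes {a} and {b} overlap")
    return [plan_tunnel(p, azure_takes_higher) for p in link_prefixes]


if __name__ == "__main__":
    # Constructed sample: one /30 per tunnel, Azure takes the higher host.
    supplier_links = ["169.254.21.0/30", "169.254.21.4/30"]
    for tunnel in plan_active_active(supplier_links):
        print(tunnel)
```

The plan only produces the address mapping; applying it still means setting the gateway-side address on the VPN gateway (per instance, as the product group describes) and the peer address on the local network gateway. Nothing here probes the addresses: as the reply states, ping against the APIPA address without an established BGP session is not something Azure supports, so tunnel health should be judged from BGP session state rather than from ICMP reachability of these addresses.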