I have set up a S2S connection in Azure with a route based Virtual Network Gateway (VPN) connected to two Local Network Gateways (On premise). I have configured the same static routes on both LGWs. So there are two connections VPN -> Connection 1 --> Primary LGW VPN -> Connection 2 --> Secondary LGW I was after an active-passive like this (but without the BGP requirement) as outlined here: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable I would of thought that only one connection would be up and the other would be down. Both are coming up and showing as "Connected" at the same time. Is that expected and ok? Thanks for helping me it's been quite a learning experience

Hello @Bret Hillier , Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well. I understand that you've up a S2S connection in Azure with a route based Virtual Network Gateway (VPN) connected to two Local Network Gateways (On premise) with the same static routes on both LGWs and both connections are showing as "Connected" at the same time. You would like to know if this is expected. Previously, it was not possible to create VPN connections with overlapping address ranges and it used to fail but this changed when VPN gateway started supporting NAT , and now you can create 2 connections with different LNG IP addresses and same address ranges on the same VPN gateway and both will show connected. But due to the overlapping address ranges, only one connection is used at a specific moment in time (even if both tunnels are UP at MM level) as the VPN gateway will only install one NEXT HOP for STATIC Routes for the on-prem ranges in its routing table. So, this setup is still active-standby and only one connection will work at one time. More information on this can be found in the below thread: https://learn.microsoft.com/en-us/answers/questions/582404/route-table-of-2-tunnels-between-azure-and-on-prem ( this thread discussion is back from 2021 when connection with same address ranges used to show disconnected, but the mechanism still remains the same ). However, it is always best to adhere to the guidelines mentioned in Azure public docs. You should use BGP in such setups as mentioned in the below doc: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#multiple-on-premises-vpn-devices Kindly let us know if the above helps or you need further assistance on this issue. Please " Accept the answer " if the information helped you. This will help us and others in the community as well.

Routing between Azure Virtual Network Gateway and On Premise LGW

Accepted answer

GitaraniSharma-MSFT 48,111 Reputation points Microsoft Employee

2023-08-09T10:42:37.9633333+00:00

Hello @Bret Hillier ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you've up a S2S connection in Azure with a route based Virtual Network Gateway (VPN) connected to two Local Network Gateways (On premise) with the same static routes on both LGWs and both connections are showing as "Connected" at the same time. You would like to know if this is expected.

Previously, it was not possible to create VPN connections with overlapping address ranges and it used to fail but this changed when VPN gateway started supporting NAT, and now you can create 2 connections with different LNG IP addresses and same address ranges on the same VPN gateway and both will show connected.

But due to the overlapping address ranges, only one connection is used at a specific moment in time (even if both tunnels are UP at MM level) as the VPN gateway will only install one NEXT HOP for STATIC Routes for the on-prem ranges in its routing table.

So, this setup is still active-standby and only one connection will work at one time.

More information on this can be found in the below thread:

https://learn.microsoft.com/en-us/answers/questions/582404/route-table-of-2-tunnels-between-azure-and-on-prem (this thread discussion is back from 2021 when connection with same address ranges used to show disconnected, but the mechanism still remains the same).

However, it is always best to adhere to the guidelines mentioned in Azure public docs.

You should use BGP in such setups as mentioned in the below doc:

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#multiple-on-premises-vpn-devices

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

1 person found this answer helpful.
Joe Fulford 101 Reputation points Microsoft Employee

2023-08-09T16:34:59.7666667+00:00

Great response, without BGP this is definitely not Active-Active like you have said. @Bret Hillier , you have your answer here! 😊

Whilst you see two tunnels up, you will only route through one of them.

Bret Hillier 30 Reputation points

2023-08-09T23:23:53.48+00:00

Thank you for such a great answer. The only question I have is - my Virtual Network Gateway sku is VpnGW1 - so NAT is not supported. However both connections are showing as 'Connected' ?

GitaraniSharma-MSFT 48,111 Reputation points Microsoft Employee

2023-08-10T05:22:26.8566667+00:00

@Bret Hillier , yes NAT is only supported on the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ.

But the support for creation of LNGs with overlapping address ranges was added as a whole in Azure to accommodate the use of NAT on few VPN gateway SKUs.

So irrespective of NAT, you are now able to create 2 connections with different LNG IP addresses and same address ranges on the same VPN gateway and both will show connected but only one connection is active/used at a specific moment in time.

Bret Hillier 30 Reputation points

2023-08-10T20:08:08.2066667+00:00

Thank you thank you Gitarani. You are a real treasure! I appreciate you taking the time to answer me. Bye from New Zealand :-)

GitaraniSharma-MSFT 48,111 Reputation points Microsoft Employee

2023-08-11T04:36:43.4833333+00:00

My pleasure @Bret Hillier . Happy to help!

Domenico Iandoli 5 Reputation points

2024-05-16T17:55:54.0133333+00:00

Hello @GitaraniSharma-MSFT ,

thanks for info. We are going to implement the same solution for two S2S VPNs for redundancy using, if possible, static routes, just to keep it simple. We need to move to Azure onprem workloads.

According to your comment, NAT support at VPN Gateway should allow this: could you please explane how it solve and how to configure NAT?

The two S2S VPNs are going to be used also for networks not in overlap: could we still use both connections at the same time? (of course for not overlapping addresses)

Are there some implementation guide available?

Many thanks

Domenico

GitaraniSharma-MSFT 48,111 Reputation points Microsoft Employee

2024-05-17T11:26:08.7966667+00:00

@Domenico Iandoli , I'm not sure if I understand your requirement clearly.

NAT on Azure VPN gateway supports connecting on-premises networks or branch offices to an Azure virtual network with overlapping IP addresses.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/nat-overview

https://learn.microsoft.com/en-us/azure/vpn-gateway/nat-howto

If you don't have overlapping addresses scenario and would just like to add 2 different on-premises sites to a single VPN gateway, that doesn't require NAT.

Azure VPN Gateway supports multiple connections to various Local Network Gateways with different FQDNs, as long as each FQDN resolves to a unique IP address.

So, you should be able to create multiple connections to multiple on-premises sites (non-overlapping addresses) from a single VPN gateway as shown in the below document:

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/add-remove-site-to-site-connections

Regards,

Gita

Domenico Iandoli 5 Reputation points

2024-05-17T13:04:07.0266667+00:00

Hi @GitaraniSharma-MSFT ,

many thanks for fast answer.

Let me try to better explain our use cases. We have already a multisite connection. At the moment we do not have overlapping between site 1 and site 2, so NAT is not set, and everything is fine.

The figure shows the new scenario.

Then, we need to add workloads on Azure. These workloads have to reach other networks (red one), so they have to be added to VPNs. For redundancy these new networks have to be reachable via both VPN connections, so causing overlapping.

As far as I have understood, in case of overlapping (so no NAT set) just one is active for the overlapped addresses?

So, in the normal operation both sites are reachable:

·        “Networks site1” are reachable via site1 VPN.

·        “New networks” (overlapping) are reachable via site1 VPN (assume is the active one)?

·        Are “Networks site2” still reachable via site2 VPN?

If Site1 is down:

·        “Networks site1” are not reachable via site1 VPN (this is fine)

·        “New networks” (overlapping) are reachable via site2 VPN?

·        “Networks site2” are reachable via site2 VPN?

Are the above statements true?

Many thanks

Domenico

GitaraniSharma-MSFT 48,111 Reputation points Microsoft Employee

2024-05-28T13:06:35.01+00:00

@Domenico Iandoli ,

Azure VPN Gateway NAT supports connecting on-premises networks or branch offices to an Azure virtual network with overlapping IP addresses. But the above scenario that you shared doesn't say if the new network will have overlapping address with Azure. So, I'm assuming it doesn't and providing below answer.

The above diagram shows that the new networks will be connected to the existing site1 and site2, so if you are using static routes (without BGP), then you will be adding the new network address spaces to both site1 local network gateway and site2 local network gateway but that will not overlap address spaces with Azure as long as the new network is not using the same address space as the Azure Vnet, so NAT is not required.

But this setup is usually not recommended as overlapping address spaces between multiple connections can cause asymmetric routing.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal#addconnect

To answer your questions below:

Normally, both sites are reachable:

"Networks site1" are reachable via site1 VPN. ---> Yes

"New networks" (overlapping) are reachable via site1 VPN (assume is the active one)? ---> No, there is no active one in this scenario as the 2 connections have different address spaces for site1 and site2 along with the new networks. Azure will have 2 available routes to reach the new networks. So, the connections in this case are separate and any one of the connections can be used when accessing new networks from Azure. No way to find out which will be used when.

Are "Networks site2" still reachable via site2 VPN? ---> Yes

If Site1 is down:

"Networks site1" are not reachable via site1 VPN (this is fine) ---> Yes

"New networks" (overlapping) are reachable via site2 VPN? ---> Yes, if site1 is down, then there is only one available route for the new networks, so it will be reachable via site2 VPN.

"Networks site2" are reachable via site2 VPN? ---> Yes

The best way to setup the above connection is to use BGP and configure AS path prepending to use one path over other when accessing the on-premises networks from Azure.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#does-azure-vpn-gateway-honor-as-path-prepending-to-influence-routing-decisions-between-multiple-connections-to-my-on-premises-sites

Regards,

Gita

Domenico Iandoli 5 Reputation points

2024-05-28T13:57:38.2733333+00:00

Many thanks @GitaraniSharma-MSFT ,

Yes, sorry You are right, for overlapping I was referring to the use of the same route for both connections.

Everything is quite clear now.

Thanks,

Domenico
Sign in to comment

Share via

Routing between Azure Virtual Network Gateway and On Premise LGW

0 additional answers