I would like to send TCP traffic from a Virtual Machine through my primary VPN connection and when it fails go to the Secondary VPN connection but I can not find a failover/load balancer that has that flow for internal non web-application. Any ideas of what could be used? For external IP resources the Traffic Manager works great, but doesn't allow internal flow.

@Patrick Thank you! To do this, you would need a different approach than using a load balancer. I would suggest implementing a BGP based VPN for both Site A and site B and advertising the same prefixes for both sites. Now, If a site goes offline, ideally the route should be withdrawn from the routing table on the Azure side within a few seconds and the active site should take over. Once the offline site comes back, the routing should go back to the primary site. This can be done by using BGP Parameters such as ASN number, weight etc., Here is a document on Azure that talks about the above i.e., Redundancy when using Multiple on-premises VPN devices. Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you! Remember: Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how . Want a reminder to come back and check responses? Here is how to subscribe to a notification.

Is there a Traffic Manager type solution for internal TCP resources, other then HTTP(S)

Accepted answer

SaiKishor-MSFT 17,181 Reputation points

2021-10-19T19:46:41.01+00:00

@Patrick Thank you! To do this, you would need a different approach than using a load balancer. I would suggest implementing a BGP based VPN for both Site A and site B and advertising the same prefixes for both sites.

Now, If a site goes offline, ideally the route should be withdrawn from the routing table on the Azure side within a few seconds and the active site should take over. Once the offline site comes back, the routing should go back to the primary site. This can be done by using BGP Parameters such as ASN number, weight etc.,

Here is a document on Azure that talks about the above i.e., Redundancy when using Multiple on-premises VPN devices. Hope this helps.

Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.
Please sign in to rate this answer.
Patrick 21 Reputation points

2021-10-19T19:56:05.42+00:00

I was afraid that was going to be the answer as I couldn't find any other way. I tried setting up a BGP based VPN but I can't figure out how to get Azure VPN connections to advertise the routes. Currently I just put static routes into the firewalls and it will connect to both, but thats not what I want. I'm missing one simple step somewhere regarding advertising the routes.

Thanks again!

SaiKishor-MSFT 17,181 Reputation points

2021-10-19T20:30:49.16+00:00

@Patrick Once the VPN is up, BGP should be in established state which will then populate the routes automatically into your on-premise Firewall. Please make sure that BGP is in "established" state. If possible please share the BGP state details here so I can assist better. Thank you!

Patrick 21 Reputation points

2021-10-20T04:33:34.373+00:00

I did finally get the BGP Peers to both show connected, but the Azure VM is talking ok through the secondary site when it should be on the primary.

SaiKishor-MSFT 17,181 Reputation points

2021-10-20T07:27:48.177+00:00

@Patrick Glad you got it working. It could be due to better routes advertised via the secondary site vs the primary site. Can you check the advertised routes from Fortigate to Azure on both sites to compare the same?

If possible, please share the details- Here is the command to to give on the Fortigate to show the advertised routes to Azure:

get router info bgp neighbors <neighbor IP> advertised-routes

Hope this helps. Please let us know if you need any further assistance. Thank you!

Patrick 21 Reputation points

2021-10-20T19:18:45.073+00:00

I get them all connected and it seems to be working but I'm missing how I make the Primary A site the preferred route. The VM network I'm connecting from is the 10.10.0.0/22 Network and I'm connecting to my on Premise network 192.168.5.0/24. The 6167 10.0.0.0/24 Network is BGP to another service that is running correctly.

SaiKishor-MSFT 17,181 Reputation points

2021-10-21T17:56:37.1+00:00

@Patrick Looking at your routing info, I see that 10.10.0.0/22 network is being re-advertised from Site A to Site B and then to Azure once again. This will create routing loops. Can you stop advertising this network from Site A to Site B?

Regarding the preference between the sites, you must use Equal-cost multi-path routing (ECMP) and the traffic will be forwarded through these tunnels simultaneously. If one of the tunnels go down, traffic will automatically flow through the other thus providing Failover.

If you see traffic passing through both tunnels(Msgs Recvd/sent incrementing on both the tunnels), that means ECMP is being used.

Hope this helps. Please let me know if you need any further assistance. Thank you!

SaiKishor-MSFT 17,181 Reputation points

2021-10-27T12:03:36.557+00:00

@Patrick Any update?
Sign in to comment

Is there a Traffic Manager type solution for internal TCP resources, other then HTTP(S)

0 additional answers