How does resilience work with Azure active/active gateway?

Sean Dodd 25 Reputation points
2024-04-18T10:57:12.59+00:00

Hi,

I'm trying to understand how the resilience works when we have a single VPN on an Azure VPN Gateway running in active/active mode.

Our existing Azure zone-redundant VPN gateway has multiple active/active VPNs already running on it, but I need to create a new single VPN to a third-party vendor that does not support multiple connections.

I would like to maintain a level of zone redundancy for the single VPN, and I understand that a zone-redundant active/passive gateway would have provided this. But I'm struggling to find out what happens when a zone becomes unavailable with an active/active gateway.

With an active/active gateway during an availability zone outage, does the PIP from the failed zone move to the second gateway node along with the single VPN? Or do we just get a complete outage on them?

Azure VPN Gateway

Accepted answer
    GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
    2024-04-19T11:37:31.8133333+00:00

    Hello @Sean Dodd ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know how resiliency works in an Azure active/active gateway.

    As mentioned in the Azure VPN Highly Available documentation,

    Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically and resume the S2S VPN or VNet-to-VNet connections.

    In an active-active configuration, both instances of the gateway will remain active simultaneously. The traffic from your Azure virtual network to your on-premises network will be routed through both tunnels simultaneously, even if your on-premises VPN device may favor one tunnel over the other. When a planned maintenance or unplanned event happens to one gateway instance, the IPsec tunnel from that instance to your on-premises VPN device will be disconnected. The corresponding routes on your VPN devices should be removed or withdrawn automatically so that the traffic will be switched over to the other active IPsec tunnel (you can talk to your VPN device vendor on the automatic route removal/withdrawal options in your VPN device and configure it accordingly). On the Azure side, the switch over will happen automatically from the affected instance to the active instance.


    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/active-active-portal

    Azure VPN gateways also support Azure availability zones. Deploying gateways in Azure availability zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/about-zone-redundant-vnet-gateways

    I'm struggling to find out what happens when a zone becomes unavailable with an active/active gateway. With an active/active gateway during an availability zone outage, does the PIP from the failed zone move to the second gateway node along with the single VPN? Or do we just get a complete outage on them?

    When a VPN Gateway is deployed in an Availability Zone, each zone has only 1 instance. If a zone fails, then connections on that instance will have to reconnect. This could be auto or manual depending on your configuration. This is the same for both active-active and active-passive configurations. The only difference with active-active is the simultaneous traffic flow on both tunnels, as both instances will be active at the same time.


    And the failover time would be similar to what is mentioned in the Azure VPN gateway redundancy document.

    For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically and resume the S2S VPN or VNet-to-VNet connections. The switch over will cause a brief interruption. For planned maintenance, the connectivity should be restored within 10 to 15 seconds. For unplanned issues, the connection recovery is longer, about 1 to 3 minutes in the worst case. For P2S VPN client connections to the gateway, the P2S connections are disconnected, and the users need to reconnect from the client machines.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#about-vpn-gateway-redundancy

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
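As an added example (not part of the thread, and not Microsoft's own script), the following Azure CLI deployment puts the answer's recommendations into one place: a zone-redundant AZ SKU, one zone-redundant Standard public IP per instance (two IPs is what makes the gateway active-active), and BGP on the single connection so that the tunnel from a failed instance has its routes withdrawn on the on-premises device rather than relying on manual intervention. All resource names, address ranges, ASNs, the on-premises peer address and the pre-shared key are constructed placeholders; `DRY_RUN=1` prints the commands instead of running them so the plan can be reviewed before it touches a subscription.

```shell
#!/usr/bin/env bash
# Added example: zone-redundant active-active Azure VPN gateway with BGP.
# Every name, prefix, ASN and address below is a constructed placeholder.
set -eu

RG="${RG:-rg-vpn-demo}"
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-vnet-hub}"              # must already contain a GatewaySubnet
GW="${GW:-vgw-hub-aa}"
# One public IP per gateway instance; each IP is itself zone-redundant (zones 1 2 3).
PIP1="${PIP1:-pip-${GW}-1}"
PIP2="${PIP2:-pip-${GW}-2}"
AZURE_ASN="${AZURE_ASN:-65515}"       # Azure's default private ASN
# Third-party (on-premises) side: constructed values.
ONPREM_IP="${ONPREM_IP:-203.0.113.10}"
ONPREM_PREFIX="${ONPREM_PREFIX:-192.168.0.0/16}"
ONPREM_ASN="${ONPREM_ASN:-65050}"
ONPREM_BGP_PEER="${ONPREM_BGP_PEER:-192.168.255.1}"
SHARED_KEY="${SHARED_KEY:-REPLACE-WITH-A-STRONG-PSK}"

# run: execute the az command, or print it verbatim when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# AZ gateway SKUs require Standard, static, zone-redundant public IPs.
create_public_ips() {
  for pip in "$PIP1" "$PIP2"; do
    run az network public-ip create -g "$RG" -n "$pip" -l "$LOCATION" \
      --sku Standard --allocation-method Static --zone 1 2 3
  done
}

# Two public IPs make the gateway active-active; the AZ SKU spreads the two
# instances across availability zones. --asn enables BGP on the gateway.
create_gateway() {
  run az network vnet-gateway create -g "$RG" -n "$GW" -l "$LOCATION" \
    --vnet "$VNET" --public-ip-addresses "$PIP1" "$PIP2" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1AZ \
    --asn "$AZURE_ASN"
}

# A single local network gateway and a single connection object. With BGP
# enabled, each gateway instance brings up its own tunnel and BGP session to the
# on-premises device; when an instance (or its zone) goes down, that session
# drops and its routes are withdrawn, so traffic moves to the surviving tunnel.
create_connection() {
  run az network local-gateway create -g "$RG" -n "lgw-vendor" -l "$LOCATION" \
    --gateway-ip-address "$ONPREM_IP" --local-address-prefixes "$ONPREM_PREFIX" \
    --asn "$ONPREM_ASN" --bgp-peering-address "$ONPREM_BGP_PEER"
  run az network vpn-connection create -g "$RG" -n "cn-vendor" -l "$LOCATION" \
    --vnet-gateway1 "$GW" --local-gateway2 "lgw-vendor" \
    --shared-key "$SHARED_KEY" --enable-bgp
}

deploy() {
  create_public_ips
  create_gateway
  create_connection
}

# Usage: sh deploy-aa-gateway.sh plan   (print the commands)
#        sh deploy-aa-gateway.sh apply  (run them against the current subscription)
case "${1:-}" in
  plan)  DRY_RUN=1 deploy ;;
  apply) deploy ;;
esac
```

One caveat that follows from the answer's description of active-active: even with a single connection resource, the on-premises device sees one IPsec tunnel (and one BGP peer) per gateway instance, so a vendor that can only terminate one tunnel still gets two. If that is the constraint, the zone-redundant active-passive gateway the question mentions keeps a single tunnel, and the same reconnect behaviour on zone failure (automatic with BGP, otherwise manual route changes) applies.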

