MandarKulkarni-4816 asked · GitaraniSharmaMSFT-4262 commented

Redundant VPN between on-prem and Azure, site-to-site.

We are looking to build a redundant VPN between our on-prem firewall and Azure through a site-to-site VPN.

On the firewall side we have a single IP shared on both firewalls, so redundancy is achieved there; I need more understanding of the Azure side.

Why go for an active-active Azure VPN gateway if the Azure VPN gateway itself offers redundancy? That is my basic question.

As we cannot control traffic coming from Azure in active-active, how do we tackle the asymmetric routing issue?

Is BGP really required for the active-active model?

IKEv1 or IKEv2? Any specific reason to go for IKEv2?

Thanks for help in advance.

Tags: azure-virtual-network, azure-vpn-gateway

Hello @MandarKulkarni-4816 ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Gita


Hello @MandarKulkarni-4816 ,

Could you please provide an update on this post?

Kindly let us know if the above helps or you need further assistance on this issue.


Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.


Hello @MandarKulkarni-4816 ,

Could you please provide an update on this post?

Thanks,
Gita


1 Answer

GitaraniSharmaMSFT-4262 answered

Hello @MandarKulkarni-4816 ,

Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN connections.

If you create an Azure VPN gateway in an active-active configuration, both instances of the gateway VMs will establish S2S VPN tunnels to your on-premises VPN device. In this configuration, each Azure gateway instance will have a unique public IP address, and each will establish an IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network gateway and connection. Note that both VPN tunnels are actually part of the same connection. You will still need to configure your on-premises VPN device to accept or establish two S2S VPN tunnels to those two Azure VPN gateway public IP addresses. Because the Azure gateway instances are in active-active configuration, the traffic from your Azure virtual network to your on-premises network will be routed through both tunnels simultaneously, even if your on-premises VPN device may favor one tunnel over the other.

When a planned maintenance or unplanned event happens to one gateway instance, the IPsec tunnel from that instance to your on-premises VPN device will be disconnected. The corresponding routes on your VPN devices should be removed or withdrawn automatically so that the traffic will be switched over to the other active IPsec tunnel. On the Azure side, the switch over will happen automatically from the affected instance to the active instance.

Is BGP really required for the active-active model? - The answer depends on your setup, as there are 3 highly available configuration options, as below:

1) If you want to use multiple VPN devices from your on-premises network to connect to your Azure VPN gateway, BGP is required for this configuration.

2) If you just want to create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs will establish S2S VPN tunnels to your single on-premises VPN device, BGP is not required for this configuration.
For this configuration, you just have to keep "Enable active-active mode: Enabled" in your VPN gateway.
The active-active mode is available for all SKUs except Basic.

3) If you want to combine the active-active gateways on both your network and Azure for dual redundancy, BGP is required for this configuration.

Please refer to the articles below for more information:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell

IKEv1 or IKEv2? - Depends on your requirement.

The only limitation on Azure is that BGP is supported on route-based VPN gateways only.
Please refer to: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview#can-i-use-bgp-with-azure-policy-vpn-gateways

However, IKEv1 connections can be created on all RouteBased VPN type SKUs, except the Basic SKU, Standard SKU, and other legacy SKUs. You can specify a connection protocol type of IKEv1 or IKEv2 while creating connections. If you do not specify a connection protocol type, IKEv2 is used as default option where applicable.
Please refer to: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto#about-ikev1-and-ikev2-for-azure-vpn-connections

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
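The following Az PowerShell script is an added worked example (not part of the answer above and not Microsoft's own sample) that wires together the points the answer makes for option 3: a route-based, active-active Azure VPN gateway with two public IPs, BGP enabled on the gateway, the local network gateway and the connection, and the connection protocol pinned to IKEv2. All resource names, address ranges, ASNs, the on-premises public IP and the pre-shared key are placeholders that you would replace with your own values; the status checks at the end are what you would look at to confirm both tunnels and both BGP peers are up.

```powershell
# Added example: active-active Azure VPN gateway with BGP and IKEv2 (Az module).
# All names, prefixes, ASNs and IPs below are constructed placeholders.
$rg       = "rg-vpn-example"
$location = "westeurope"
$vnetName = "vnet-hub"

# The gateway needs a subnet literally named "GatewaySubnet" in the VNet.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$gwSub  = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

# Active-active: each gateway instance gets its own public IP, so allocate two.
$pip1 = New-AzPublicIpAddress -Name "pip-vpngw-1" -ResourceGroupName $rg -Location $location `
          -AllocationMethod Static -Sku Standard
$pip2 = New-AzPublicIpAddress -Name "pip-vpngw-2" -ResourceGroupName $rg -Location $location `
          -AllocationMethod Static -Sku Standard

$ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf1" -SubnetId $gwSub.Id -PublicIpAddressId $pip1.Id
$ipconf2 = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf2" -SubnetId $gwSub.Id -PublicIpAddressId $pip2.Id

# Route-based is mandatory for BGP; active-active needs a SKU other than Basic.
# -Asn sets the private ASN the Azure gateway will advertise to your firewall.
$azureAsn = 65515
$vpnGw = New-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg -Location $location `
           -IpConfigurations $ipconf1, $ipconf2 -GatewayType Vpn -VpnType RouteBased `
           -GatewaySku VpnGw1 -EnableActiveActiveFeature -Asn $azureAsn

# Local network gateway = the on-premises side. With BGP, the address prefix only
# needs to cover the firewall's BGP peer address; learned routes replace static ones.
$onpremAsn = 65010
$lng = New-AzLocalNetworkGateway -Name "lng-onprem-fw" -ResourceGroupName $rg -Location $location `
         -GatewayIpAddress "203.0.113.10" -AddressPrefix "10.255.255.254/32" `
         -Asn $onpremAsn -BgpPeeringAddress "10.255.255.254"

# One connection object covers both tunnels (one per gateway instance).
# -EnableBgp turns on BGP for the session; -ConnectionProtocol pins IKEv2.
$psk = "REPLACE-WITH-A-LONG-RANDOM-PRESHARED-KEY"
$conn = New-AzVirtualNetworkGatewayConnection -Name "cn-onprem-fw" -ResourceGroupName $rg -Location $location `
          -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
          -SharedKey $psk -EnableBgp $true -ConnectionProtocol IKEv2

# Verification: connection status, and one BGP peer entry per active gateway instance.
Get-AzVirtualNetworkGatewayConnection -Name "cn-onprem-fw" -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, EnableBgp, ConnectionProtocol
Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName "vpngw-hub" -ResourceGroupName $rg |
    Select-Object LocalAddress, Neighbor, State, RoutesReceived
```

On the firewall side you would configure two IKEv2 tunnels, one to each of the two gateway public IPs, and BGP sessions to both Azure BGP peer addresses (visible via `Get-AzVirtualNetworkGateway` under `BgpSettings`). If you only want option 2 from the answer (active-active on Azure, single on-prem device, no BGP), drop `-Asn`, `-BgpPeeringAddress` and `-EnableBgp` and give the local network gateway the full on-prem address prefixes instead.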
