Active/Active Azure S2S VPN and asymmetric routing

Nabil Zayyad
2021-07-23T10:32:22.94+00:00

Hi experts,

I have a doubt regarding design and configuration for an Active/Active S2S VPN deployment.

I understand that with this deployment you set up 2 S2S VPNs between the Azure gateways and your on-premise VPN device, and that traffic from Azure to the on-premise network uses both tunnels simultaneously. If the on-premise VPN device is a firewall this could cause problems with asymmetric routing, as firewalls usually drop asymmetric traffic.

Is it possible to use BGP to control the traffic path using BGP metrics in the on-premise configuration? I was thinking AS-PATH prepend to influence traffic from Azure and Local Preference for traffic to Azure.

I know that with this configuration you end up with an Active/Passive setup for the 2 VPNs, however the Active/Active configuration is mandatory if you want to use Azure Route Server.

Thanks for the thoughts.


Accepted answer
  1. GitaraniSharma-MSFT (Microsoft Employee)
    2021-07-26T18:01:44.943+00:00

    Hello @Nabil Zayyad ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    To provide better availability for your cross premises connections, there are 3 HA options available as below:

    1) If you want to use multiple VPN devices from your on-premises network to connect to your Azure VPN gateway, BGP is required for this configuration.

    2) If you just want to create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs will establish S2S VPN tunnels to your single on-premises VPN device, BGP is not required for this configuration.
    For this configuration, you just have to keep "Enable active-active mode" set to Enabled in your VPN gateway.
    The active-active mode is available for all SKUs except Basic.

    3) If you want to combine the active-active gateways on both your network and Azure for Dual-redundancy, BGP is required for this configuration.

    And if you want to use Azure Route server, then yes you need BGP routing protocol and Azure VPN gateway must be configured in active-active mode (which is explained in point 2 above as a setting in your VPN gateway).

    Azure VPN gateway will honor AS Path prepending to help make routing decisions when BGP is enabled. A shorter AS Path will be preferred in BGP path selection.
    Reference : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#does-azure-vpn-gateway-honor-as-path-prepending-to-influence-routing-decisions-between-multiple-connections-to-my-on-premises-sites

    And as you rightly mentioned, to avoid asymmetric routing while using BGP with a firewall, you can use local preference for your local routes.
    You may refer to the article below, which shows the exact issue:
    https://live.paloaltonetworks.com/t5/general-topics/vpn-from-two-pas-to-azure-with-asymmetrical-routing-using-bgp/td-p/378269

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

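How the two knobs from the accepted answer fit together, as an added example that is not from the original thread or from Microsoft: a small Python model of simplified BGP best-path selection (highest LOCAL_PREF, then shortest AS_PATH, then lowest MED, then a neighbor-address tie-break) run over the two-tunnel topology. It shows why an untuned active-active gateway produces asymmetric flows (Azure load-shares over both tunnels while the firewall picks one), why AS-path prepending on tunnel B plus a higher local preference on tunnel A makes both directions use tunnel A, and that the same policy still fails over to tunnel B when tunnel A is down. ASN 65515 is the Azure VPN gateway default; the on-premises ASN 65010, the prefixes and the peer addresses are constructed for the example, and treating the Azure gateway as one ECMP route table is a deliberate simplification of the two gateway instances. Real firewalls express the same policy through route-maps or import/export policies, so the syntax on the device will differ.

```python
"""Simplified BGP best-path selection for a two-tunnel active-active S2S VPN.

Comparison order is the standard one (highest LOCAL_PREF, shortest AS_PATH,
lowest MED, then lowest neighbor address as a tie-break); the rest of the real
BGP decision process is omitted. ASNs other than 65515, prefixes and peer
addresses are constructed for the example. The Azure gateway is modelled as a
single route table that installs all equal paths (ECMP), which is what makes an
untuned active-active gateway send Azure-to-on-prem traffic over both tunnels.
"""
from dataclasses import dataclass
from typing import List, Sequence

AZURE_ASN = 65515            # Azure VPN gateway default ASN
ONPREM_ASN = 65010           # constructed on-premises ASN
AZURE_PREFIX = "10.1.0.0/16"   # constructed VNet address space
ONPREM_PREFIX = "10.0.0.0/16"  # constructed on-premises address space


@dataclass
class Path:
    prefix: str
    tunnel: str            # "A" or "B": the S2S tunnel the advertisement arrived on
    neighbor: str          # BGP peer address the route was learned from
    as_path: List[int]
    local_pref: int = 100
    med: int = 0


def best_paths(paths: Sequence[Path], multipath: bool) -> List[str]:
    """Return the tunnels a BGP speaker forwards over for one prefix.

    multipath=True keeps every path that survives the LOCAL_PREF / AS_PATH /
    MED comparison (ECMP); multipath=False breaks the remaining tie on the
    lowest neighbor address so exactly one tunnel is returned.
    """
    candidates = list(paths)
    if not candidates:
        return []
    top_lp = max(p.local_pref for p in candidates)
    candidates = [p for p in candidates if p.local_pref == top_lp]
    shortest = min(len(p.as_path) for p in candidates)
    candidates = [p for p in candidates if len(p.as_path) == shortest]
    lowest_med = min(p.med for p in candidates)
    candidates = [p for p in candidates if p.med == lowest_med]
    if not multipath:
        candidates = [min(candidates, key=lambda p: p.neighbor)]
    return sorted(p.tunnel for p in candidates)


def azure_view(prepend_tunnel_b: bool, tunnels_up: Sequence[str] = ("A", "B")) -> List[str]:
    """Tunnels the Azure gateway uses to reach ONPREM_PREFIX.

    The on-prem device advertises the prefix on both BGP sessions; with
    prepend_tunnel_b it adds two extra copies of its own ASN on the tunnel-B
    session, and Azure honors the shorter AS_PATH seen on tunnel A.
    """
    paths = []
    if "A" in tunnels_up:
        paths.append(Path(ONPREM_PREFIX, "A", "10.0.255.1", [ONPREM_ASN]))
    if "B" in tunnels_up:
        hops = [ONPREM_ASN] * (3 if prepend_tunnel_b else 1)
        paths.append(Path(ONPREM_PREFIX, "B", "10.0.255.1", hops))
    return best_paths(paths, multipath=True)


def onprem_view(local_pref_tunnel_a: bool, tunnels_up: Sequence[str] = ("A", "B")) -> List[str]:
    """Tunnels the on-prem firewall uses to reach AZURE_PREFIX.

    Both Azure gateway instances advertise the prefix with the same AS_PATH.
    With local_pref_tunnel_a the firewall raises LOCAL_PREF on routes learned
    from the tunnel-A peer so tunnel A wins deterministically; without it the
    choice falls to the neighbor-address tie-break.
    """
    paths = []
    if "A" in tunnels_up:
        paths.append(Path(AZURE_PREFIX, "A", "10.1.255.4", [AZURE_ASN],
                          local_pref=200 if local_pref_tunnel_a else 100))
    if "B" in tunnels_up:
        paths.append(Path(AZURE_PREFIX, "B", "10.1.255.5", [AZURE_ASN]))
    return best_paths(paths, multipath=False)


def is_symmetric(azure: List[str], onprem: List[str]) -> bool:
    """True when both directions use the same single tunnel (firewall-safe)."""
    return len(azure) == 1 and azure == onprem


if __name__ == "__main__":
    scenarios = [
        ("untuned active-active", azure_view(False), onprem_view(False)),
        ("prepend + local-pref", azure_view(True), onprem_view(True)),
        ("tunnel A down", azure_view(True, ("B",)), onprem_view(True, ("B",))),
    ]
    for label, azure, onprem in scenarios:
        print(f"{label:22s} Azure->on-prem {azure}  on-prem->Azure {onprem}  "
              f"symmetric={is_symmetric(azure, onprem)}")
```

Running it prints the untuned case as Azure using tunnels A and B while the firewall uses only A (asymmetric), the tuned case as A in both directions, and the failover case as B in both directions. The local preference on the firewall matters even though the tie-break happened to pick A here: it makes the on-prem choice follow policy rather than whichever peer address sorts lowest, so the two knobs stay aligned.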
