question

nabilzay asked LVThyDng-1512 commented

Active/Active Azure S2S VPN and asymmetric routing

Hi experts,

I have a doubt regarding design and configuration for an Active/Active S2S VPN deployment.

I understand that with this deployment you set up 2 S2S VPNs between Azure Gateways and your on-premise VPN device, and that traffic from Azure to the on-premise network uses both tunnels simultaneously. If the on-premise VPN device is a Firewall this could cause problems with asymmetric routing as firewalls usually drop asymmetric traffic.

Is it possible to use BGP to control the traffic path using BGP metrics on the on-premise configuration? I was thinking AS-PATH prepend to influence traffic from Azure and Local Preference for traffic to Azure.

I know that with this configuration you end up with an Active/Passive setup for the 2 VPNs, however the Active/Active configuration is mandatory if you want to use Azure Route Server.

Thanks for the thoughts.

azure-vpn-gateway

1 Answer

GitaraniSharmaMSFT-4262 answered LVThyDng-1512 commented

Hello @nabilzay ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

To provide better availability for your cross premises connections, there are 3 HA options available as below:

1) If you want to use multiple VPN devices from your on-premises network to connect to your Azure VPN gateway, BGP is required for this configuration.

2) If you just want to create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs will establish S2S VPN tunnels to your single on-premises VPN device, BGP is not required for this configuration.
For this configuration, you just have to keep the Enable active-active mode: Enabled in your VPN gateway.
The active-active mode is available for all SKUs except Basic.

3) If you want to combine the active-active gateways on both your network and Azure for Dual-redundancy, BGP is required for this configuration.

And if you want to use Azure Route server, then yes you need BGP routing protocol and Azure VPN gateway must be configured in active-active mode (which is explained in point 2 above as a setting in your VPN gateway).

Azure VPN gateway will honor AS Path prepending to help make routing decisions when BGP is enabled. A shorter AS Path will be preferred in BGP path selection.
Reference : https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#does-azure-vpn-gateway-honor-as-path-prepending-to-influence-routing-decisions-between-multiple-connections-to-my-on-premises-sites

And as you rightly mentioned, to avoid asymmetric routing while using BGP with Firewall, you can use local preference for your local routes.
You may refer to the below article which shows the exact issue:
https://live.paloaltonetworks.com/t5/general-topics/vpn-from-two-pas-to-azure-with-asymmetrical-routing-using-bgp/td-p/378269

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
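An added illustration of the routing behaviour discussed in this answer (not part of the original thread and not Microsoft's code): a simplified model of BGP path selection showing that AS-path prepending alone pins only the Azure-to-on-premises direction, while combining it with local preference puts both directions on one tunnel and still fails over together. The on-premises ASN 65010, the tunnel names and the local-preference value are assumptions; only the LOCAL_PREF and AS_PATH length steps of best-path selection are modelled.

```python
from dataclasses import dataclass

ONPREM_ASN = 65010  # assumed private ASN for the on-premises firewall
AZURE_ASN = 65515   # default ASN of an Azure VPN gateway

@dataclass(frozen=True)
class Route:
    tunnel: str            # tunnel the advertisement arrived on
    as_path: tuple         # AS_PATH as received
    local_pref: int = 100  # assigned by the receiver's inbound policy

def best_tunnels(routes):
    """Simplified BGP decision: highest LOCAL_PREF, then shortest AS_PATH.
    Routes still tied after both steps are all used (multipath)."""
    if not routes:
        return set()
    top = max(r.local_pref for r in routes)
    cands = [r for r in routes if r.local_pref == top]
    shortest = min(len(r.as_path) for r in cands)
    return {r.tunnel for r in cands if len(r.as_path) == shortest}

def simulate(prepend=0, primary_local_pref=100, up=("tunnel1", "tunnel2")):
    """Return (tunnels Azure uses toward on-prem, tunnels on-prem uses toward Azure)."""
    # On-prem prefix as Azure receives it; tunnel2 carries the prepended AS_PATH.
    at_azure = [Route("tunnel1", (ONPREM_ASN,)),
                Route("tunnel2", (ONPREM_ASN,) * (1 + prepend))]
    # VNet prefix as on-prem receives it; inbound policy raises LOCAL_PREF on tunnel1.
    at_onprem = [Route("tunnel1", (AZURE_ASN,), primary_local_pref),
                 Route("tunnel2", (AZURE_ASN,))]
    # A tunnel that is down withdraws the routes learned over it.
    alive = lambda rs: [r for r in rs if r.tunnel in up]
    return best_tunnels(alive(at_azure)), best_tunnels(alive(at_onprem))

def is_symmetric(result):
    """Symmetric only if both directions settle on the same single tunnel."""
    azure_side, onprem_side = result
    return azure_side == onprem_side and len(azure_side) == 1

if __name__ == "__main__":
    cases = {
        "no policy": simulate(),
        "prepend only": simulate(prepend=2),
        "prepend + local-pref": simulate(prepend=2, primary_local_pref=200),
        "policy, tunnel1 down": simulate(2, 200, up=("tunnel2",)),
    }
    for name, res in cases.items():
        print(f"{name:22} azure->onprem={sorted(res[0])} "
              f"onprem->azure={sorted(res[1])} symmetric={is_symmetric(res)}")
```
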


Hi @GitaraniSharmaMSFT-4262

I have a few questions with the case 2 that you have given, can you please help me answer them?
- BGP is not required for this configuration. => What routing protocol can I use, can I use static route?
- If using a static route, when one of the tunnels is disconnected, will traffic automatically shift to the remaining tunnels?

Thank you

Duong Le




Hello @LVThyDng-1512 ,

BGP is an optional feature you can use with Azure Route-Based VPN gateways. You can continue to use Azure VPN gateways without BGP. It is the equivalent of using static routes. You would have to configure static routes on your on-premise VPN device depending on its model by referring to the below doc:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#devicetable

In Azure VPN Active-Active configuration, each Azure gateway instance will have a unique public IP address, and each will establish an IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network gateway and connection. You will need to configure your on-premises VPN device to accept or establish two S2S VPN tunnels to those two Azure VPN gateway public IP addresses.

Because the Azure gateway instances are in active-active configuration, the traffic from your Vnet to your on-premises will be routed through both tunnels simultaneously, even if your on-premises VPN device may favor one tunnel over the other.

When a planned maintenance happens to one gateway instance, the IPsec tunnel from that instance to your on-premises VPN device will be disconnected. On the Azure side, the switch over will happen automatically from the affected instance to the active instance. But on your on-premise VPN device, the corresponding routes should be removed or withdrawn automatically so that the traffic will be switched over to the other active IPsec tunnel. To configure this, you may need to contact your VPN device support.

Regards,
Gita


Thanks so much for your answer, @GitaraniSharmaMSFT-4262 !

Regards,
Duong Le
