LVThyDng-1512 asked

Route table of 2 tunnels between Azure and On Prem VPN

I want to create 2 tunnels between Azure and my On Prem VPN (VPN Gateway 1 <=> On Prem VPN 1, VPN Gateway 2 <=> On Prem VPN 2).
I need to use failover static route for these 2 tunnels, so how should I route on Azure for it to be done.

Thanks,
Duong Le

azure-vpn-gateway

Or like the image I attached, but is it okay to use static routes? I am currently using static routes for these tunnels.

0 Votes 0 ·

Hello @LVThyDng-1512 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I would like to clarify a few points to get a better understanding of your requirement:

You have mentioned you want to create 2 tunnels between Azure and your On Prem VPN (VPN Gateway 1 <=> On Prem VPN 1, VPN Gateway 2 <=> On Prem VPN 2). I believe you wanted to say this: (VPN Gateway 1 <=> On Prem VPN 1, VPN Gateway 1 <=> On Prem VPN 2), which is 1 VPN gateway in Azure with 2 on-premises VPN devices. Could you confirm?
The diagram you shared is set up using the BGP routing protocol for automatic failover. But you want to use static routes, is that correct?

Regards,
Gita

0 Votes 0 ·

Hi @GitaraniSharmaMSFT-4262

I want to setup using static route for automatic failover for those 2 tunnels.

  • Case 1: 1 VPN gateway in Azure with 2 on-premises VPN devices.

  • Case 2: 2 VPN gateways in Azure with 2 on-premises VPN devices.

In which of those 2 cases can I use static routes for automatic failover for those 2 tunnels? If so, how should I set up the route table on Azure?

Thanks,
Duong Le

0 Votes 0 ·

1 Answer

GitaraniSharmaMSFT-4262 answered

Hello @LVThyDng-1512 ,

Thank you for the update.

Case 1:
In case you want automatic failover between 2 VPN tunnels configured with 1 Azure VPN gateway & 2 on-premises VPN devices, then using BGP will allow the two connections to the same on-premises network to be UP at the same time and will support automatic and flexible prefix updates.
Refer : https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#multiple-on-premises-vpn-devices

In case you want to use static routes, you need to set up a connection with an LNG (local network gateway) pointing to VPN device 1, having the on-premises address range. Then create another connection with a 2nd LNG having the public IP of VPN device 2 and the same on-premises address range in there as well.

What you will see is that, since both connections have the same local range (which causes an overlap), only the first one will come up while the second one will show as disconnected, but the moment the first connection goes down, the second one will come up. So on the Azure side, it will be taken care of automatically as long as you have the VPN gateway with 2 connections to the same on-premises site via 2 different local network gateways configured with 2 different VPN devices.

Case 2:
I'm not sure why you would want to set up case 2, where you have 2 VPN gateways in Azure with 2 on-premises VPN devices, but this setup will not work if you have a single VNet in Azure to access your resources, as each virtual network can have only one VPN gateway.
Refer : https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

If you want to deploy the VPN gateway to a different VNet and peer that VNet with your other existing VNets, then this setup is possible, but then again it will be 2 different tunnels unless you create cross connections between the 2 VPN gateways & 2 VPN devices, which will consist of a total of 4 tunnels as below:

VPN gateway 1 ---> On-premise VPN 1
VPN gateway 1 ---> On-premise VPN 2
VPN gateway 2 ---> On-premise VPN 1
VPN gateway 2 ---> On-premise VPN 2

And the configuration & failover mechanism will be similar to what I explained above in the case 1 static routes scenario.

But with BGP, this setup will simplify to 1 VPN gateway with active-active configuration & 2 on-premises VPN devices, as explained in the article below:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#dual-redundancy-active-active-vpn-gateways-for-both-azure-and-on-premises-networks

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

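The case 1 static-route setup described in the answer above (one Azure VPN gateway, two local network gateways that both carry the same on-premises address range, and two IPsec connections with BGP disabled) can be expressed as a Bicep template. The block below is an added example, not code from the answer or from Microsoft's documentation. The gateway name, device public IPs, address prefix and resource names are placeholder parameters; the gateway itself is assumed to already exist in the same resource group.

```bicep
// Added example (not from the original answer): one existing Azure VPN gateway
// with two connections to two on-premises VPN devices, static routing (no BGP).
// Every parameter default below is a placeholder, not a real address or name.

@description('Existing route-based VPN gateway in this resource group (placeholder name).')
param vpnGatewayName string = 'vpngw-hub'

@description('Public IP of on-premises VPN device 1 (placeholder, documentation range).')
param onPremDevice1Ip string = '203.0.113.10'

@description('Public IP of on-premises VPN device 2 (placeholder, documentation range).')
param onPremDevice2Ip string = '203.0.113.20'

@description('On-premises address range. Deliberately identical on both LNGs so that Azure treats the two connections as primary/backup for that range.')
param onPremAddressPrefix string = '10.10.0.0/16'

@secure()
@description('IPsec pre-shared key for the tunnel to device 1.')
param sharedKeyDevice1 string

@secure()
@description('IPsec pre-shared key for the tunnel to device 2.')
param sharedKeyDevice2 string

param location string = resourceGroup().location

// Reference the gateway that is already deployed; this template does not create it.
resource vpnGateway 'Microsoft.Network/virtualNetworkGateways@2023-05-01' existing = {
  name: vpnGatewayName
}

// One local network gateway per on-premises device. The only difference between
// them is gatewayIpAddress; the address space is the same on purpose.
resource lngDevice1 'Microsoft.Network/localNetworkGateways@2023-05-01' = {
  name: 'lng-onprem-device1'
  location: location
  properties: {
    gatewayIpAddress: onPremDevice1Ip
    localNetworkAddressSpace: {
      addressPrefixes: [ onPremAddressPrefix ]
    }
  }
}

resource lngDevice2 'Microsoft.Network/localNetworkGateways@2023-05-01' = {
  name: 'lng-onprem-device2'
  location: location
  properties: {
    gatewayIpAddress: onPremDevice2Ip
    localNetworkAddressSpace: {
      addressPrefixes: [ onPremAddressPrefix ]
    }
  }
}

// Two IPsec connections from the same VPN gateway, enableBgp set to false so the
// LNG address space is used as a static route. Azure brings up only one of the
// two connections for the overlapping range at a time; the other shows
// NotConnected until the first tunnel drops.
resource connDevice1 'Microsoft.Network/connections@2023-05-01' = {
  name: 'conn-vpngw-to-device1'
  location: location
  properties: {
    connectionType: 'IPsec'
    enableBgp: false
    virtualNetworkGateway1: {
      id: vpnGateway.id
      properties: {}
    }
    localNetworkGateway2: {
      id: lngDevice1.id
      properties: {}
    }
    sharedKey: sharedKeyDevice1
  }
}

resource connDevice2 'Microsoft.Network/connections@2023-05-01' = {
  name: 'conn-vpngw-to-device2'
  location: location
  properties: {
    connectionType: 'IPsec'
    enableBgp: false
    virtualNetworkGateway1: {
      id: vpnGateway.id
      properties: {}
    }
    localNetworkGateway2: {
      id: lngDevice2.id
      properties: {}
    }
    sharedKey: sharedKeyDevice2
  }
}

output connectionIds array = [ connDevice1.id, connDevice2.id ]
```

Deploy it with `az deployment group create --resource-group <rg> --template-file <file>.bicep --parameters sharedKeyDevice1=<key1> sharedKeyDevice2=<key2>` (resource group, file name and keys are placeholders). Afterwards, `az network vpn-connection show --resource-group <rg> --name conn-vpngw-to-device1 --query connectionStatus` and the same query for `conn-vpngw-to-device2` should return one `Connected` and one `NotConnected`, which is the behaviour the answer describes. No user-defined route table is needed on the Azure side for this to work: the address space of the local network gateway is injected into the VNet's system routes with the VPN gateway as the next hop, so failover is handled by the gateway switching which connection is up rather than by any route you maintain.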

Thank you very much, @GitaraniSharmaMSFT-4262
Your information is very helpful to me.

Regards,

Duong Le

1 Vote 1 ·

Hi @GitaraniSharmaMSFT-4262

I have one more problem that I need your help with.

For Case 1: If I use 1 VPN Gateway and 2 On Prem VPNs, and the VPN Gateway uses active-active mode and static routes, is it still ok? So will the configuration & failover mechanism be the same as what you explained above in the case 1 static routes scenario, or is there something else that changes?

Thanks,
Duong Le

0 Votes 0 ·

Hello @LVThyDng-1512 ,

If you use 1 VPN Gateway and 2 On Prem VPN devices but the VPN Gateway uses active-active mode and static routes, you would need to create 4 connections.
Active-active gateways have two Gateway IP configurations and two public IP addresses.
Refer : https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#active-active-vpn-gateways
https://docs.microsoft.com/en-us/azure/vpn-gateway/active-active-portal

This means the connectivity to your on-premises devices should be enabled between both your on-prem VPN device IPs and both public IPs of the Azure VPN gateway. So, you will create 2 local network gateways but 4 connections as below:

VPN gateway Public IP address 1 ---> On-premise VPN 1
VPN gateway Public IP address 1 ---> On-premise VPN 2
VPN gateway Public IP address 2 ---> On-premise VPN 1
VPN gateway Public IP address 2 ---> On-premise VPN 2

The failover mechanism will be similar to what I explained in the case 1 static routes scenario.

Thanks,
Gita

1 Vote 1 ·

Thanks for your support, @GitaraniSharmaMSFT-4262

Regards,

Duong Le

1 Vote 1 ·