

Add A second Public IP to a S2S VPN

Question

Monday, April 15, 2019 9:36 AM

Hello team

I have a customer who has an S2S connection established with Azure. It is working well, but the customer wants to add some redundancy so that when one ISP is down, the second ISP can take the lead.

I am not a network guy, so I want to know:

1: Is there a possibility to have an active/passive setup with an S2S VPN in Azure?

2: Is it possible to modify the existing Azure gateway and just add the second public IP? Will it work? Does that assure redundancy?

3: Is there a guide I can read to achieve this? Somewhere I read that there is BGP involved in this configuration; is that true?

All replies (10)

Monday, April 15, 2019 9:40 AM

Hi,

This is quite easy to set up, which is nice. To have a second IP, you'll want to enable active/active mode on the VPN Gateway (you will need to create a new public IP for this first, in the same SKU as the VPN Gateway, so that it can be used).

Once that has been done, you just need to update the config on the remote firewall to include the second IP address. You can download the config, once the second IP has been added, from the 'Connections' blade of the VPN Gateway.

Let me know if you have any further questions.

Thanks,
Matt


Monday, April 15, 2019 9:46 AM

Hello Bradley 

Thank you for your answer, but I can't see in the portal the option to activate an active-active config on the Azure gateway,

and secondly to add a second IP.

Or, if you can, direct me to a guide to accomplish this.


Monday, April 15, 2019 9:52 AM

Hi,

The active/active setting is shown below:

And a guide to create the public IP is here: /en-us/azure/virtual-network/virtual-network-public-ip-address

It is worth noting, though, that even though the VPN by default only has 1 IP, there is built-in redundancy with the VPN Gateway appliance. It would just cause a small amount of downtime if the main appliance had an issue.


Monday, April 15, 2019 10:11 AM

Hello Brad

Thanks, I saw the option.

But just to make myself clear:

The customer has 2 ISPs with 2 different public IPs. I want to 'add' his second IP in the VPN configuration, not really 'create' an IP on the Azure side.

Is what you are proposing going to help me achieve this objective?


Monday, April 15, 2019 10:21 AM

Hello Brad

During the initial setup I created this as a 'Local Network Gateway', and during the setup you specify the public IP address of the first ISP and the local networks attached.

Now what I want is to update this configuration and have a second public IP for the second ISP in this local network gateway.

I hope I made it clear now.


Monday, April 15, 2019 10:25 AM

Ah, I see. Apologies, my answer was for increased redundancy at the Azure side.

As far as I am aware, only 1 IP can be added to the Azure local network gateway.

Thanks,
Matt


Monday, April 29, 2019 9:32 AM

As I could understand from the previous communications, you were looking at redundancy issues for failback.

If your S2S fails due to any issues, I don't understand how 2 IPs can help. I think you might need to consider ExpressRoute and keep S2S as your failback option. This is the normal procedure to keep as a failback option.

If you can't set up ExpressRoute, you may like to check other connectivity options like P2S (with defined apps and limited staff) or something else from on-premises to Azure. A new solution can be checked too, known as Azure WAN.

It totally depends on your budget and the solution suitable to your organization.

Santosh Singh


Monday, April 29, 2019 10:48 AM

Hello Santosh 

Thanks for your input

But the situation is that I have 2 different ISPs configured on my on-premises device, but only one is configured for the S2S VPN with Azure.

I want to bring the second one into that configuration.

PS: I have the same configuration with another site; the only difference is that both sites have the same device.


Tuesday, April 30, 2019 6:11 PM

Hi,

I don't believe this can be done in Azure. You only have the option to add 1 IP to the gateway. If the primary ISP at the on-premises site goes down, then you would have to manually change the IP address on the Azure Local Network Gateway to the new IP.

This can be edited, but it would be a manual change if the primary ISP link went down.

Thanks,

Matt


Wednesday, May 8, 2019 2:54 PM

Hey, 

First off, I would like to answer your questions. Secondly, I will describe how you can set this up.

**1: Is there a possibility to have an Active Passive Setup with a S2S VPN in Azure?** -- Yes, this is possible with an Active-Active VPN gateway.

**2: Is it possible to Modify the Azure Gateway present and just add the Second Public IP? Will it Work? Does that assure redundancy?** -- Yes.

**3: Is there a guide where I can read to achieve this? Somewhere I read that there is BGP involved in this Configuration, is it true?** -- You can refer to the article if the explanation below is not clear.

So, as per my understanding, you would like to have two redundant tunnels to Azure from two different ISP providers connecting to the same on-premises network. This can be achieved by configuring BGP over IPsec tunnels between the Azure VPN gateway and your on-premises gateway. Below are the steps to be followed.

On Azure,

1. Create a virtual network with a different address space than your on-premises one

2. Create a GatewaySubnet in a virtual network created in step 1

3. Create an Active-Active VPN gateway on Azure. If you already have a VPN gateway, check for two public IPs in overview section of VPN gateway. If you see only 1 Public IP, change the gateway to active-active from configuration section.

4. Execute the PS commands below to get the BGP peer IPs and ASN of the Azure gateway.

```powershell
# Fill in the gateway name and resource group of the existing VPN gateway
$vnet1gw = Get-AzVirtualNetworkGateway -Name "" -ResourceGroupName ""

# Prints the ASN and the BGP peering address(es); an active-active gateway shows two peer IPs
$vnet1gw.BgpSettingsText
```

5. Get the ASN and BGP peer IP from both ISP providers and use this information while creating the Local Network Gateways. A sample LNG would be as below:

Name: LNG 1 || Public IP: 1.1.1.1 || BGP Peer IP: 10.10.10.10 || Address Space: 10.10.10.10/32

Similarly, create another LNG pointing to the other ISP. Make sure you enable BGP on the Local Network Gateway.

6. Create 2 connection objects using the 2 different LNGs. Please don't forget to enable BGP on the connection.

On-prem side,

  1. Use the Azure gateway ASN and BGP peer IP at your on-premises firewalls to configure the tunnels to Azure.
  2. As the traffic would be from the same on-premises site reaching the same Azure VNet, this might cause asymmetric routing. To avoid this, you can define weight on the firewall or leverage LPM.

Hope this helps
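The Azure-side part of the procedure above (steps 4 to 6: read the gateway's BGP settings, create one BGP-enabled Local Network Gateway per ISP, create one BGP-enabled connection per LNG, then check that both tunnels and both BGP peers are up), written out as an added PowerShell example that is not from the thread. The resource group, region, gateway name, on-premises ASN, ISP public IPs (RFC 5737 documentation ranges) and BGP peer IPs are all assumed placeholders; it expects an existing active-active VPN gateway and the Az.Network module.

```powershell
# Added example, not from the thread. All names, IPs and ASNs are assumed placeholders.
$rg       = "rg-hub"        # resource group holding the VPN gateway (assumed)
$location = "westeurope"    # region of the gateway (assumed)
$gwName   = "vng-hub"       # existing active-active VPN gateway (assumed)

# Step 4: read the Azure-side ASN and BGP peer IPs (two peer IPs on an active-active gateway);
# the on-premises firewalls need these values for their BGP neighbor config.
$vng = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
$vng.BgpSettings.Asn
$vng.BgpSettings.BgpPeeringAddress

# Step 5: one Local Network Gateway per ISP public IP. Same on-prem ASN for both,
# but each LNG needs its own BGP peer IP. Constructed values.
$onPremAsn = 65010
$isps = @(
    @{ Name = "lng-isp1"; PublicIp = "203.0.113.10";  PeerIp = "10.10.10.10" },
    @{ Name = "lng-isp2"; PublicIp = "198.51.100.20"; PeerIp = "10.10.10.11" }
)

foreach ($isp in $isps) {
    # Address space is only the BGP peer /32, as in the thread's sample LNG;
    # the on-prem prefixes are learned over BGP instead of being listed statically.
    $lng = New-AzLocalNetworkGateway -Name $isp.Name -ResourceGroupName $rg `
        -Location $location -GatewayIpAddress $isp.PublicIp `
        -AddressPrefix "$($isp.PeerIp)/32" -Asn $onPremAsn `
        -BgpPeeringAddress $isp.PeerIp

    # Step 6: one IPsec connection per LNG with BGP enabled. The pre-shared key is
    # prompted for at run time so it is not stored in the script; use a distinct key per tunnel.
    $psk = Read-Host -Prompt "Pre-shared key for $($isp.Name)"
    New-AzVirtualNetworkGatewayConnection -Name "cn-$($isp.Name)" -ResourceGroupName $rg `
        -Location $location -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
        -ConnectionType IPsec -SharedKey $psk -EnableBgp $true | Out-Null
}

# Verification: both connections should report Connected, and both BGP neighbors
# should be in the Connected state and have received routes from on-premises.
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Where-Object Name -like "cn-lng-isp*" |
    Select-Object Name, ConnectionStatus, EnableBgp

Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName $gwName -ResourceGroupName $rg |
    Select-Object Neighbor, Asn, State, RoutesReceived
```

If a neighbor stays out of the Connected state, the usual causes are a mismatched ASN or peer IP on the firewall side, or the peer IP not being reachable inside the tunnel; re-run the peer status query after each ISP link failover to confirm the remaining tunnel still carries routes.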