Jump to content

- - - - -

Create an Ultra High Available on-prem Azure VPN Connection

  Posted by Pantelis Apostolidis , in Azure 22 October 2018 · 59 views

Create an Ultra High Available on-prem <-> Azure VPN Connection
At this post we will see how to make a high available connection between our on-premises network and Azure. This way we will have an Active-Active Dual-Redundancy VPN Connection.

The idea behind this is that we have a router/firewall cluster,connected with two ISPs and we want to also have a VPN connection with Azure using both ISPs actively. I call this an end-to-end high available connectivity between our on-premises infrastructure and Azure. Actually the active-active dual redundant connections needs to have two different on-premises VPN devices, but we can accomplish almost the same functionality with one device and two different interfaces with two different ISPs.

Posted Image

The requirement for this topology, except the router/firewall cluster and the two ISPs is that the Azure VPN Gateway must be Standard or HighPerformance SKU. The Basic SKU does not support Active-Active mode.

As you can see at the above diagram, the Active-Active VPN Gateway created two Active VPN Nodes. The connection of each node to each on-premises network interface in a mesh topology. All network traffic is distributed through all the connections. In order to accomplish this connectivity we need to also enable BGP to both on-premises device and Azure VPN Gateway with different ASN.
Lets lab it:
Create a Virtual Network Gateway, VPN, Route Based and SKU VpnGw1 or larger

Enable active-active mode, this will create two nodes, and give the names of the two Public IPs.

Check the Configure BGB ASN and change the default ASN, I used 65510

wait a lot… more than the typical 45 minutes, a lot more…

Posted Image

When the gateway is created you will see that the public ip address is called “First public IP address”. If you click the “see more” link you will see the second IP too.

Posted Image

You can see both IP form the Properties page too.

Posted Image

Second we need to create two Local network Gateways, to represent the two interfaces of our on-premises device. Both must be created with the same ASN. This ASM must be different than the Gateways’ and this ASN must be configured at the configuration of the local devices VPN connection.

Posted Image]

Now, create the connection

Posted Image

And remember to enable BGP at the Connection’s Configuration

Posted Image

As soon as the local device is configured both connections became connected.

Posted Image

From powershell we can see both local IPs of the two nodes of the Azure VPN Gateway,

Posted Image
Test and Troubleshooting
Currently the only way to see the connections between the Azure Gateway Nodes and the local devices interfaces is the below powershell command

Get-AzureRmVirtualNetworkGatewayBGpPeerStatus -VirtualNetworkGatewayName “gatewayname” -ResourceGroup “resourcegroupname”

Posted Image

Every time you run this command you get answer from one of the two nodes at random. At the above screenshot, first is one node and second is the other.

The first node’s peer, 192.168.xx.9 shows that is connected to the 10.xx.xx.2 local network’s peer and connecting at the second peer 10.xx.xx.1

The second node’s peer, 192.168.xx.8 shows that is connected to the 10.xx.xx.1 local network’s peer and connecting at the second peer 10.xx.xx.2


The test I performed was to unplug one interface from the local device. The azure gateway’s first node State was both Connecting and the second node was the same, connecting to .2 and connected to .1. At this test I did lost a single ping.

After that I plugged the cable back, waited less than a minute and unplugged the second cable. Now the first node shows still disconnected but the first node connected to the .2 local IP and connecting to .1. With this test I lost only one ping. Also I realized that it is random which node’s private IP will connect with the local device’s private IP. Both Azure Gateway’s IPs 192.168.x.8 & 9 can connect with the local device’s IP 10.x.x.1 & 2 and this is the magic of the Active-Active Dual Redundancy VPN connection.