Create an Ultra High Available on-prem Azure VPN Connection
Create an Ultra High Available on-prem <-> Azure VPN Connection
At this post we will see how to make a high available connection between our on-premises network and Azure. This way we will have an Active-Active Dual-Redundancy VPN Connection.
The idea behind this is that we have a router/firewall cluster,connected with two ISPs and we want to also have a VPN connection with Azure using both ISPs actively. I call this an end-to-end high available connectivity between our on-premises infrastructure and Azure. Actually the active-active dual redundant connections needs to have two different on-premises VPN devices, but we can accomplish almost the same functionality with one device and two different interfaces with two different ISPs.
The requirement for this topology, except the router/firewall cluster and the two ISPs is that the Azure VPN Gateway must be Standard or HighPerformance SKU. The Basic SKU does not support Active-Active mode.
As you can see at the above diagram, the Active-Active VPN Gateway created two Active VPN Nodes. The connection of each node to each on-premises network interface in a mesh topology. All network traffic is distributed through all the connections. In order to accomplish this connectivity we need to also enable BGP to both on-premises device and Azure VPN Gateway with different ASN. Lets lab it:
Create a Virtual Network Gateway, VPN, Route Based and SKU VpnGw1 or larger
Enable active-active mode, this will create two nodes, and give the names of the two Public IPs.
Check the Configure BGB ASN and change the default ASN, I used 65510
wait a lot… more than the typical 45 minutes, a lot more…
When the gateway is created you will see that the public ip address is called “First public IP address”. If you click the “see more” link you will see the second IP too.
You can see both IP form the Properties page too.
Second we need to create two Local network Gateways, to represent the two interfaces of our on-premises device. Both must be created with the same ASN. This ASM must be different than the Gateways’ and this ASN must be configured at the configuration of the local devices VPN connection.
Now, create the connection
And remember to enable BGP at the Connection’s Configuration
As soon as the local device is configured both connections became connected.
From powershell we can see both local IPs of the two nodes of the Azure VPN Gateway,
Test and Troubleshooting
Currently the only way to see the connections between the Azure Gateway Nodes and the local devices interfaces is the below powershell command
Get-AzureRmVirtualNetworkGatewayBGpPeerStatus -VirtualNetworkGatewayName “gatewayname” -ResourceGroup “resourcegroupname”
Every time you run this command you get answer from one of the two nodes at random. At the above screenshot, first is one node and second is the other.
The first node’s peer, 192.168.xx.9 shows that is connected to the 10.xx.xx.2 local network’s peer and connecting at the second peer 10.xx.xx.1
The second node’s peer, 192.168.xx.8 shows that is connected to the 10.xx.xx.1 local network’s peer and connecting at the second peer 10.xx.xx.2
The test I performed was to unplug one interface from the local device. The azure gateway’s first node State was both Connecting and the second node was the same, connecting to .2 and connected to .1. At this test I did lost a single ping.
After that I plugged the cable back, waited less than a minute and unplugged the second cable. Now the first node shows still disconnected but the first node connected to the .2 local IP and connecting to .1. With this test I lost only one ping. Also I realized that it is random which node’s private IP will connect with the local device’s private IP. Both Azure Gateway’s IPs 192.168.x.8 & 9 can connect with the local device’s IP 10.x.x.1 & 2 and this is the magic of the Active-Active Dual Redundancy VPN connection.