Azure Highly Available Site to Site(S2S) VPN Using BGP

While setting up VPN tunnels, we need resilience and high availability of the solution if the VPN tunnel fails. The way we achieve high availability is using redundant tunnels. 

Most of the networks today follow Hub and Spoke model which means a network is most likely consists of multiple Azure VNets peered together. The network address space is propagated when VNets are peered. For Onprem network to discover Azure network space across all peered VNets and to automatically failover to redundant VPN tunnel, BGP protocol is used

Following is the microsoft document that explains different strategies for highly available VPN Gateways. 

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

From the document above I am going to cover redundant tunnels using BGP explained in the section  "Multiple on-premises VPN devices"

To establish highly available redundant tunnels, Azure VPN Gateway automatically comes with Active and Standby mode, which means we don't need 2 gateway endpoints on Azure side. If the active tunnel fails, it would automatically failover to same public ip and BGP ip for Standby. 

This however means, we need to have 2 VPN connections on Onprem side with unique Public IPs. 

I will give you an example here to show how to set this up.

 

Virtual Network Gateway

When creating new virtual network gateway, I have highlighted the red boxes that needs to be set apart from other network related selection you would do. 

When the resource is deployed, this sets up Azure side of gateway and assign a public IP for the Azure gateway and a private BGP IP. You cannot change these values. ASN can be changed if desired.

Local Network Gateway

Local network gateway is the onprem side of gateway. This is still an Azure resource but this is needed to represent the customer/onprem gateway as this will contain the configurations of onprem side of things. 

Remember we need 2 tunnels from Onprem for high availability, therefore, we need 2 separate Local Network Gateways, each having a connection to Onprem VPN device. 

I will only show one tunnel setup, you can create another Local Network Gateway(LNG) and a connection for 2nd VPN Onprem and that will complete your redundant Onprem tunnels with auto failover.

When creating local network gateway resource, the IP address is needed to be filled with Onprem VPN public IP address.

BGP setup with Onprem ASN and BGP private IP address 

After LNG is setup, you can change configuration from the settings

The screenshot shows text boxes with Onprem Public IP, ASN and BGP IP. These are the Onprem/Customer gateway values. 

Address Space text box can stay empty as we are using BGP, which learns the address space for Onprem automatically. I will show you screenshot with learned routes that are advertised from Onprem.

Create new connection by selecting the LNG created in above step and then add a connection to it.

After connection is setup, you can change its configuration. 

Tip: if the connection is not being established with Onprem, check the IPsec / IKE Policy and your Onprem VPN device may require different Encryption that can be configured using Custom policy.

Advertised and Learned Routes

If your connection is established properly, you can go to BGP Peers under monitoring of the virtual network gateway to see if your gateway is properly leaning and advertising the BGP routes. 

Learned Routes:

Advertised Routes

At this point if you can see advertised routes and learned routes in above screenshots and status connected and some numbers in message sent and received columns as shown below then congratulations you have successfully setup BGP VPN connection from Azure to Onprem.