VPN over ExpressRoute / VPN S2S / BGP

Elias Shuiti Yasuda 1 Reputation point
2022-01-11T12:02:05.557+00:00

Hi everyone, I need help setting up VPN over ExpressRoute as the primary solution and S2S VPN over the Internet as a backup solution in the same Virtual Network Gateway.

I have the following scenario:

  1. Configure ExpressRoute - Success
  2. VPN over ExpressRoute with BGP (Private IP Address) - Success
  3. S2S VPN over Internet (Public IP Address) - Fail

I know that for this solution to work we need to configure BGP on both VPNs. But in the default configuration, Azure provides only one BGP peer IP address. When I enable Active-Active mode, I can't reach the VNET, but VPN over ExpressRoute stays up, and I didn't complete the setup.

In this scenario, i have two questions:

  1. Do I need to complete the setup to have a fully functional environment?
  2. Do I need to enable Active-Active mode, or do I have another option to configure that?

Thanks.

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.

4 answers

  1. SaiKishor-MSFT 17,216 Reputation points
    2022-01-12T09:32:08.733+00:00

    @Elias Shuiti Yasuda Thank you for reaching out to Microsoft Q&A. I understand that you are having issues with setting up Azure S2S VPN in active-active mode with one VPN over ER and another one over a Public IP.

    Active-Active VPN Gateways have 2 VPN Gateways provided by Azure where both instances of the gateway VMs will establish S2S VPN tunnels to your on-premises VPN device. The setup you are looking for, i.e., one VPN over ER connection and the other one over Public IP, is an active-standby connection where, if the VPN over ER goes down, it can then traverse the VPN over the Internet. For this setup, you do not need to enable active-active mode.

    To achieve this setup, since you already have the VPN over Express Route connection established, go ahead and set up the VPN over Public IP (as mentioned earlier, do not enable active-active mode). Once both the VPNs are up, advertise the same routes using BGP on both the VPNs. Azure will always prefer the VPN over Express Route first to route traffic to on-premises. To avoid asymmetric routing, please make sure the traffic from on-premises to Azure also prefers the S2S VPN over ER. If the VPN over ER is down, then traffic will automatically traverse the S2S VPN over Internet and will go back to the ER VPN once it is back up. Hope this helps.

    Please let us know if you have any further questions and we will be glad to assist you further. Thank you!


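The asymmetric-routing caveat in the answer above is easy to get wrong on the on-premises side: the Azure gateway will send traffic down the VPN-over-ExpressRoute tunnel, but if the on-premises router learns the VNet prefix with identical attributes over both BGP sessions, its tie-break may pick the Internet tunnel for the return path. The following is an added example, not code from the thread or from Microsoft: a small model of the on-premises BGP decision process showing the tie-break problem, the inbound LOCAL_PREF policy that fixes it, and the failover/failback when the ExpressRoute session drops. The ASN 65515 is the default Azure VPN gateway ASN; the VNet prefix, the APIPA peer addresses and the session names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Session names are constructed labels for the two tunnels in the thread.
ER_VPN = "vpn-over-expressroute"   # primary: private-IP tunnel riding ExpressRoute
INET_VPN = "vpn-over-internet"     # backup: public-IP tunnel over the Internet


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    session: str              # BGP session (tunnel) the route was learned over
    peer_ip: IPv4Address      # Azure-side BGP peer address for that session
    as_path: Tuple[int, ...]
    local_pref: int = 100
    med: int = 0


def best_path(candidates: List[Route]) -> Optional[Route]:
    """Subset of the BGP decision process (RFC 4271 9.1.2.2): highest LOCAL_PREF,
    then shortest AS_PATH, then lowest MED, then lowest peer address as the
    final deterministic tie-break. Enough to show why identical attributes
    make the outcome depend on addressing rather than on design intent."""
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path), r.med, r.peer_ip))


class OnPremRib:
    """Adj-RIB-In per session plus best-path selection per prefix."""

    def __init__(self, inbound_local_pref: Optional[Dict[str, int]] = None):
        # Inbound route-map: LOCAL_PREF to apply per session (empty = no policy).
        self.inbound_local_pref = inbound_local_pref or {}
        self.learned: Dict[str, List[Route]] = {}

    def receive(self, route: Route) -> None:
        lp = self.inbound_local_pref.get(route.session, route.local_pref)
        route = Route(route.prefix, route.session, route.peer_ip, route.as_path, lp, route.med)
        self.learned.setdefault(route.session, []).append(route)

    def session_down(self, session: str) -> None:
        # Loss of the tunnel/BGP session withdraws everything learned over it.
        self.learned.pop(session, None)

    def best(self, prefix: IPv4Network) -> Optional[Route]:
        cands = [r for rs in self.learned.values() for r in rs if r.prefix == prefix]
        return best_path(cands)


def azure_egress_session(sessions_up: List[str]) -> Optional[str]:
    """Models the Azure-side behaviour stated in the answer: the gateway uses the
    VPN over ExpressRoute while it is up and falls back to the Internet tunnel."""
    if ER_VPN in sessions_up:
        return ER_VPN
    return INET_VPN if INET_VPN in sessions_up else None


def is_symmetric(rib: OnPremRib, prefix: IPv4Network) -> bool:
    """True when on-prem returns traffic over the same tunnel Azure sends on."""
    chosen = rib.best(prefix)
    return chosen is not None and chosen.session == azure_egress_session(list(rib.learned))


# Constructed scenario values (not from the thread).
AZURE_ASN = 65515                     # default ASN of an Azure VPN gateway
VNET = ip_network("10.1.0.0/16")      # constructed VNet address space
ER_PEER = ip_address("169.254.22.1")  # constructed APIPA peer for the ER session
INET_PEER = ip_address("169.254.21.1")  # constructed APIPA peer for the Internet session


def advertise_vnet(rib: OnPremRib) -> None:
    """Azure advertises the same VNet prefix over both sessions, as the answer says."""
    rib.receive(Route(VNET, ER_VPN, ER_PEER, (AZURE_ASN,)))
    rib.receive(Route(VNET, INET_VPN, INET_PEER, (AZURE_ASN,)))


def demo_without_policy() -> str:
    """No inbound policy: attributes tie, the lower peer address wins, and here
    that is the Internet tunnel, so the return path is asymmetric."""
    rib = OnPremRib()
    advertise_vnet(rib)
    return rib.best(VNET).session


def demo_with_policy() -> Tuple[str, str, str]:
    """LOCAL_PREF 200 on the ER session makes on-prem prefer it deterministically;
    dropping that session fails over to the Internet tunnel; restoring it fails back."""
    rib = OnPremRib(inbound_local_pref={ER_VPN: 200, INET_VPN: 100})
    advertise_vnet(rib)
    primary = rib.best(VNET).session
    rib.session_down(ER_VPN)
    failover = rib.best(VNET).session
    rib.receive(Route(VNET, ER_VPN, ER_PEER, (AZURE_ASN,)))
    failback = rib.best(VNET).session
    return primary, failover, failback


if __name__ == "__main__":
    print("no policy   ->", demo_without_policy())
    print("with policy ->", demo_with_policy())
```

On a real firewall the equivalent of `inbound_local_pref` is an inbound route-map (or the vendor's BGP neighbor weight/local-preference knob) applied to the ExpressRoute-side neighbor; AS-path prepending on the Internet-side neighbor achieves the same ordering if LOCAL_PREF is not available.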

  2. Elias Shuiti Yasuda 1 Reputation point
    2022-01-12T11:19:24.917+00:00

    @SaiKishor-MSFT Thanks for the answer. In active-standby mode, I need to configure the firewall side pointing to the same BGP peer IP address on both VPNs. Am I correct?

    I need to understand this because I need to explain it to the guy responsible for the firewall configuration.


  3. SaiKishor-MSFT 17,216 Reputation points
    2022-01-12T16:11:47.627+00:00

    @Elias Shuiti Yasuda You cannot use the same BGP peering IP for both VPNs. You would use different peering IPs and different gateway IPs for both these VPNs otherwise there will be routing issues. Hope this helps.

    Please let us know if you have any further questions and we will be glad to assist you further. Thank you!


  4. Elias Shuiti Yasuda 1 Reputation point
    2022-01-12T17:31:07.017+00:00

    @SaiKishor-MSFT Ok, but a Virtual Network Gateway provides one Private BGP peer IP address and one Custom Azure APIPA BGP IP address. I configured BGP over VPN ExpressRoute pointing to the Custom Azure APIPA BGP IP address on the on-premises firewall. How can I configure BGP over VPN Public IP? What IP can I configure on the on-premises firewall to enable BGP over VPN Public IP? Is there any way to get another BGP Peer IP Address without enabling active-active mode?
    I know about the possibility of using a network virtual appliance (NVA). In this case, are we able to configure this without a network virtual appliance (NVA) or not?