I'm trying to set up a VPN connection from our Azure environment to our vendor's data center using a VPN gateway featuring active-active tunnels. The vendor wants to use static routing, sending all traffic through just one tunnel while keeping the other as a backup, even though both tunnels are technically active. On the Azure side, both VPN connections will have local network gateways set up with identical routes to our on-premises network. Is it feasible to manage this without BGP? Additionally, how will Azure determine which tunnel is designated as the primary?
5 Answers
You might want to look into Azure functions or consider deploying a Network Virtual Appliance (NVA) to aid in managing your VPN setup.
Using BGP would be the best way to manage this because it allows setting route metrics or weights. Azure tends to handle tunnels equally in active-active without BGP, which can complicate choosing a primary tunnel. If you're using VNS3 Lite from the marketplace, you can configure BGP with metrics to ensure one connection is primary until it fails.
Isn't ECMP (Equal-Cost Multi-Path routing) going to affect your setup? Both tunnels being active means Azure may split traffic across them unless you configure something differently.
Just a heads-up, Azure doesn't inherently recognize a 'primary' tunnel in active-active mode without BGP. It treats both tunnels equally, balancing the traffic. To make one tunnel work as the primary, set the primary local network gateway with more specific routes — like /24 subnets — and the backup with broader routes, like /16. Azure prioritizes longer prefixes.
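To make the longest-prefix idea in the answer above concrete, here is a small checker I added as an editor's illustration; it is not code from any of the answers or from Azure. It models the rule as stated (a destination goes to whichever local network gateway advertises the longest matching prefix; equal-length prefixes on both gateways would be load-balanced, as the ECMP answer warns) and lets you sanity-check a planned prefix layout offline before you create the connections. The gateway names and address prefixes are constructed sample values, and the script does not call Azure at all.

```python
import ipaddress
from typing import Dict, List

# Constructed example (not from the page): address prefixes that would be configured
# on each local network gateway. The "primary" carries more specific /24 routes, the
# "backup" the broad /16, so the /24s win longest-prefix match while both tunnels are up.
LOCAL_NETWORK_GATEWAYS: Dict[str, List[str]] = {
    "lng-vendor-primary": ["10.50.1.0/24", "10.50.2.0/24"],
    "lng-vendor-backup": ["10.50.0.0/16"],
}


def select_tunnels(destination: str, gateways: Dict[str, List[str]]) -> List[str]:
    """Return the gateway name(s) whose longest matching prefix covers destination.

    One name  -> deterministic choice of tunnel.
    Two names -> equal-length tie; traffic may be split across both (ECMP).
    Empty     -> no route to that destination via either tunnel.
    """
    dst = ipaddress.ip_address(destination)
    best_len = -1
    winners: List[str] = []
    for name, prefixes in gateways.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if dst not in net:
                continue
            if net.prefixlen > best_len:          # strictly longer prefix replaces all
                best_len, winners = net.prefixlen, [name]
            elif net.prefixlen == best_len and name not in winners:
                winners.append(name)             # same length on another gateway: tie
    return winners


def find_ecmp_ties(gateways: Dict[str, List[str]]) -> List[str]:
    """List prefixes configured identically on more than one gateway.

    These are the prefixes that would be balanced across both tunnels instead of
    preferring one, which is exactly what the question wants to avoid.
    """
    seen: Dict[ipaddress._BaseNetwork, set] = {}
    for name, prefixes in gateways.items():
        for prefix in prefixes:
            seen.setdefault(ipaddress.ip_network(prefix, strict=False), set()).add(name)
    return sorted(str(net) for net, names in seen.items() if len(names) > 1)


def failover_view(gateways: Dict[str, List[str]], failed: str) -> Dict[str, List[str]]:
    """Routing table that remains once one connection (gateway) is down."""
    return {name: prefixes for name, prefixes in gateways.items() if name != failed}


if __name__ == "__main__":
    for dst in ("10.50.1.25", "10.50.200.7", "192.168.9.9"):
        print(dst, "->", select_tunnels(dst, LOCAL_NETWORK_GATEWAYS))
    print("ties:", find_ecmp_ties(LOCAL_NETWORK_GATEWAYS))
    after_failure = failover_view(LOCAL_NETWORK_GATEWAYS, "lng-vendor-primary")
    print("10.50.1.25 after primary failure ->", select_tunnels("10.50.1.25", after_failure))
```

Two things the run makes visible that the one-line rule does not: a destination that only falls inside the backup's /16 (10.50.200.7 in the sample) is sent over the backup tunnel even while the primary is healthy, so every vendor subnet you care about needs its own /24 on the primary gateway; and any prefix listed with the same length on both gateways shows up in `find_ecmp_ties`, which is the configuration that produces split traffic.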
You should definitely check with your vendor on how they plan to choose which VPN link to use for outgoing and incoming traffic. Otherwise, you risk asymmetric routing, which can lead to data loss. Once you get that info, if you could share it here, that would be great!