This article walks you through the steps to create active-active cross-premises and virtual network-to-virtual network (VNet-to-VNet) connections using the Resource Manager deployment model and PowerShell. You can also configure an active-active gateway in the Azure portal.
About connections between highly available locations
To achieve high availability for cross-premises and VNet-to-VNet connectivity, you must deploy multiple VPN gateways and establish multiple parallel connections between your networks and Azure. See High availability between premises and virtual network-to-virtual network connectivity for an overview of connectivity and topology options.
This article provides instructions for configuring an active-active VPN connection between premises and an active-active connection between two virtual networks.
- Part 1: Create and configure your Azure VPN gateway in active-active mode
- Part 2: Establish active-active cross-premises connections
- Part 3: Establish active-active VNet-to-VNet connections
If you already have a VPN gateway, you can:
- Upgrade an existing VPN gateway from active-standby to active-active or vice versa
You can combine them to create a more complex and highly available network topology that meets your needs.
Important
Active-Active mode is available for all SKUs except Basic.
Part 1: Create and configure active-active VPN gateways
The following steps configure your Azure VPN gateway in active-active mode. The main differences between active-active and active-standby gateways are:
- You must create two gateway IP configurations with two public IP addresses
- You must set the EnableActiveActiveFeature flag
- The gateway SKU must be VpnGw1, VpnGw2, VpnGw3, or HighPerformance (legacy SKU).
The other properties are the same as for active-standby gateways.
Before you start
- Make sure you have an Azure subscription. If you don't already have one, you can activate your MSDN subscriber benefits or sign up for a free account.
- You'll need to install the Azure Resource Manager PowerShell cmdlets if you don't want to use Cloud Shell in your browser. See Introduction to Azure PowerShell for more information on how to install the PowerShell cmdlets.
Step 1 – Create and configure VNet1
1. Declare your variables
For this exercise, we start by declaring our variables. If you use Cloud Shell "Try It", you are automatically signed in to your account. If you're using PowerShell locally, use the following example to connect:
Connect-AzAccount
Select-AzSubscription -SubscriptionName $Sub1
The following example declares variables using the values from this exercise. Be sure to replace the values with your own when configuring for production. You can use these variables if you are following the steps to become familiar with this type of configuration. Modify the variables and copy and paste into the PowerShell console.
$Sub1 = "Ross"
$RG1 = "TestAARG1"
$Location1 = "West US"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$VNet1ASN = 65010
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GW1IPName1 = "VNet1GWIP1"
$GW1IPName2 = "VNet1GWIP2"
$GW1IPconf1 = "gw1ipconf1"
$GW1IPconf2 = "gw1ipconf2"
$Connection12 = "VNet1toVNet2"
$Connection151 = "VNet1toSite5_1"
$Connection152 = "VNet1toSite5_2"
2. Create a new resource group
Use the following example to create a new resource group:
New-AzResourceGroup -Name $RG1 -Location $Location1
3. Create TestVNet1
The following example creates a virtual network named TestVNet1 and three subnets, one named GatewaySubnet, one named FrontEnd, and one named Backend. When substituting values, it is important that you always give the gateway subnet a specific name such as GatewaySubnet. If you give it another name, the gateway creation will fail.
$fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1
$besub1 = New-AzVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
$gwsub1 = New-AzVirtualNetworkSubnetConfig -Name $GWSubName1 -AddressPrefix $GWSubPrefix1
New-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1 -Location $Location1 -AddressPrefix $VNetPrefix11,$VNetPrefix12 -Subnet $fesub1,$besub1,$gwsub1
Step 2: Create a VPN gateway for TestVNet1 with active-active mode
1. Create public IP addresses and gateway IP configurations
Request two public IP addresses to be allocated to the gateway you will create for your VNet. The same step also defines the gateway subnet and the two IP configurations the gateway needs.
$gw1pip1 = New-AzPublicIpAddress -Name $GW1IPName1 -ResourceGroupName $RG1 -Location $Location1 -AllocationMethod Dynamic
$gw1pip2 = New-AzPublicIpAddress -Name $GW1IPName2 -ResourceGroupName $RG1 -Location $Location1 -AllocationMethod Dynamic
$vnet1 = Get-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1
$subnet1 = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet1
$gw1ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name $GW1IPconf1 -Subnet $subnet1 -PublicIpAddress $gw1pip1
$gw1ipconf2 = New-AzVirtualNetworkGatewayIpConfig -Name $GW1IPconf2 -Subnet $subnet1 -PublicIpAddress $gw1pip2
2. Create VPN gateway with active-active configuration
Create the virtual network gateway for TestVNet1. Notice that there are two GatewayIpConfig entries and the EnableActiveActiveFeature flag is set. Creating a gateway can take a while (45 minutes or more to complete depending on the SKU selected).
New-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1 -Location $Location1 -IpConfigurations $gw1ipconf1,$gw1ipconf2 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 -Asn $VNet1ASN -EnableActiveActiveFeature -Debug
3. Obtain the public IP address of the gateway and the IP address of the BGP peer
Once the gateway is created, you need to get the IP address of the BGP peer on the Azure VPN gateway. This address is required to configure Azure VPN Gateway as a BGP peer for your on-premises VPN devices.
$gw1pip1 = Get-AzPublicIpAddress -Name $GW1IPName1 -ResourceGroupName $RG1
$gw1pip2 = Get-AzPublicIpAddress -Name $GW1IPName2 -ResourceGroupName $RG1
$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
Use the following cmdlets to display the two public IP addresses assigned to your VPN gateway and their corresponding BGP peer IP addresses for each gateway instance:
PS D:\> $gw1pip1.IpAddress
40.112.190.5
PS D:\> $gw1pip2.IpAddress
138.91.156.129
PS D:\> $vnet1gw.BgpSettingsText
{
  "Asn": 65010,
  "BgpPeeringAddress": "10.12.255.4,10.12.255.5",
  "PeerWeight": 0
}
The order of the public IP addresses of the gateway instances and the order of the corresponding BGP peering addresses are the same. In this example, the gateway VM with public IP 40.112.190.5 uses 10.12.255.4 as its BGP peering address, and the gateway VM with 138.91.156.129 uses 10.12.255.5. You need this information when you configure the on-premises VPN devices that connect to the active-active gateway. The gateway is shown in the following diagram with all addresses:
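The pairing rule just described (first public IP goes with the first BGP peering address, and so on) is easy to get wrong when copying values into a VPN device. The following added example, which is not part of the original article, reads the gateway object and the two public IP objects from the previous step and produces one row per gateway instance with its public IP, BGP peer address, ASN and the host route the on-premises device needs. The function name and output shape are ours; the `ActiveActive`, `BgpSettings.Asn` and `BgpSettings.BgpPeeringAddress` properties are those exposed by Az.Network on the gateway object.

```powershell
# Added example (not part of the original article). Assumes $vnet1gw, $gw1pip1 and
# $gw1pip2 were retrieved as in step 3 above; the function and its output are ours.
function Get-ActiveActivePeeringMap {
    param(
        # Gateway object returned by Get-AzVirtualNetworkGateway
        [Parameter(Mandatory)] $Gateway,
        # Public IPs in the same order as the gateway IP configurations
        [Parameter(Mandatory)] [string[]] $PublicIpAddresses
    )

    if (-not $Gateway.ActiveActive) {
        throw "Gateway '$($Gateway.Name)' is not in active-active mode."
    }

    # BgpPeeringAddress is one comma-separated string, one entry per instance,
    # in the same order as the public IP addresses.
    $peers = $Gateway.BgpSettings.BgpPeeringAddress -split ',' | ForEach-Object { $_.Trim() }

    if (@($peers).Count -ne $PublicIpAddresses.Count) {
        throw "Expected $($PublicIpAddresses.Count) BGP peering addresses, found $(@($peers).Count)."
    }

    for ($i = 0; $i -lt @($peers).Count; $i++) {
        [pscustomobject]@{
            Instance    = $i + 1
            PublicIp    = $PublicIpAddresses[$i]
            BgpPeerIp   = $peers[$i]
            Asn         = $Gateway.BgpSettings.Asn
            # The on-premises device needs a /32 route to each peer via that instance's tunnel
            StaticRoute = "$($peers[$i])/32 via tunnel to $($PublicIpAddresses[$i])"
        }
    }
}

$map = Get-ActiveActivePeeringMap -Gateway $vnet1gw -PublicIpAddresses @($gw1pip1.IpAddress, $gw1pip2.IpAddress)
$map | Format-Table -AutoSize
```

The rows are exactly the "Azure VNet BGP IP" and "Static Routes" entries you will enter on the on-premises VPN devices in Part 2, so generating them from the live gateway object avoids transcription mistakes that would leave one of the two tunnels without a BGP session.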
Once the gateway is created, you can use it to establish an active-active cross-premises connection or a VNet-to-VNet connection. The following sections walk through the steps to complete the exercise.
Part 2: Establish an active-active cross-premises connection
To establish a cross-premises connection, you must create an on-premises network gateway to represent your on-premises VPN device and a connection to connect the Azure VPN gateway to the on-premises network gateway. In this example, the Azure VPN gateway is in active-active mode. As a result, even if there is only one on-premises VPN device (local network gateway) and connection resource, both Azure VPN gateway instances will establish S2S VPN tunnels with the on-premises device.
Before continuing, make sure you have completed Part 1 of this exercise.
Step 1: Create and configure the local network gateway
1. Declare your variables
This exercise will continue to build the configuration shown in the diagram. Be sure to replace the values with whatever you want to use for your configuration.
$RG5 = "TestAARG5"
$Location5 = "West US"
$LNGName51 = "Site5_1"
$LNGPrefix51 = "10.52.255.253/32"
$LNGIP51 = "131.107.72.22"
$LNGASN5 = 65050
$BGPPeerIP51 = "10.52.255.253"
A few things to keep in mind regarding the local network gateway parameters:
- The local network gateway can be in the same or a different location and resource group as the VPN gateway. This example shows them in different resource groups but in the same Azure location.
- If there is only one on-premises VPN device, as shown above, the active-active connection can work with or without BGP. This example uses BGP for the cross-premises connection.
- If BGP is enabled, the prefix you must declare for the local network gateway is the host address of your BGP peer's IP address on your VPN device. In this case, it is a /32 prefix of "10.52.255.253/32".
- As a reminder, you should use different BGP ASNs between your on-premises networks and the Azure virtual network. If they are the same, you will need to change your VNet ASN if your on-premises VPN device already uses the ASN to peer with other BGP neighbors.
2. Create the local network gateway for Site5
Before you continue, make sure you're still connected to Subscription 1. Create the resource group if it's not already created.
New-AzResourceGroup -Name $RG5 -Location $Location5
New-AzLocalNetworkGateway -Name $LNGName51 -ResourceGroupName $RG5 -Location $Location5 -GatewayIpAddress $LNGIP51 -AddressPrefix $LNGPrefix51 -Asn $LNGASN5 -BgpPeeringAddress $BGPPeerIP51
Step 2: Connect the virtual network gateway and the local network gateway
1. Get both gateways
$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$lng5gw1 = Get-AzLocalNetworkGateway -Name $LNGName51 -ResourceGroupName $RG5
2. Create the TestVNet1 connection to Site5
In this step, you create the connection from TestVNet1 to Site5_1 with "EnableBGP" set to $True.
New-AzVirtualNetworkGatewayConnection -Name $Connection151 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng5gw1 -Location $Location1 -ConnectionType IPsec -SharedKey 'AzureA1b2C3' -EnableBGP $True
3. VPN and BGP parameters for your on-premises VPN device
The following list shows the parameters you enter in the BGP configuration section of your on-premises VPN device for this exercise:
- Site5 ASN: 65050
- Site5 BGP IP: 10.52.255.253
- Prefixes to advertise: (for example) 10.51.0.0/16 and 10.52.0.0/16
- Azure VNet ASN: 65010
- Azure VNet BGP IP 1: 10.12.255.4 over the tunnel to 40.112.190.5
- Azure VNet BGP IP 2: 10.12.255.5 over the tunnel to 138.91.156.129
- Static routes: destination 10.12.255.4/32, next hop the VPN tunnel interface to 40.112.190.5; destination 10.12.255.5/32, next hop the VPN tunnel interface to 138.91.156.129
- eBGP multihop: make sure the eBGP "multihop" option is enabled on your device if necessary
The connection should be established after a few minutes, and the BGP peering session starts once the IPsec connection is established. So far, this example has configured only one on-premises VPN device, resulting in the diagram below:
Step 3 – Connect two on-premises VPN devices to the active-active VPN gateway
If you have two VPN devices on the same on-premises network, you can achieve dual redundancy by connecting the Azure VPN gateway to the second VPN device.
1. Create the second local network gateway for Site5
The gateway IP address, address prefix, and BGP peering address of the second local network gateway must not overlap with those of the previous local network gateway for the same on-premises network.
$LNGName52 = "Site5_2"
$LNGPrefix52 = "10.52.255.254/32"
$LNGIP52 = "131.107.72.23"
$BGPPeerIP52 = "10.52.255.254"
New-AzLocalNetworkGateway -Name $LNGName52 -ResourceGroupName $RG5 -Location $Location5 -GatewayIpAddress $LNGIP52 -AddressPrefix $LNGPrefix52 -Asn $LNGASN5 -BgpPeeringAddress $BGPPeerIP52
2. Connect the virtual network gateway and the second local network gateway
Create a connection from TestVNet1 to Site5_2 with "EnableBGP" set to $True.
$lng5gw2 = Get-AzLocalNetworkGateway -Name $LNGName52 -ResourceGroupName $RG5
New-AzVirtualNetworkGatewayConnection -Name $Connection152 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng5gw2 -Location $Location1 -ConnectionType IPsec -SharedKey 'AzureA1b2C3' -EnableBGP $True
3. VPN and BGP parameters for your second on-premises VPN device
Similarly, these are the parameters you enter on the second VPN device:
- Site5 ASN: 65050
- Site5 BGP IP: 10.52.255.254
- Prefixes to advertise: (for example) 10.51.0.0/16 and 10.52.0.0/16
- Azure VNet ASN: 65010
- Azure VNet BGP IP 1: 10.12.255.4 over the tunnel to 40.112.190.5
- Azure VNet BGP IP 2: 10.12.255.5 over the tunnel to 138.91.156.129
- Static routes: destination 10.12.255.4/32, next hop the VPN tunnel interface to 40.112.190.5; destination 10.12.255.5/32, next hop the VPN tunnel interface to 138.91.156.129
- eBGP multihop: make sure the eBGP "multihop" option is enabled on your device if necessary
Once the connections (tunnels) are established, you have dual-redundant VPN devices and tunnels connecting your on-premises network and Azure:
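Dual redundancy is only real if both Azure gateway instances hold tunnels and BGP sessions to both on-premises devices; a single missing static route or a mistyped peer address silently leaves you with one path while the portal still shows "Connected". The following added check, which is not part of the original article, confirms that every connection is connected with BGP enabled and that each local BGP peering address has an established session to each expected on-premises peer. The function name is ours; it uses the Az.Network cmdlets Get-AzVirtualNetworkGatewayConnection and Get-AzVirtualNetworkGatewayBGPPeerStatus and the variables declared in Parts 1 and 2.

```powershell
# Added example (not part of the original article). Assumes the variables from
# Parts 1 and 2 ($GWName1, $RG1, $Connection151, $Connection152, $BGPPeerIP51,
# $BGPPeerIP52) are defined in the current session.
function Test-ActiveActiveRedundancy {
    param(
        [Parameter(Mandatory)][string]   $GatewayName,
        [Parameter(Mandatory)][string]   $ResourceGroupName,
        [Parameter(Mandatory)][string[]] $ConnectionNames,
        # BGP peering addresses of the on-premises VPN devices
        [Parameter(Mandatory)][string[]] $ExpectedOnPremPeers
    )
    $healthy = $true

    # 1. Every connection resource must be up and carry BGP.
    foreach ($name in $ConnectionNames) {
        $conn = Get-AzVirtualNetworkGatewayConnection -Name $name -ResourceGroupName $ResourceGroupName
        if ($conn.ConnectionStatus -ne 'Connected') {
            Write-Warning "Connection '$name' is '$($conn.ConnectionStatus)', expected 'Connected'."
            $healthy = $false
        }
        if (-not $conn.EnableBgp) {
            Write-Warning "Connection '$name' has BGP disabled."
            $healthy = $false
        }
    }

    # 2. Each gateway instance (one local BGP address each) must have an
    #    established session to each on-premises peer: 2 x 2 = 4 sessions here.
    $gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
    $localAddrs = $gw.BgpSettings.BgpPeeringAddress -split ',' | ForEach-Object { $_.Trim() }
    $peers = Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName

    foreach ($local in $localAddrs) {
        foreach ($neighbor in $ExpectedOnPremPeers) {
            $session = $peers | Where-Object { $_.LocalAddress -eq $local -and $_.Neighbor -eq $neighbor }
            if (-not $session -or $session.State -ne 'Connected') {
                Write-Warning "No established BGP session from gateway instance $local to on-premises peer $neighbor."
                $healthy = $false
            }
        }
    }

    $peers | Format-Table LocalAddress, Neighbor, Asn, State, RoutesReceived -AutoSize
    return $healthy
}

Test-ActiveActiveRedundancy -GatewayName $GWName1 -ResourceGroupName $RG1 `
    -ConnectionNames @($Connection151, $Connection152) `
    -ExpectedOnPremPeers @($BGPPeerIP51, $BGPPeerIP52)
```

A return value of $false together with the warnings tells you which instance-to-device pair is missing, which is usually the static route on the device for that instance's /32 peering address. Running this after the initial setup, and again after any device change, turns the "it looks connected" state into a verified one.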
Part 3: Establish a virtual network-to-virtual network active-active connection
This section creates a virtual network-to-virtual network active-active connection with BGP.
The instructions below continue from the previous steps. You must complete Part 1 to create and configure TestVNet1 and its VPN gateway with BGP.
Step 1 – Create TestVNet2 and the VPN Gateway
It is important to ensure that the IP address space of the new virtual network, TestVNet2, does not overlap with any of your VNet ranges.
In this example, the virtual networks belong to the same subscription. You can also configure VNet-to-VNet connections between different subscriptions; see Configure a VNet-to-VNet connection for more details. Be sure to add "-EnableBgp $True" when creating the connections to enable BGP.
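The requirement that TestVNet2's address space must not overlap with your existing ranges is easy to check by hand for two /16 prefixes, but gets error-prone once local network gateway prefixes and several VNets are involved. The following added example, not part of the original article, is a small CIDR overlap checker written by us: it converts each prefix to a numeric start/end range and reports every proposed prefix that intersects an existing one. The inputs are the prefixes used in this article plus one constructed overlapping prefix to show a hit; the function names are ours.

```powershell
# Added example (not part of the original article): IPv4 CIDR overlap check to run
# before creating TestVNet2. Function names and the sample inputs are ours.

function ConvertTo-AddressNumber {
    param([Parameter(Mandatory)][string]$Ip)
    $parsed = [System.Net.IPAddress]::Parse($Ip)
    if ($parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "'$Ip' is not an IPv4 address"
    }
    # Fold the four octets into one integer, independent of host endianness
    $n = [long]0
    foreach ($b in $parsed.GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

function Get-CidrRange {
    param([Parameter(Mandatory)][string]$Cidr)
    $parts = $Cidr.Trim() -split '/'
    if ($parts.Count -ne 2) { throw "'$Cidr' is not in a.b.c.d/len form" }
    $len = [int]$parts[1]
    if ($len -lt 0 -or $len -gt 32) { throw "Invalid prefix length in '$Cidr'" }
    $blockSize = [long]1 -shl (32 - $len)           # number of addresses in the block
    $addr = ConvertTo-AddressNumber $parts[0]
    $start = $addr - ($addr % $blockSize)            # clear the host bits
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $blockSize - 1 }
}

function Test-CidrOverlap {
    param(
        [Parameter(Mandatory)][string[]]$Existing,
        [Parameter(Mandatory)][string[]]$Proposed
    )
    $conflicts = @()
    foreach ($p in $Proposed) {
        $pr = Get-CidrRange $p
        foreach ($e in $Existing) {
            $er = Get-CidrRange $e
            # Two ranges intersect when each starts before the other ends
            if ($pr.Start -le $er.End -and $er.Start -le $pr.End) {
                $conflicts += [pscustomobject]@{ Proposed = $p; OverlapsWith = $e }
            }
        }
    }
    return $conflicts
}

# Existing ranges from this article: TestVNet1's two prefixes and Site5's BGP peer /32.
$existing = @("10.11.0.0/16", "10.12.0.0/16", "10.52.255.253/32")
# TestVNet2's prefixes as declared later in this part.
$proposedVNet2 = @("10.21.0.0/16", "10.22.0.0/16")
# Constructed example of a bad choice: this /17 sits inside TestVNet1's 10.12.0.0/16.
$proposedBad = @("10.12.128.0/17")

$conflicts = Test-CidrOverlap -Existing $existing -Proposed $proposedVNet2
if ($conflicts) { $conflicts | Format-Table -AutoSize; throw "Address space overlap; choose different prefixes for TestVNet2" }

Test-CidrOverlap -Existing $existing -Proposed $proposedBad | Format-Table -AutoSize
```

The first call returns no conflicts for the TestVNet2 prefixes used in this article, so the script continues; the second call reports 10.12.128.0/17 overlapping 10.12.0.0/16. Running the check over every prefix you intend to route through the gateway (VNets and local network gateway prefixes alike) prevents the BGP route conflicts that overlapping spaces would otherwise cause.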
1. Declare your variables
Be sure to replace the values with whatever you want to use for your configuration.
$RG2 = "TestAARG2"
$Location2 = "East US"
$VNetName2 = "TestVNet2"
$FESubName2 = "FrontEnd"
$BESubName2 = "Backend"
$GWSubName2 = "GatewaySubnet"
$VNetPrefix21 = "10.21.0.0/16"
$VNetPrefix22 = "10.22.0.0/16"
$FESubPrefix2 = "10.21.0.0/24"
$BESubPrefix2 = "10.22.0.0/24"
$GWSubPrefix2 = "10.22.255.0/27"
$VNet2ASN = 65020
$DNS2 = "8.8.8.8"
$GWName2 = "VNet2GW"
$GW2IPName1 = "VNet2GWIP1"
$GW2IPconf1 = "gw2ipconf1"
$GW2IPName2 = "VNet2GWIP2"
$GW2IPconf2 = "gw2ipconf2"
$Connection21 = "VNet2toVNet1"
$Connection12 = "VNet1toVNet2"
2. Create TestVNet2 in the new resource group
New-AzResourceGroup -Name $RG2 -Location $Location2
$fesub2 = New-AzVirtualNetworkSubnetConfig -Name $FESubName2 -AddressPrefix $FESubPrefix2
$besub2 = New-AzVirtualNetworkSubnetConfig -Name $BESubName2 -AddressPrefix $BESubPrefix2
$gwsub2 = New-AzVirtualNetworkSubnetConfig -Name $GWSubName2 -AddressPrefix $GWSubPrefix2
New-AzVirtualNetwork -Name $VNetName2 -ResourceGroupName $RG2 -Location $Location2 -AddressPrefix $VNetPrefix21,$VNetPrefix22 -Subnet $fesub2,$besub2,$gwsub2
3. Create an active-active VPN gateway for TestVNet2
Request two public IP addresses to be allocated to the gateway you will create for your VNet. The same step also defines the gateway subnet and the two IP configurations the gateway needs.
$gw2pip1 = New-AzPublicIpAddress -Name $GW2IPName1 -ResourceGroupName $RG2 -Location $Location2 -AllocationMethod Dynamic
$gw2pip2 = New-AzPublicIpAddress -Name $GW2IPName2 -ResourceGroupName $RG2 -Location $Location2 -AllocationMethod Dynamic
$vnet2 = Get-AzVirtualNetwork -Name $VNetName2 -ResourceGroupName $RG2
$subnet2 = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet2
$gw2ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name $GW2IPconf1 -Subnet $subnet2 -PublicIpAddress $gw2pip1
$gw2ipconf2 = New-AzVirtualNetworkGatewayIpConfig -Name $GW2IPconf2 -Subnet $subnet2 -PublicIpAddress $gw2pip2
Create the VPN gateway with the AS number and the EnableActiveActiveFeature flag. Note that you must override the default ASN on your Azure VPN gateways: the ASNs of the connected virtual networks must be different to enable BGP and transit routing.
New-AzVirtualNetworkGateway -Name $GWName2 -ResourceGroupName $RG2 -Location $Location2 -IpConfigurations $gw2ipconf1,$gw2ipconf2 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 -Asn $VNet2ASN -EnableActiveActiveFeature
Step 2 – Connect the TestVNet1 and TestVNet2 gateways
In this example, both gateways are in the same subscription. You can complete this step in the same PowerShell session.
1. Get both gateways
Make sure you sign in and connect to subscription 1.
$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$vnet2gw = Get-AzVirtualNetworkGateway -Name $GWName2 -ResourceGroupName $RG2
2. Create both connections
In this step, you will create the connection from TestVNet1 to TestVNet2 and the connection from TestVNet2 to TestVNet1.
New-AzVirtualNetworkGatewayConnection -Name $Connection12 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -VirtualNetworkGateway2 $vnet2gw -Location $Location1 -ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3' -EnableBgp $True
New-AzVirtualNetworkGatewayConnection -Name $Connection21 -ResourceGroupName $RG2 -VirtualNetworkGateway1 $vnet2gw -VirtualNetworkGateway2 $vnet1gw -Location $Location2 -ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3' -EnableBgp $True
Important
Be sure to enable BGP for BOTH connections.
After completing these steps, the connection is established in a few minutes, and the BGP peering session begins once the VNet-to-VNet connection is complete with dual redundancy:
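The two connections above share the literal key 'AzureA1b2C3', which is fine for a walkthrough but not for a production tunnel, and the requirement that both directions use the same key and both have BGP enabled is something you should verify rather than assume. The following added example, not part of the original article, generates a random pre-shared key, creates both VNet-to-VNet connections with it, and then audits the pair with Get-AzVirtualNetworkGatewayConnection and Get-AzVirtualNetworkGatewayConnectionSharedKey. The function names are ours and it assumes the variables and gateway objects from Part 3; Azure accepts the shared key as a printable ASCII string, which base64 output satisfies.

```powershell
# Added example (not part of the original article). Assumes $Connection12, $Connection21,
# $RG1, $RG2, $Location1, $Location2, $vnet1gw and $vnet2gw from Part 3 are defined.

function New-RandomSharedKey {
    param([int]$Bytes = 32)
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buffer) } finally { $rng.Dispose() }
    # Base64 keeps the key printable; 32 random bytes give a 44-character key.
    return [Convert]::ToBase64String($buffer)
}

function Test-Vnet2VnetConnectionPair {
    param(
        [Parameter(Mandatory)][string]$Name1, [Parameter(Mandatory)][string]$ResourceGroup1,
        [Parameter(Mandatory)][string]$Name2, [Parameter(Mandatory)][string]$ResourceGroup2
    )
    $c1 = Get-AzVirtualNetworkGatewayConnection -Name $Name1 -ResourceGroupName $ResourceGroup1
    $c2 = Get-AzVirtualNetworkGatewayConnection -Name $Name2 -ResourceGroupName $ResourceGroup2
    $k1 = Get-AzVirtualNetworkGatewayConnectionSharedKey -Name $Name1 -ResourceGroupName $ResourceGroup1
    $k2 = Get-AzVirtualNetworkGatewayConnectionSharedKey -Name $Name2 -ResourceGroupName $ResourceGroup2

    $problems = @()
    if ($k1 -ne $k2)        { $problems += "Shared keys differ between $Name1 and $Name2." }
    if (-not $c1.EnableBgp) { $problems += "BGP is disabled on $Name1." }
    if (-not $c2.EnableBgp) { $problems += "BGP is disabled on $Name2." }
    foreach ($c in @($c1, $c2)) {
        if ($c.ConnectionStatus -ne 'Connected') { $problems += "$($c.Name) is $($c.ConnectionStatus)." }
    }
    # An empty array means both directions are consistent and up.
    return $problems
}

$psk = New-RandomSharedKey
New-AzVirtualNetworkGatewayConnection -Name $Connection12 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -VirtualNetworkGateway2 $vnet2gw -Location $Location1 -ConnectionType Vnet2Vnet -SharedKey $psk -EnableBgp $True
New-AzVirtualNetworkGatewayConnection -Name $Connection21 -ResourceGroupName $RG2 -VirtualNetworkGateway1 $vnet2gw -VirtualNetworkGateway2 $vnet1gw -Location $Location2 -ConnectionType Vnet2Vnet -SharedKey $psk -EnableBgp $True
Remove-Variable psk    # the key now lives only in the connection resources

Test-Vnet2VnetConnectionPair -Name1 $Connection12 -ResourceGroup1 $RG1 -Name2 $Connection21 -ResourceGroup2 $RG2
```

Because the connections take a few minutes to come up, expect a "NotConnected" or "Connecting" status immediately after creation; rerun the audit once the gateways have negotiated, at which point an empty result confirms matching keys, BGP on both sides and both directions connected.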
Upgrade an existing VPN gateway
When you change an active-standby gateway to active-active, you create another public IP address and add a second gateway IP configuration. This section helps you switch an existing Azure VPN gateway from active-standby to active-active mode, or vice versa, using PowerShell. You can also change a gateway in the Azure portal in the settings of your virtual network gateway.
Changing from an active-standby gateway to an active-active gateway
The following example converts an active-standby gateway to an active-active gateway.
1. Declare your variables
Replace the following parameters used for the examples with the settings you need for your own configuration, and then declare those variables.
$GWName = "TestVNetAA1GW"
$VNetName = "TestVNetAA1"
$RG = "TestVPNActiveActive01"
$GWIPName2 = "gwpip2"
$GWIPconf2 = "gw1ipconf2"
After declaring the variables, you can copy and paste this example into the PowerShell console.
$vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gw = Get-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG
$location = $gw.Location
2. Create a public IP address and add a second gateway IP configuration
$gwpip2 = New-AzPublicIpAddress -Name $GWIPName2 -ResourceGroupName $RG -Location $location -AllocationMethod Dynamic
Add-AzVirtualNetworkGatewayIpConfig -VirtualNetworkGateway $gw -Name $GWIPconf2 -Subnet $subnet -PublicIpAddress $gwpip2
3. Enable active-active mode and update the gateway
In this step, you enable active-active mode and update the gateway. In the example, the VPN gateway currently uses a legacy Default SKU. However, active-active does not support the Default SKU. To resize the legacy SKU to one that is supported (in this case, HighPerformance), simply specify the legacy SKU you want to use.
You cannot change a legacy SKU to one of the new SKUs using this step. You can only resize a legacy SKU to another supported legacy SKU. For example, you cannot change the SKU from Standard to VpnGw1 (even though VpnGw1 supports active-active) because Standard is a legacy SKU and VpnGw1 is a current SKU. For more information on resizing and migrating SKUs, see Gateway SKUs.
If you want to resize a current SKU, for example VpnGw1 to VpnGw3, you can do so using this step because the SKUs are in the same SKU family. To do this, you would use the value:
-GatewaySku VpnGw3
When you use this in your environment, you don't need to specify -GatewaySku if you don't need to resize the gateway. Note that in this step you must call Set-AzVirtualNetworkGateway on the gateway object to trigger the actual update. This update can take 30-45 minutes, even if you don't resize the gateway.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -EnableActiveActiveFeature -GatewaySku HighPerformance
Change an active-active gateway to an active-standby gateway
1. Declare your variables
Replace the following parameters used for the examples with the settings you need for your own configuration, and then declare those variables.
$GWName = "TestVNetAA1GW"
$RG = "TestVPNActiveActive01"
After declaring the variables, get the name of the IP configuration you want to delete.
$gw = Get-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG
$ipconfname = $gw.IpConfigurations[1].Name
2. Delete the IP configuration of the gateway and deactivate the active-active mode
Use this example to remove the gateway IP configuration and disable active-active mode. Note that you must call Set-AzVirtualNetworkGateway on the gateway object to trigger the actual update.
Remove-AzVirtualNetworkGatewayIpConfig -Name $ipconfname -VirtualNetworkGateway $gw
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -DisableActiveActiveFeature
This update can take 30-45 minutes.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. See Create a virtual machine for steps.