Forum Discussion

Rajtoor's avatar
Rajtoor
Copper Contributor
Aug 23, 2022

Backup Virtual Network Gateway - site to site

We have two ISP connections wired and wireless. Wireless is only used when wired goes down for both incoming and outgoing traffic. All our locations form 2 IPSEC tunnels across each connection separa...
Networking
virtual network
KurtBMayer's avatar
KurtBMayer
Steel Contributor
Aug 23, 2022

Rajtoor 

 

There can be multiple S2S connections to a Virtual Network Gateway in Azure. But it would depend on how traffic is routed.

 

If using a hardware firewall with the S2S tunnel as the on-prem endpoint, the firewall itself would need to know to choose the wireless route as its next hop once the old route is retracted, such as via BGP or dual-WAN.

 

Another way is to use a Windows Server as the S2S endpoint via the RRAS role. This box could be connected to your Wireless segment, for example, where it could be listed as a gateway route for the defined network traffic on that subnet.

 

Please like or mark this thread as answered if it's helpful, thanks! 

  • Rajtoor's avatar
    Rajtoor
    Copper Contributor
    Aug 23, 2022
    KurtBMayer I have no problem selecting which route to take wired or wireless on the physical firewall, when there both are available or only on of the two(wired/wireless) is available.

    I am thinking from the perspective of Azure. When same routes are being advertised on both tunnels,

    When both links are available -
    Will it load balance / round robin ? We don't want it to.
    How can I make Azure prefer wired tunnel, when both tunnels are up?

    When one link is available -
    When wired goes down how can I make Azure switch traffic over to wireless tunnel?
    How much time does it take to notice tunnel is down and switch traffic to other tunnel?

    • tommykneetz's avatar
      tommykneetz
      Iron Contributor
      Aug 24, 2022
      "Because the Azure gateway instances are in active-active configuration, the traffic from your Azure virtual network to your on-premises network will be routed through both tunnels simultaneously, even if your on-premises VPN device may favor one tunnel over the other. For a single TCP or UDP flow, Azure attempts to use the same tunnel when sending packets to your on-premises network. However, your on-premises network could use a different tunnel to send packets to Azure."

      https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#active-active-vpn-gateways

Resources