Forum Discussion
VPN Gateway - BGP AS PATH - Steer which VPN tunnel traffic will flow from Azure to OnPrem
Can anyone confirm whether in the topology that Microsoft calls "Active-active VPN gateways" we can steer which VPN tunnel is utilized using AS PATH? Or is it by definition active/active, meaning we can't avoid utilizing both tunnels simultaneously and probably we have to deal with asymmetric routing?
MS article about different topologies:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#activeactiveonprem
My findings:
Because the Azure gateway instances are in active-active configuration, the traffic from your Azure virtual network to your on-premises network will be routed through both tunnels simultaneously, even if your on-premises VPN device might favor one tunnel over the other.
However, according to the Microsoft FAQ about BGP:
Yes, Azure VPN gateway honors AS Path prepending to help make routing decisions when BGP is enabled. A shorter AS Path is preferred in BGP path selection.
2 Replies
- Viraj36, Copper Contributor
If the primary tunnel becomes unavailable, traffic should automatically fail over to the secondary tunnel to ensure uninterrupted connectivity.
In our setup, the VPN gateway is configured in active-active mode. However, during failover testing, when the primary tunnel is brought down, the traffic does not switch to the secondary tunnel as expected. Additionally, the BGP peer remains in a Connecting state, which prevents the establishment of a stable connection over the secondary path.
Please give any suggestions on it.

Your findings are correct. Configuring AS-path on the on-premise will give priority to one tunnel over the other (i.e. primary, secondary). And if maintenance is done on the Azure gateway and the primary tunnel is down then traffic will be routed to the secondary tunnel.
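
A sketch of the on-premises side of the AS path prepending discussed in this thread, as an added example that is not part of any post above. It uses Cisco IOS-style syntax; the on-premises ASN 65010, the peer addresses and the prefix are constructed placeholders, and 65515 is assumed to be the Azure gateway ASN (its default).

```cisco
! Added example, not from the thread. The on-prem ASN 65010, all addresses
! and the advertised prefix are constructed placeholders.
! 10.1.255.4 = BGP peer IP of Azure gateway instance 0 (intended primary tunnel)
! 10.1.255.5 = BGP peer IP of Azure gateway instance 1 (intended secondary tunnel)
router bgp 65010
 neighbor 10.1.255.4 remote-as 65515
 neighbor 10.1.255.4 ebgp-multihop 2
 neighbor 10.1.255.5 remote-as 65515
 neighbor 10.1.255.5 ebgp-multihop 2
 !
 address-family ipv4
  network 192.168.0.0 mask 255.255.0.0
  neighbor 10.1.255.4 activate
  neighbor 10.1.255.4 route-map AZ-PRIMARY-IN in
  neighbor 10.1.255.5 activate
  neighbor 10.1.255.5 route-map AZ-SECONDARY-OUT out
 exit-address-family
!
! Outbound to the secondary peer only: lengthen the AS path of the on-prem
! prefix, so the copy learned over the primary tunnel has the shorter path.
route-map AZ-SECONDARY-OUT permit 10
 set as-path prepend 65010 65010
!
! Inbound from the primary peer: raise local preference so traffic from
! on-prem to Azure uses the same tunnel, which avoids asymmetric routing.
route-map AZ-PRIMARY-IN permit 10
 set local-preference 200
```

The prepended advertisement stays in place on the secondary session, so if the primary session drops it is the only remaining path for the prefix.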