cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Backup Virtual Network Gateway - site to site

Rajtoor
Copper Contributor

‎Aug 23 2022 09:31 AM

‎Aug 23 2022 09:31 AM

Backup Virtual Network Gateway - site to site

We have two ISP connections wired and wireless. Wireless is only used when wired goes down for both incoming and outgoing traffic. All our locations form 2 IPSEC tunnels across each connection separately. On failure traffic would shift from wired to wireless on Hub site and on remote site traffic is routed over tunnel formed over wireless connection. This happens using monitor attached to the static route which senses remote wired connection failed and removes the route from its routing table. And the next best is the wireless route determined by assigned Administrative Distance.

 

How can we achieve same/similar function with Azure Virtual Network Gateway Site to Site connections. When ever wired goes down we lose connectivity with Azure. We want the second tunnel to take over only after first has failed.

Labels:
2,184 Views
0 Likes
3 Replies
Reply
3 Replies
Kurt Mayer

‎Aug 23 2022 11:28 AM

‎Aug 23 2022 11:28 AM

Re: Backup Virtual Network Gateway - site to site

@Rajtoor 

 

There can be multiple S2S connections to a Virtual Network Gateway in Azure. But it would depend on how traffic is routed.

 

If using a hardware firewall with the S2S tunnel as the on-prem endpoint, the firewall itself would need to know to choose the wireless route as its next hop once the old route is retracted, such as via BGP or dual-WAN.

 

Another way is to use a Windows Server as the S2S endpoint via the RRAS role. This box could be connected to your Wireless segment, for example, where it could be listed as a gateway route for the defined network traffic on that subnet.

 

Please like or mark this thread as answered if it's helpful, thanks! 

0 Likes
Reply
Rajtoor

‎Aug 23 2022 01:10 PM

‎Aug 23 2022 01:10 PM

Re: Backup Virtual Network Gateway - site to site

@Kurt Mayer I have no problem selecting which route to take wired or wireless on the physical firewall, when there both are available or only on of the two(wired/wireless) is available.

I am thinking from the perspective of Azure. When same routes are being advertised on both tunnels,

When both links are available -
Will it load balance / round robin ? We don't want it to.
How can I make Azure prefer wired tunnel, when both tunnels are up?

When one link is available -
When wired goes down how can I make Azure switch traffic over to wireless tunnel?
How much time does it take to notice tunnel is down and switch traffic to other tunnel?

0 Likes
Reply
tommykneetz

‎Aug 23 2022 11:25 PM

‎Aug 23 2022 11:25 PM

Re: Backup Virtual Network Gateway - site to site

"Because the Azure gateway instances are in active-active configuration, the traffic from your Azure virtual network to your on-premises network will be routed through both tunnels simultaneously, even if your on-premises VPN device may favor one tunnel over the other. For a single TCP or UDP flow, Azure attempts to use the same tunnel when sending packets to your on-premises network. However, your on-premises network could use a different tunnel to send packets to Azure."

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#active-active-vpn-gat...
0 Likes
Reply