VPN Gateway


The presented resiliency recommendations in this guidance include VPN Gateway and associated VPN Gateway settings.

Summary of Recommendations

The table below lists the resiliency recommendations for VPN Gateway and associated resources.

ID      Recommendation                                                                   Category      Impact
VPNG-1  Choose a Zone-redundant gateway                                                  Availability  High
VPNG-2  Plan for Active-Active mode                                                      Availability  High
VPNG-4  Deploy active-active VPN concentrators on your premises for maximum resiliency   Availability  High
VPNG-5  Monitor connections and gateway health                                           Monitoring    Medium
VPNG-6  Enable service health                                                            Monitoring    Medium
VPNG-7  Deploy zone-redundant VPN Gateways with zone-redundant Public IP(s)              Availability  High

Recommendations Details

VPNG-1 - Choose a Zone-redundant gateway

Category: Availability

Impact: High

Guidance

Azure VPN Gateway carries a different SLA when it is deployed in a single availability zone than when it is deployed across two availability zones. To have your virtual network gateways deployed across availability zones automatically, use zone-redundant virtual network gateways. With zone-redundant gateways, your mission-critical, scalable services on Azure remain reachable if a single zone fails.

Resources

Resource Graph Query

// Azure Resource Graph Query
// For all VNGs of type Vpn, show any that do not have AZ in the SKU tier
resources
| where type =~ "Microsoft.Network/virtualNetworkGateways"
| where properties.gatewayType == "Vpn"
| where properties.sku.tier !contains 'AZ'
| project recommendationId = "vpng-1", name, id, tags, param1= strcat("sku-tier: " , properties.sku.tier), param2=location
| order by id asc



VPNG-2 - Plan for Active-Active mode

Category: Availability

Impact: High

Guidance

The active-active mode is available for all SKUs except Basic. Active-active gateways have two Gateway IP configurations and two public IP addresses.

Resources

Resource Graph Query

// Azure Resource Graph Query
// For all VNGs of type Vpn, show any that are not configured in active-active mode
// Basic SKU gateways also appear here: active-active is not available on Basic, so they need a resize first
resources
| where type =~ 'Microsoft.Network/virtualNetworkGateways'
| where properties.gatewayType =~ "vpn"
| extend gatewayType = properties.gatewayType, vpnType = properties.vpnType, connections = properties.connections, activeactive = properties.activeActive
| where activeactive == false
| project recommendationId = "vpng-2", name, id, tags



VPNG-4 - Deploy active-active VPN concentrators on your premises for maximum resiliency

Category: Availability

Impact: High

Guidance

By deploying active-active VPN concentrators on your premises together with active-active Azure VPN gateways, you get a fully meshed topology of four IPsec tunnels, which maximizes resilience and availability: any single tunnel, gateway instance or on-premises device can fail without losing connectivity.

Resources

Resource Graph Query

// under-development



VPNG-5 - Monitor connections and gateway health

Category: Monitoring

Impact: Medium

Guidance

Set up monitoring and alerts for virtual network gateway health and for the connections it terminates, using the metrics the gateway exposes, so that a degraded tunnel or gateway instance is noticed before users report it.

Resources

Resource Graph Query

// under-development



VPNG-6 - Enable service health

Category: Monitoring

Impact: Medium

Guidance

VPN Gateway uses Azure Service Health to notify you about planned and unplanned maintenance. Configuring Service Health alerts ensures you are notified about events that affect your VPN connectivity.

Resources

Resource Graph Query

// under-development



VPNG-7 - Deploy zone-redundant VPN Gateways with zone-redundant Public IP(s)

Category: Availability

Impact: High

Guidance

When using zone-redundant SKUs for VPN Gateways (VpnGw*AZ), make sure that you associate your gateway with zone-redundant Standard SKU public IP addresses. If a VPN gateway is associated with zonal Standard SKU public IP addresses, all the gateway instances are deployed in the same zone as the IP address(es). This recommendation applies to both active-passive gateways (which use a single public IP address) and active-active VPN gateways (which use two public IP addresses).

Resources

Resource Graph Query

// Azure Resource Graph Query
// Provides a list of zone-redundant Azure VPN gateways associated with non-zone-redundant Public IPs
resources
| where type =~ "Microsoft.Network/virtualNetworkGateways"
| where properties.gatewayType == "Vpn"
| where properties.sku.tier contains 'AZ'
| mv-expand ipconfig = properties.ipConfigurations
// Lower-case the reference id: the id stored in the IP configuration can differ in case from the public IP resource's own id, and the join is case-sensitive
| extend pipId = tolower(tostring(ipconfig.properties.publicIPAddress.id))
| join kind=inner (
    resources
    | where type =~ "Microsoft.Network/publicIPAddresses"
    // A zone-redundant Standard public IP lists all three zones; a zonal IP lists one and a regional IP lists none
    | where isnull(zones) or array_length(zones) < 3
    | extend pipIdLower = tolower(id)
    ) on $left.pipId == $right.pipIdLower
| project recommendationId = "vpng-7", name, id, tags, param1 = strcat("PublicIpAddressName: ", name1), param2 = strcat("PublicIpAddressId: ", id1), param3 = strcat("PublicIpAddressTags: ", tags1)
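The VPNG-1, VPNG-2 and VPNG-7 checks above are expressed as Resource Graph queries, which need a live tenant. The following is an added example, not code from this page or from Microsoft, that applies the same three checks offline to records shaped like rows of the Resource Graph `resources` table (for instance a JSON export of such a query). The record layout, the helper names (`_pip`, `_gw`, `check_vpng1`, `check_vpng2`, `check_vpng7`, `run_all`) and the sample resources are assumptions constructed for the example; the subscription id and names are placeholders.

```python
"""Offline evaluation of the VPNG-1, VPNG-2 and VPNG-7 checks.

Added example; not code from the APRL page or from Microsoft. It assumes
input records carry the fields the page's Resource Graph queries use:
type, name, id, tags, zones (public IPs) and properties (gateways).
"""
from typing import Dict, List, Tuple

GATEWAY_TYPE = "microsoft.network/virtualnetworkgateways"
PUBLIC_IP_TYPE = "microsoft.network/publicipaddresses"

# Constructed placeholder prefix for resource ids (not a real subscription).
PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
          "/rg-net/providers/Microsoft.Network")


def _pip(name: str, zones) -> dict:
    """Constructed public IP record; zones is None, ["1"] or ["1","2","3"]."""
    return {"type": PUBLIC_IP_TYPE, "name": name, "tags": {},
            "id": f"{PREFIX}/publicIPAddresses/{name}", "zones": zones}


def _gw(name: str, tier: str, active_active: bool, pip_names, gateway_type="Vpn") -> dict:
    """Constructed gateway record. The public IP reference ids are written
    with different casing than the public IP's own id, so the VPNG-7 join
    must normalise case (the same reason the query uses tolower)."""
    refs = [{"properties": {"publicIPAddress": {
        "id": f"{PREFIX}/publicIPAddresses/{p}".replace("resourceGroups", "resourcegroups")}}}
        for p in pip_names]
    return {"type": GATEWAY_TYPE, "name": name, "tags": {}, "location": "westeurope",
            "id": f"{PREFIX}/virtualNetworkGateways/{name}",
            "properties": {"gatewayType": gateway_type, "sku": {"tier": tier},
                           "activeActive": active_active, "ipConfigurations": refs}}


# Constructed sample inventory covering the cases each check distinguishes.
SAMPLE_RESOURCES = [
    _pip("pip-basic", None),            # regional IP, no zones
    _pip("pip-az-a", ["1", "2", "3"]),  # zone-redundant Standard IP
    _pip("pip-az-b", ["1"]),            # zonal Standard IP pinned to zone 1
    _pip("pip-az-c", ["1", "2", "3"]),
    _gw("gw-basic", "Basic", False, ["pip-basic"]),
    _gw("gw-az-zonal", "VpnGw2AZ", True, ["pip-az-a", "pip-az-b"]),
    _gw("gw-az-good", "VpnGw1AZ", False, ["pip-az-c"]),
    _gw("er-gw", "ErGw1AZ", False, ["pip-az-c"], gateway_type="ExpressRoute"),  # not VPN; ignored
]


def vpn_gateways(resources) -> List[dict]:
    """Same filter as the queries: gateway resources whose gatewayType is Vpn."""
    return [r for r in resources
            if r["type"].lower() == GATEWAY_TYPE
            and str(r["properties"].get("gatewayType", "")).lower() == "vpn"]


def _is_az_tier(gateway: dict) -> bool:
    return "az" in str(gateway["properties"]["sku"]["tier"]).lower()


def is_zone_redundant_pip(pip: dict) -> bool:
    """Mirrors `isnull(zones) or array_length(zones) < 3` (negated)."""
    zones = pip.get("zones")
    return zones is not None and len(zones) >= 3


def check_vpng1(resources) -> List[str]:
    """VPNG-1: VPN gateways whose SKU tier is not a zone-redundant (*AZ) tier."""
    return [g["name"] for g in vpn_gateways(resources) if not _is_az_tier(g)]


def check_vpng2(resources) -> List[str]:
    """VPNG-2: VPN gateways not in active-active mode. Basic SKU gateways are
    listed too; the guidance notes active-active is unavailable on Basic."""
    return [g["name"] for g in vpn_gateways(resources)
            if not g["properties"].get("activeActive", False)]


def check_vpng7(resources) -> List[Tuple[str, str]]:
    """VPNG-7: (gateway, public IP) pairs where an AZ gateway uses a public IP
    that is not zone-redundant. Ids are lower-cased on both sides of the join."""
    pips = {r["id"].lower(): r for r in resources if r["type"].lower() == PUBLIC_IP_TYPE}
    findings = []
    for g in vpn_gateways(resources):
        if not _is_az_tier(g):
            continue
        for cfg in g["properties"].get("ipConfigurations", []):
            ref = cfg["properties"].get("publicIPAddress", {}).get("id", "")
            pip = pips.get(ref.lower())
            if pip is not None and not is_zone_redundant_pip(pip):
                findings.append((g["name"], pip["name"]))
    return findings


def run_all(resources) -> Dict[str, list]:
    return {"vpng-1": check_vpng1(resources),
            "vpng-2": check_vpng2(resources),
            "vpng-7": check_vpng7(resources)}


if __name__ == "__main__":
    for rec_id, hits in run_all(SAMPLE_RESOURCES).items():
        print(rec_id, hits)
```

On the sample inventory the script reports gw-basic under VPNG-1, gw-basic and gw-az-good under VPNG-2, and the pair (gw-az-zonal, pip-az-b) under VPNG-7, while the ExpressRoute gateway is skipped by the gatewayType filter. Case normalisation in `check_vpng7` is what lets the differently cased reference id still match its public IP, the same concern the `tolower` in the query addresses.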