Use Active-Active VPN gateways

Reliability · Virtual Network Gateway · Rule · 2020_06 · Important

Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.

Description

VPN Gateways can be configured as either Active-Passive or Active-Active for Site-to-Site (S2S) connections. When deploying VPN gateways, Azure deploys two instances for high-availability (HA).

When using an Active-Passive configuration, one instance is designated a standby for failover.

Gateways configured to use an Active-Active configuration:

• Establish two IPSEC tunnels, one from each instance per connection.
• Each instance will load balance network traffic.

Recommendation

Consider using Active-Active VPN gateways to reduce connectivity downtime during HA failover.

Notes

Azure provisions a single instance for Basic (legacy) VPN gateways. As a result, Basic VPN gateways do not support Active-Active connections. To use Active-Active VPN connections, migrate to a gateway configured as VpnGw1 or higher SKU.

Links

• RE:05 Redundancy
• Highly Available Cross-Premises and VNet-to-VNet Connectivity
• Update an existing VPN gateway
• Azure deployment reference

Comments