Skip to content

Use Active-Active VPN gateways#

Reliability · Virtual Network Gateway · Rule · 2020_06

Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.


VPN Gateways can be configured as either Active-Passive or Active-Active for Site-to-Site (S2S) connections. When deploying VPN gateways, Azure deploys two instances for high-availability (HA).

When using an Active-Passive configuration, one instance is designated a standby for failover.

Gateways configured to use an Active-Active configuration:

  • Establish two IPSEC tunnels, one from each instance per connection.
  • Each instance will load balance network traffic.


Consider using Active-Active VPN gateways to reduce connectivity downtime during HA failover.


Azure provisions a single instance for Basic (legacy) VPN gateways. As a result, Basic VPN gateways do not support Active-Active connections. To use Active-Active VPN connections, migrate to a gateway configured as VpnGw1 or higher SKU.