Use Active-Active VPN gateways

Reliability · Virtual Network Gateway · Rule · 2020_06 · Important

Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.

Description

VPN Gateways can be configured as either Active-Passive or Active-Active for Site-to-Site (S2S) connections. When deploying VPN gateways, Azure deploys two instances for high-availability (HA).

When using an Active-Passive configuration, one instance is designated a standby for failover.

Gateways configured to use an Active-Active configuration:

• Establish two IPSEC tunnels, one from each instance per connection.
• Each instance will load balance network traffic.

Recommendation

Consider using Active-Active VPN gateways to reduce connectivity downtime during HA failover.

Examples

Configure with Azure template

To configure VPN gateways that pass this rule:

• Set properties.activeActive to true.

For example:

Azure Template snippet

{
  "type": "Microsoft.Network/virtualNetworkGateways",
  "apiVersion": "2023-11-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "gatewayType": "Vpn",
    "ipConfigurations": [
      {
        "name": "default",
        "properties": {
          "privateIPAllocationMethod": "Dynamic",
          "subnet": {
            "id": "[parameters('subnetId')]"
          },
          "publicIPAddress": {
            "id": "[parameters('pipId')]"
          }
        }
      }
    ],
    "activeActive": true,
    "vpnType": "RouteBased",
    "vpnGatewayGeneration": "Generation2",
    "sku": {
      "name": "VpnGw1AZ",
      "tier": "VpnGw1AZ"
    }
  }
}

Configure with Bicep

To configure VPN gateways that pass this rule:

• Set properties.activeActive to true.

For example:

Azure Bicep snippet

resource vng 'Microsoft.Network/virtualNetworkGateways@2023-11-01' = {
  name: name
  location: location
  properties: {
    gatewayType: 'Vpn'
    ipConfigurations: [
      {
        name: 'default'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: {
            id: subnetId
          }
          publicIPAddress: {
            id: pipId
          }
        }
      }
    ]
    activeActive: true
    vpnType: 'RouteBased'
    vpnGatewayGeneration: 'Generation2'
    sku: {
      name: 'VpnGw1AZ'
      tier: 'VpnGw1AZ'
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/network/virtual-network-gateway:<version>

To use the latest version:

br/public:avm/res/network/virtual-network-gateway:0.6.1

---

• What is Azure Verified Modules?
• Usage and parameters for this module

Notes

Azure provisions a single instance for Basic (legacy) VPN gateways. As a result, Basic VPN gateways do not support Active-Active connections. To use Active-Active VPN connections, migrate to a gateway configured as VpnGw1 or higher SKU.

Links

• RE:05 Redundancy
• Highly Available Cross-Premises and VNet-to-VNet Connectivity
• Update an existing VPN gateway
• Azure deployment reference

Comments