Configuring a Second VPN Tunnel on Firewall for Azure Environment

Afram Vannessa 0

I have added a second ISP in my network and need to create a second VPN tunnel on the firewall for the Azure environment. How can this be done? Additionally, I do not have the password, and will there be any charges incurred on Azure for this setup?

Ganesh Patapati 2,590 Reputation points Microsoft Vendor

2024-12-11T18:11:19.9566667+00:00
Hi Afram Vannessa

Greetings!

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I require some details:

Which type of firewall are you using? Is it an Azure firewall or an on-premises firewall?

Which password are you referring to? Please clarify.

You can use multiple VPN devices from your on-premises network to connect to your Azure VPN gateway, as shown in the following diagram:

You need to create multiple S2S VPN connections from your VPN devices to Azure. When you connect multiple VPN devices from the same on-premises network to Azure, create one local network gateway for each VPN device, and one connection from your Azure VPN gateway to each local network gateway.

The local network gateways corresponding to your VPN devices must have unique public IP addresses in the "GatewayIpAddress" property.

BGP is required for this configuration. Each local network gateway representing a VPN device must have a unique BGP peer IP address specified in the "BgpPeerIpAddress" property.

Use BGP to advertise the same prefixes of the same on-premises network prefixes to your Azure VPN gateway. The traffic is forwarded through these tunnels simultaneously.

You must use Equal-cost multi-path routing (ECMP).

Each connection is counted against the maximum number of tunnels for your Azure VPN gateway. See the VPN Gateway settings page for the latest information about tunnels, connections, and throughput.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

Refer: https://learn.microsoft.com/en-us/answers/questions/1194479/multiple-s2s-vpn-tunnels-between-one-azure-vpn-gat

Charges Incurred on Azure

Setting up a virtual network is free of charge. However, we do charge for the VPN gateway that connects to on-premises and other virtual networks in Azure. This charge is based on the amount of time that gateway is provisioned and available.

Refer: https://azure.microsoft.com/en-in/pricing/details/vpn-gateway/

NOTE: There may also be charges for data transfer over the VPN connections, depending on the amount of data sent and received.

Hope this clarifies!

If above is unclear and/or you are unsure about something add a comment below.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Regards,

Ganesh
Ganesh Patapati 2,590 Reputation points Microsoft Vendor

2024-12-12T16:34:03.5066667+00:00

Hello Afram Vannessa

Any update on this post?

Thanks, Ganesh
Afram Vannessa 0 Reputation points

2024-12-12T17:12:16.1066667+00:00

Thanks,

Actually, the servers are in Azure as well -Domain controller, file server, etc.

The firewall is located in the office LAN, and it is a Fortigate.

The Preshared - key/Authentication Key is related to the Connection (VPN Connection) I believe this is setup per connection, because it is defined by each Local Network Gateway.

About the price? I see in the invoice there is fee for Leasing the IP address and another for Networking/VPN Gateway Basic.

Thanks
Ganesh Patapati 2,590 Reputation points Microsoft Vendor

2024-12-16T17:30:27.6233333+00:00

Hello Afram Vannessa

Any update on this post?

Thanks, Ganesh

1 answer

Ganesh Patapati 2,590 Reputation points Microsoft Vendor

2024-12-13T19:17:10.9166667+00:00
Hello Afram Vannessa

We appreciate your patience!

As previously mentioned, you can create a second VPN tunnel on the firewall for the Azure environment, based on your supported firewall configuration.

Validated VPN devices and device configuration guides

In partnership with device vendors, we have validated a set of standard VPN devices. All of the devices in the device families in the following list should work with VPN gateways. These are the recommended algorithms for your device configuration.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#devicetable

Please review your firewall settings to ensure they align with the configurations outlined in the document.

Pre-Shared Key

The pre shared key is unique to each VPN connection and is configured in the Local Network Gateway settings in Azure. If you do not have the PSK, you can create a new one in the Azure portal when establishing the connection. Ensure that the Fortigate configuration is updated with the new PSK.

Q. About the price? I see in the invoice there is fee for Leasing the IP address and another for Networking/VPN Gateway Basic.

VPN Gateway Charges:

The cost for the VPN Gateway is based on the SKU you choose (e.g., Basic, VpnGw1, etc.). The Basic SKU is typically the least expensive option, but it will be retiring in 2025, I recommend updating it to the standard.

Leasing IP Address:

All Instance level public IP addresses are charged depending on what type of IP address you use:

More information here:

Public IP Address pricing

https://azure.microsoft.com/en-us/pricing/details/ip-addresses

Hope this clarifies!

If above is unclear and/or you are unsure about something add a comment below.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Regards,

Ganesh
Please sign in to rate this answer.
Ganesh Patapati 2,590 Reputation points Microsoft Vendor

2024-12-17T17:04:19.7333333+00:00

Hello Afram Vannessa

Any update on this post?

If above is unclear and/or you are unsure about something add a comment below.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Thanks, Ganesh
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Configuring a Second VPN Tunnel on Firewall for Azure Environment

1 answer

Your answer