I have a few questions related to Azure VPN Gateway services, and I would appreciate your guidance on the following matters: Migration to AZ VPN Gateways: I have heard that in 2025 there are plans to transition all standard VPN Gateways to AZ VPN Gateways. My current gateway is using a non-zonal public IP address, while AZ VPN Gateways require zonal public IPs. How will this migration be handled? Will the public IP address associated with my gateway automatically migrate to a zonal IP, or will a new IP be assigned? If a new public IP is issued, how will it affect existing VPN tunnels? My current tunnels are reliant on the existing public IP, and changes to it would pose significant challenges. Active-Active VPN Tunnel and Pricing: When creating a connection in Active-Active mode, two Site-to-Site (S2S) tunnels are automatically created within a single connection. In the context of VPN Gateway pricing, where up to 10 tunnels are included for free, does an Active-Active VPN connection count as one tunnel or two tunnels in that 10 tunnels pricing? BGP Connections and Primary Link Selection: In scenarios where I have multiple on-premises sites (e.g., a primary site and a DR site) connected to Azure via VPN tunnels, both announcing the same subnets using BGP: Is there a way to designate one link (e.g., the primary site) as the preferred path for all traffic and have Azure use the secondary (DR site) link only if the primary link fails? If Azure learns the same subnets from both sites, does it attempt to load balance the traffic across both links? If so, how can this behavior be adjusted to ensure all traffic is directed only through the primary link under normal circumstances?

@Nikoloz Jibgashvili , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. 1 . Migration to AZ VPN Gateways: Refer : What actions do I need to take? There are no actions that you need to take. If your gateway currently uses one of the SKUs listed in previous section, we'll migrate the gateway for you. When we perform the migration, the migration is seamless. There's no downtime expected . You'll be notified in advance about migration for your gateway. Since the doc informs there shouldn't be any downtime expected, the IP should remain the same 2 . Active-Active VPN Tunnel and Pricing: This is considered to be 2 tunnels. 3 . BGP Connections and Primary Link Selection: See : Active-active mode design In an active-active configuration, Azure routes traffic from your virtual network to your on-premises network through both tunnels simultaneously. For a single TCP or UDP flow, Azure attempts to use the same tunnel when sending packets to your on-premises network. However, your on-premises network might use a different tunnel to send packets back to Azure. There are two ways you can employ to prefer one connection over the other AS PATH prepending You advertise both of the prefixes on both the tunnels, and in addition you add a AS Path prefix to the secondary connection NOTE : The route with a shorter AS Path is preferred. or Advertise a more specific route via Primary tunnel Say your OnPrem range is 10.1.1.0/24, In the secondary tunnel advertise 10.1.0.0/16 and in Primary tunnel advertise 10.1.1.0/24 Azure will prefer the more specific path, see : How Azure selects a route Kindly let us know if this helps or you need further assistance on this issue. Thanks, Kapil Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Questions Regarding Azure VPN Gateway Migration, Pricing, and Configuration

Accepted answer

KapilAnanth-MSFT 48,081 Reputation points Microsoft Employee

2024-12-18T09:43:08.8466667+00:00
@Nikoloz Jibgashvili ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

1 . Migration to AZ VPN Gateways:

Refer : What actions do I need to take?

There are no actions that you need to take. If your gateway currently uses one of the SKUs listed in previous section, we'll migrate the gateway for you. When we perform the migration, the migration is seamless. There's no downtime expected. You'll be notified in advance about migration for your gateway.

Since the doc informs there shouldn't be any downtime expected, the IP should remain the same

2 . Active-Active VPN Tunnel and Pricing:

This is considered to be 2 tunnels.

3 . BGP Connections and Primary Link Selection:

See : Active-active mode design

In an active-active configuration, Azure routes traffic from your virtual network to your on-premises network through both tunnels simultaneously. For a single TCP or UDP flow, Azure attempts to use the same tunnel when sending packets to your on-premises network. However, your on-premises network might use a different tunnel to send packets back to Azure.

There are two ways you can employ to prefer one connection over the other

AS PATH prepending

You advertise both of the prefixes on both the tunnels, and in addition you add a AS Path prefix to the secondary connection

NOTE : The route with a shorter AS Path is preferred.

or Advertise a more specific route via Primary tunnel

Say your OnPrem range is 10.1.1.0/24,

In the secondary tunnel advertise 10.1.0.0/16 and in Primary tunnel advertise 10.1.1.0/24

Azure will prefer the more specific path, see : How Azure selects a route

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.
Nikoloz Jibgashvili 20 Reputation points

2024-12-18T10:34:36.2666667+00:00

@KapilAnanth-MSFT

Thank you, i would like to elaborate on my first question, Right now i use is VpnGw1 and for Public IP I use Standard Static one with no zone, So after migration both Gateway and Public IP will migrate seamlessly right? without any changes to The IP address and etc.

KapilAnanth-MSFT 48,081 Reputation points Microsoft Employee

2024-12-18T11:38:41.5366667+00:00

@Nikoloz Jibgashvili , Correct.

You must also note that We are updating Standard non-zonal IPs to be zone-redundant by default on a region by region basis.

Refer : Azure Public IP Addresses Availability Zones

So by the time the VPN Gateway is about to be migrated to AZ SKUs, the PIP should have already become zone-redundant by default.

More information on : Azure Public IPs are now zone-redundant by default

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Nikoloz Jibgashvili 20 Reputation points

2024-12-18T12:09:25.94+00:00

@KapilAnanth-MSFT

Thank you for your answer, I have one more question Regarding BGP Peership

I am currently using an Active-Passive setup with BGP, and I noticed that Azure generates a single BGP IP for peering. On my on-premises router, I have two Internet Service Providers (ISPs) and plan to build two tunnels using different public IPs as sources.

However, I am uncertain about how to manage BGP peering through both tunnels, given that Azure provides only one BGP IP by default. It doesn’t seem feasible to route the single BGP IP through both tunnels effectively. Additionally, static load balancing may not be a suitable solution due to potential issues.

Could you please advise on the best approach to ensure BGP peering remains up and operational across both tunnels in this scenario?

Is there perhaps way to configure Azure to generate a second BGP IP for redundancy, or are there alternative methods to handle this?

KapilAnanth-MSFT 48,081 Reputation points Microsoft Employee

2024-12-18T12:50:54.2133333+00:00

@Nikoloz Jibgashvili , Glad we could be of service.

Wrt "I am currently using an Active-Passive setup with BGP, and I noticed that Azure generates a single BGP IP for peering."

This is expected

Azure has only one active instance and thus we get only one BGP IP.

I am not sure on the configuration part of the 3rd party VPN device.

However, this should be doable.

Say you have two OnPrem BGP IPs 1.1.1.1 and 2.2.2.2, each with their own Public IP

You have to create 2 LNGs in Azure and use the "IP address" and "BGP peer IP address" to differentiate between the two OnPrem sites.

i.e., LNG1's BGP peer IP address becomes 1.1.1.1 and LNG2's BGP peer IP address becomes 2.2.2.2

Technically, you got two tunnels with different pair of BGP Peer IPs (non overlapping)

Azure BGP IP <----> 1.1.1.1

Azure BGP IP <----> 2.2.2.2

More information on

Configure BGP on On-premises S2S connections

What address does Azure VPN Gateway use for BGP peer IP?

Wrt, "It doesn’t seem feasible to route the single BGP IP through both tunnels effectively. Additionally, static load balancing may not be a suitable solution due to potential issues."

Correct

Load Balancing traffic across the two tunnels is not recommended

Consider using AS PATH prepending or advertising a more specific route via Primary Tunnel

For configurations related to the device side, please reach out to the device vendor to get clarity on how to set up 2 BGP IP Addresses, AS Path prefix and advertising a specific route over one BGP Tunnel.

Cheers,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Nikoloz Jibgashvili 20 Reputation points

2024-12-18T13:19:12.9366667+00:00

@KapilAnanth-MSFT

Yes I can Differentiate from azure side, but the problem is from my On premise side, Because Azure BGP IP is only one, I can't make simultaneous BGP peership from my On-premise, Lets say On my on-premises side, I have two BGP IPs: 1.1.1.1 (for Tunnel 1) and 2.2.2.2 (for Tunnel 2). However, Azure provides only one BGP IP (3.3.3.3), which makes it challenging to configure separate BGP peerings through both tunnels.

To achieve simultaneous BGP peering, I would ideally need a second BGP IP from Azure. For instance:

BGP Peering 1: 1.1.1.1 (on-prem) - 3.3.3.3 (Azure)

BGP Peering 2: 2.2.2.2 (on-prem) - 4.4.4.4 (a second Azure BGP IP)

Alternatively, I noticed that Azure supports APIPA (Automatic Private IP Addressing) for BGP configurations. Could APIPA addresses help address this issue or provide a workaround for establishing dual BGP peerings? If so, how can I implement this configuration in Azure?

KapilAnanth-MSFT 48,081 Reputation points Microsoft Employee

2024-12-18T14:25:28.0866667+00:00

@Nikoloz Jibgashvili ,

If you'd like to have a second BGP IP Address, you have to enable Active-Active.

This will lead to full mesh connectivity of four IPsec tunnels between your Azure virtual network and your on-premises network

Each instance of the VPN Gateway will have it's own Public IP and a BGP IP Address as well.

So, the effective tunnels are as follows (assuming 3.3.3.3 and 4.4.4.4 as Azure BGP IP Addresses)

1.1.1.1 (on-prem1) - 3.3.3.3 (Azure1)

1.1.1.1 (on-prem1) - 4.4.4.4 (Azure2)

2.2.2.2 (on-prem2) - 3.3.3.3 (Azure1)

2.2.2.2 (on-prem2) - 4.4.4.4 (Azure2)

This topology requires two local network gateways and two connections to support the pair of on-premises VPN devices.

In this case, "2" and "3" will never establish as you never defined BGP peering for them.

i.e., The tunnels will always be down.

Wrt APIPA, you can find all the information here

You can try to establish BGP Peering to APIPA IPs provided your OnPrem device supports it

NOTE : When APIPA addresses are used on VPN gateways, the gateways do not initiate BGP peering sessions with APIPA source IP addresses. The on-premises VPN device must initiate BGP peering connections.

P.S :

Having 4 tunnels established and keeping 2 of them in non connected state is not recommended.

I suggest you check with your vendor on how to establish BGP peering from one OnPrem BGP IP to multiple remote(Azure) BGP Peer IP Addresses.

Hope this helps.

Cheers,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Nikoloz Jibgashvili 20 Reputation points

2024-12-18T17:37:19.1866667+00:00

Thanks for your help
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Questions Regarding Azure VPN Gateway Migration, Pricing, and Configuration

0 additional answers

Your answer