VPN Gateway Active-Active

Handian Sudianto 5,776 Reputation points
2025-03-01T15:01:07.15+00:00

I have some queries about the VPN gateway and need help here.

  • I have a VPN Gateway with active-active mode disabled. With this mode my on-prem can talk with the VNet, and BGP is connected. When I try to set active-active mode to enabled, why does the existing BGP change from connected to connecting, so that my on-prem can't reach the VNet?
  • I also have another VPN gateway with no BGP enabled on the VPN Gateway, Connection and Local Network Gateway. Currently I have 6 connections and all are connected. Now I want to enable BGP for 2 connections, which means I must enable BGP on the VPN Gateway side. When I enable BGP on the VPN gateway and enable BGP for 2 connections and 2 local network gateways, will the existing 4 connections not be impacted (all existing 4 connections still connected)?

Accepted answer
  1. Marcin Policht 38,000 Reputation points MVP
    2025-03-01T15:32:26.2333333+00:00

    When you enable Active-Active mode on an Azure VPN Gateway, the gateway transitions from a single public IP with one active instance to two active instances, each with its own public IP. This change disrupts the existing BGP session because your on-premises router needs to recognize the new setup and establish BGP peering with both instances. The existing BGP connection moves from "Connected" to "Connecting" because your on-premises router may still be trying to establish a session with the old single-instance setup. To fix this, ensure your on-premises router is configured to support two BGP peers (one for each gateway instance) and update your VPN device to establish connections with both IPs of the active-active setup.

    For your second scenario, enabling BGP on the VPN Gateway and selectively enabling it for two out of six connections should not impact the existing four non-BGP connections. Azure allows BGP and non-BGP connections to coexist on the same VPN Gateway. However, once BGP is enabled, the two BGP-enabled connections will begin exchanging dynamic routes, while the remaining four connections will continue using static routes. Ensure that your routing policies do not unintentionally override static routes with BGP-learned routes, which could affect traffic flow.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
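
Added example, not part of the answer above and not Microsoft's code: a small check that compares the gateway's per-instance tunnel and BGP addresses with what the on-premises router is configured to peer with, and reports the instance left without a peer after active-active is enabled. The data is constructed; the gateway dictionary is modelled on the `bgpSettings` section of `az network vnet-gateway show`, and its field names, like the `ONPREM` structure, are assumptions.

```python
import ipaddress

# Constructed sample modelled on the gateway's bgpSettings as printed by
# `az network vnet-gateway show` (field names are an assumption, check your output).
GATEWAY = {
    "activeActive": True,
    "bgpSettings": {"bgpPeeringAddresses": [
        {"defaultBgpIpAddresses": ["10.1.255.4"], "tunnelIpAddresses": ["203.0.113.10"]},
        {"defaultBgpIpAddresses": ["10.1.255.5"], "tunnelIpAddresses": ["203.0.113.11"]},
    ]},
}

# Constructed on-prem view (hypothetical structure): the IPsec tunnel endpoints
# and BGP neighbors currently configured on the router.
ONPREM = {"tunnel_peers": ["203.0.113.10"], "bgp_neighbors": ["10.1.255.4"]}


def _norm(addrs):
    """Parse addresses so differently formatted strings compare equal."""
    return {ipaddress.ip_address(a) for a in addrs}


def missing_peers(gateway, onprem):
    """Return, per gateway instance, the gateway IPs the router has no peer for."""
    instances = gateway["bgpSettings"]["bgpPeeringAddresses"]
    expected = 2 if gateway.get("activeActive") else 1
    if len(instances) != expected:
        raise ValueError(f"expected {expected} gateway instance(s), found {len(instances)}")
    tunnels = _norm(onprem["tunnel_peers"])
    neighbors = _norm(onprem["bgp_neighbors"])
    gaps = []
    for idx, inst in enumerate(instances):
        no_tunnel = sorted(str(a) for a in _norm(inst["tunnelIpAddresses"]) - tunnels)
        no_bgp = sorted(str(a) for a in _norm(inst["defaultBgpIpAddresses"]) - neighbors)
        if no_tunnel or no_bgp:
            gaps.append({"instance": idx, "missing_tunnel": no_tunnel, "missing_bgp": no_bgp})
    return gaps


if __name__ == "__main__":
    for gap in missing_peers(GATEWAY, ONPREM):
        print(f"instance {gap['instance']}: no tunnel to {gap['missing_tunnel']}, "
              f"no BGP neighbor for {gap['missing_bgp']}")
```

Only the default BGP addresses are compared; a gateway that uses custom (APIPA) BGP addresses would need those added to the comparison.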

