Site-to-Site VPN with active-active VPN Gateways with BGP

Azure Public Test Date Azure Public Test Result

Azure US Gov Last Test Date Azure US Gov Last Test Result

Best Practice Check Cred Scan Check

Bicep Version

Deploy To Azure Visualize

This template creates two Site-to-Site VPN tunnels between two Azure Virtual Networks. In each Azure VNet is deployed an Azure VPN Gateway in configuration active-active in availability zones. To establish the IPsec/IKE VPN tunnels, each Azure VPN Gateway resolves the FQDN of the remote peers to determine the public IP of the remote VPN Gateway.

The Azure VPN Gateway advertises through BGP the Azure Virtual network address space to the remote peer. Two different BGP sessions are established between the two Azure VPN Gateway, with transit through different IPsec tunnels.

Network diagram

1

Site-to-Site IPsec tunnels between the Azure VPN gateways

2

At the end of deployment, the two Azure VMs in the two VNets,vm1 and vm2, can communicate through private IPs.

3

Note1

  • the template works as expected only in Azure regions with availability zones.
  • VPN gateway supports two generations: Generation1 and Generation2. The VpnGw1AZ gateway SKU is only available in Generation1.
  • the IPsec / IKE policy is set to default

Note2

Before running the template deployment, set your custom values in the parameters file:

  • sharedKey: pre-shared key used for Site-to-Site VPN tunnels
  • adminUsername: administrator username of the Azure VMs
  • adminPassword: administrator password of the Azure VMs

Tags: Azure VPN, site-to-site, Microsoft.Network/networkSecurityGroups, Microsoft.Network/virtualNetworks, Microsoft.Network/publicIPAddresses, Microsoft.Network/virtualNetworkGateways, Microsoft.Network/localNetworkGateways, Microsoft.Network/connections, Microsoft.Network/networkInterfaces, Microsoft.Compute/virtualMachines