Hi Community,

I have a FortiGate firewall with 2 ISPs, 1 Gb and 100 Mb.

I have an Azure environment with 1 VNet and a few virtual machines.

I have created a VPN gateway doing a site-to-site VPN with 1 ISP ("1GB" link).

The local gateway represents an on-prem 1GB link.

What I want now:

Recently I had an outage with the 1Gb line, so I had to go and change the local gateway in Azure to point to the 100MB link, and I also configured the FortiGate to now use the 100MB link; the VPN established fine. After some time my 1 Gb line came back and I reset the original settings using the 1GB line, and everything is then working again.

So I thought, why not create a second site-to-site VPN with Azure using the 100Mb link, so I created a second local gateway in Azure and used the 100MB link IP address and established a connection fine.

Now I have two S2S VPNs, the first with 1 GB, the second with 100MB.

I then created two static routes in FortiGate, each pointing to their VPN tunnel interface. I set the route to the faster 1Gb link to an administrative distance of 10 and the route to the slower link to an administrative distance of 20.

FortiGate started sending all the traffic to the preferred tunnel as expected, but Azure is returning traffic using both tunnels.

However, that defeats the purpose of having a faster link, since the returning traffic from Azure is half using a slower link.

Now, looking everywhere on the internet, I learnt that BGP is a solution; however, BGP will only make sure that if there is a problem at the gateway's underlying VM on Azure, it will be switched to a passive gateway. In other words, regardless of active-active or active-passive gateway, all tunnels to on-prem will be utilised and there is no way for Azure to configure one tunnel to be preferred.

If someone has a solution to make one tunnel more attractive for Azure, please help.

Again, I am not interested in gateway redundancy on the Azure side; I only want to use one tunnel until it fails, and then fail over to 100 Mb.

Posted by nabeelyousuf (https://community.spiceworks.com/u/nabeelyousuf), 2024-11-09, 1 upvote, 3 answers
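The FortiGate side of the setup described above, written out as an added example (not configuration from the original post). The Azure VNet prefix 10.10.0.0/16 and the tunnel interface names azure-1g and azure-100m are assumptions; the distances 10 and 20 are the ones the post describes.

```text
# Added example, not from the post: two static routes to the same Azure
# prefix, one per IPsec tunnel interface. Prefix and interface names are
# assumptions; the administrative distances match the post.
config router static
    edit 1
        set dst 10.10.0.0 255.255.0.0
        set device "azure-1g"
        set distance 10
        set comment "Azure VNet via 1 Gb ISP, preferred"
    next
    edit 2
        set dst 10.10.0.0 255.255.0.0
        set device "azure-100m"
        set distance 20
        set comment "Azure VNet via 100 Mb ISP, used only when route 1 drops"
    next
end

# Verification: while azure-1g is up, only the distance-10 route is
# installed; the database view lists both candidates, the second inactive.
get router info routing-table all
get router info routing-table database
```

This controls only the on-prem-to-Azure direction; as the post observes, the Azure side still returns traffic across both tunnels.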
I am very interested to hear what solution you land on. I've never had to explore this scenario, so I really have no idea what the answer is.

My first thought is to leverage the SD-WAN capability of the FGT. The problem with this answer is that this is on the FGT side, not the Azure side.

AdmiralKirk (https://community.spiceworks.com/u/AdmiralKirk), 2024-11-11, https://community.spiceworks.com/t/azure-vpn-tunnel-failover/1140154/2
Hello,

You can set up the virtual network gateways in Azure as active/standby or active/active. You can even do multi-peering.

popeyesailzzz (https://community.spiceworks.com/u/popeyesailzzz), 2024-11-12, https://community.spiceworks.com/t/azure-vpn-tunnel-failover/1140154/3