Redundant VPN to Microsoft Azure
Redundant site-to-site VPN between VyOS and Microsoft Azure: two active-active IPsec tunnels with BGP on top for high availability.
Scenario
- High availability: dual-tunnel setup, one tunnel to each instance of an active-active Azure VPN Gateway
- Active-active: both tunnels carry traffic at the same time (BGP ECMP)
- BGP: automatic failover when one tunnel fails; the BGP session on the dead tunnel drops and traffic continues over the other
Topology
VyOS ═══ Tunnel 1 ═══► Azure GW Instance 0
     ═══ Tunnel 2 ═══► Azure GW Instance 1
BGP ECMP across the two tunnels

VyOS Configuration
# VyOS 1.3 syntax. Assumed, not on the original page: the WAN address 203.0.113.10 and the IKE/ESP
# groups AZURE-IKE/AZURE-ESP (IKEv2; define them to match the gateway's IPsec/IKE policy).
# PSK1/PSK2 are placeholders: use long random secrets, a different one per tunnel.
# VTI 1 (to Azure gateway instance 0)
set interfaces vti vti1 address '10.10.255.1/30'
set vpn ipsec site-to-site peer 52.100.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.100.1.1 authentication pre-shared-secret 'PSK1'
set vpn ipsec site-to-site peer 52.100.1.1 ike-group 'AZURE-IKE'
set vpn ipsec site-to-site peer 52.100.1.1 local-address '203.0.113.10'
set vpn ipsec site-to-site peer 52.100.1.1 vti bind 'vti1'
set vpn ipsec site-to-site peer 52.100.1.1 vti esp-group 'AZURE-ESP'
# VTI 2 (to Azure gateway instance 1)
set interfaces vti vti2 address '10.10.255.5/30'
set vpn ipsec site-to-site peer 52.100.1.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.100.1.2 authentication pre-shared-secret 'PSK2'
set vpn ipsec site-to-site peer 52.100.1.2 ike-group 'AZURE-IKE'
set vpn ipsec site-to-site peer 52.100.1.2 local-address '203.0.113.10'
set vpn ipsec site-to-site peer 52.100.1.2 vti bind 'vti2'
set vpn ipsec site-to-site peer 52.100.1.2 vti esp-group 'AZURE-ESP'
# BGP: eBGP to both gateway instances, ECMP across both tunnels
# (VyOS 1.4: "set protocols bgp system-as 65001", neighbors without the ASN, and "address-family ipv4-unicast maximum-paths ebgp 2")
set protocols bgp 65001 neighbor 10.10.255.2 remote-as '65515'
set protocols bgp 65001 neighbor 10.10.255.6 remote-as '65515'
set protocols bgp 65001 maximum-paths ebgp '2'

Azure Configuration
In the Azure Portal:
- Create a VPN Gateway in Active-Active mode (route-based; two public IPs, one per gateway instance)
- Two Local Network Gateways, both with the VyOS public IP, each with its own BGP peering address (10.10.255.1 and 10.10.255.5 above)
- Two connections, each with its own PSK
- Enable BGP on the gateway (Azure-side ASN 65515 by default; the VyOS ASN must not be 65515 or another Azure-reserved ASN)
- Check the gateway's BGP peer IP addresses: Azure peers from its own address per instance (by default one inside the GatewaySubnet, or a custom APIPA address from 169.254.21.0/24 and 169.254.22.0/24), not from the far end of the VTI /30. The VyOS `neighbor` addresses must be those values, and if they are not on the VTI subnet, VyOS also needs a static route to each peer IP over its VTI and `ebgp-multihop` on the neighbor
- Keep the PSKs out of tickets and chat; they are the only authentication of the tunnels, so generate them randomly and rotate them per connection
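The portal steps above as a script, added here as an example and not code from the original page. It uses Az PowerShell cmdlets and follows the page's layout (one active-active gateway, two Local Network Gateways, two connections, BGP on). The resource group `rg-vpn`, region `westeurope`, VNet `vnet-hub`, the VyOS public IP 203.0.113.10, and the resource names are assumptions; the BGP addresses and ASNs are the ones used in the VyOS configuration above.

```powershell
# Added example (not from the original page). Assumed values: resource group rg-vpn, region westeurope,
# an existing VNet vnet-hub with a GatewaySubnet, VyOS public IP 203.0.113.10,
# VyOS BGP addresses 10.10.255.1 and 10.10.255.5 (the VTI addresses), ASNs 65001 (VyOS) / 65515 (Azure).
$rg  = 'rg-vpn'
$loc = 'westeurope'

$vnet     = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Active-active needs one public IP and one IP configuration per gateway instance.
$ipconfs = foreach ($i in 0, 1) {
    $pip = New-AzPublicIpAddress -Name "pip-vpngw-$i" -ResourceGroupName $rg -Location $loc `
        -AllocationMethod Static -Sku Standard
    New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf$i" -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
}

# Route-based gateway in active-active mode with BGP enabled (Azure-side ASN 65515).
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $loc `
    -IpConfigurations $ipconfs -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -EnableActiveActiveFeature -EnableBgp $true -Asn 65515

# One Local Network Gateway per tunnel: same VyOS public IP, a different BGP peering address each.
$vyosBgpIps = @('10.10.255.1', '10.10.255.5')
$lngs = foreach ($i in 0, 1) {
    New-AzLocalNetworkGateway -Name "lng-vyos-$i" -ResourceGroupName $rg -Location $loc `
        -GatewayIpAddress '203.0.113.10' -Asn 65001 -BgpPeeringAddress $vyosBgpIps[$i]
}

# A fresh random PSK per connection: 32 bytes from the OS CSPRNG, hex-encoded (64 printable ASCII chars).
function New-Psk {
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $_.ToString('x2') })
}

# Two IPsec connections with BGP, each with its own PSK; the PSK is shown once so it can be set on VyOS.
foreach ($i in 0, 1) {
    $psk = New-Psk
    New-AzVirtualNetworkGatewayConnection -Name "cn-vyos-$i" -ResourceGroupName $rg -Location $loc `
        -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lngs[$i] -ConnectionType IPsec `
        -SharedKey $psk -EnableBgp $true | Out-Null
    Write-Host "cn-vyos-$i PSK: $psk"
}

# Azure's own BGP peer addresses (one per instance): these are the neighbor addresses VyOS must use.
(Get-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg).BgpSettings

# After the VyOS side is configured, both peers should report State = Connected with routes received.
Get-AzVirtualNetworkGatewayBGPPeerStatus -ResourceGroupName $rg -VirtualNetworkGatewayName 'vpngw-hub' |
    Format-Table Neighbor, Asn, State, RoutesReceived
```

The gateway deployment itself takes a while to complete, so run the peer-status check only after the VyOS tunnels are up. If the `BgpSettings` output shows Azure peering from GatewaySubnet addresses rather than the VTI far ends, adjust the VyOS `neighbor` lines (and add the static routes and `ebgp-multihop`) as noted in the list above.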