Azure Availability Zones offers high availability for data and applications. In an Azure region, there can be one or more data centers. Azure Availability Zone is made out of one or more datacentres in the same Azure region, which have independent power, hardware, networking, and cooling. All Zone redundant service will replicate data and application across Availability Zone for high resilience. Each Azure region contains a minimum of three Azure Availability Zones.
We can deploy VPN gateway in Azure Availability Zones for resiliency and higher availability. There are two types of deployment methods we can choose.
Zone-redundant gateway
Both types of deployment depend on the Azure public IP address SKU. It must be Standard SKU. If you do not define any zone with the public IP deployment, two gateway instances will be deployed into two different zones.
Zonal gateway
If we define the zone (1,2 or 3) during the public IP deployment, two gateway instances will be deployed into the same zone.
In this demo, I am going to demonstrate, how to create Zone-redundant Azure VPN Gateway in Azure Availability Zone.
Demo Environment
In this demo setup, I got two virtual networks in East US and UK South region. I am going to deploy Zone-redundant Azure VPN Gateway in each virtual network and initiate VNet-to-VNet connection. The zones values shown above are just examples. During the actual setup, the system will pick up the zones automatically.
For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0
Create Resource Groups
The first step of the configuration is to create new resource groups in different regions.
To do that,
1) Launch PowerShell console and connect to Azure using Connect-AzAccount
2) Then create EUSRG1 under East US Azure region by using,
New-AzResourceGroup -Name EUSRG1 -Location “East US”
In the above command, -Name parameter specifies the resource group name, and -Location parameter specifies the Azure region.
3) The next step is to create UKSRG1 resource group in UK South Azure region by using,
New-AzResourceGroup -Name UKSRG1 -Location “UK South”
Create virtual networks
1) The next step is to create a new virtual network under EUSRG1 resource group.
$subn1 = New-AzVirtualNetworkSubnetConfig -Name VMNet1 -AddressPrefix 10.0.0.0/24
$gwsubn1 = New-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -AddressPrefix 10.0.255.0/27
New-AzVirtualNetwork -Name EUSVnet1 -ResourceGroupName EUSRG1 -Location “East US” -AddressPrefix 10.0.0.0/16 -Subnet $subn1,$gwsubn1
EUSVnet1 address space is 10.0.0.0/16. It is a class B IP address range. We do not need the entire range for workloads. Therefore, I am going to create two small subnets under it.
• VM Network – 10.0.0.0/24
• Gateway subnet – 10.0.255.0/27
In the above, VM network is going to use for virtual machines and Gateway Subnet is going to use for the VPN gateway setup.
Virtual Network Gateway can only be created in a subnet with name ‘GatewaySubnet‘
2) The next step is to create the new virtual network UKSVnet1 in UK South region. This VNet contains two subnets.
• VM Network – 10.1.0.0/24
• Gateway subnet – 10.1.255.0/27
In the above, VM network is going to use for virtual machines and Gateway Subnet is going to use for the VPN gateway setup.
$subn2 = New-AzVirtualNetworkSubnetConfig -Name VMNet2 -AddressPrefix 10.1.0.0/24
$gwsubn2 = New-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -AddressPrefix 10.1.255.0/27
New-AzVirtualNetwork -Name UKSVnet1 -ResourceGroupName UKSRG1 -Location “UK South” -AddressPrefix 10.1.0.0/16 -Subnet $subn2,$gwsubn2
