Multi-site VPN (dual connections) into Single VNET gateway where the two on-prem sites already have S2S connectivity via DMVPN

As the title says, I would like to connect multiple sites to Azure that are already connected S2S. I currently have two sites within my organization, Site 1 and Site 2. Those two sites are currently connected to one another and exchange routes using BGP across a DMVPN tunnel. I would like to have a single VNet gateway in my hub subscription that has two connections within it, one connection for Site 1 and one for Site 2. And in the event that Site 1’s S2S tunnel goes down, Site 1 could access the resources in Azure across DMVPN and through Site 2’s tunnel into Azure, and vice versa if Site 2’s S2S tunnel goes down. I have scoured online looking for documentation or a tutorial video and can’t find anything. Any help is greatly appreciated.

Look into active-active VPN tunnels: Design highly available gateway connectivity - Azure VPN Gateway

Where’s your DMVPN hub and what phase DMVPN are you running? Curious if the Security association between the two sites is always up or just as-needed. Regardless, it sounds like you’d just be adding a non-DMVPN capable edge (Azure) to your existing DMVPN which should converge with help from BGP.

If it’s set up in a triangle like I’m picturing, Azure will have two routes already to each site, directly over S2S and then through the opposite site’s S2S. When an S2S connection from Azure to a site goes down, the less preferable route would become the new preferred route.

Should work fine, only concern would maybe be how important a fast BGP convergence would be. You could also run a CSR1000v in Azure which would support DMVPN as well.
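The triangle failover described in the comment above can be modelled as path-vector route selection. This is an added example, not code from any poster in the thread. It assumes eBGP with a distinct ASN per node, shortest-AS-path selection, and that each site re-advertises the routes it learns; 65515 is the Azure VPN gateway default ASN, and the site ASNs, prefixes and link names are constructed.

```python
# Added illustration: BGP-style path-vector convergence over the
# Azure / Site 1 / Site 2 triangle. Site ASNs and all prefixes are constructed.
ASN = {"azure": 65515, "site1": 65001, "site2": 65002}
PREFIX = {
    "azure": "10.0.0.0/16",
    "site1": "192.168.1.0/24",
    "site2": "192.168.2.0/24",
}
LINKS = {
    frozenset(("azure", "site1")): "S2S-1",
    frozenset(("azure", "site2")): "S2S-2",
    frozenset(("site1", "site2")): "DMVPN",
}


def converge(down=()):
    """Return {node: {prefix: as_path}} once routing has converged.

    `down` lists the names of failed links. An empty AS path means the
    prefix is locally originated; as_path[0] is the next-hop neighbour ASN.
    """
    up = [tuple(pair) for pair, name in LINKS.items() if name not in down]
    rib = {node: {PREFIX[node]: []} for node in ASN}
    changed = True
    while changed:
        changed = False
        for a, b in up:
            for src, dst in ((a, b), (b, a)):
                for prefix, path in list(rib[src].items()):
                    advertised = [ASN[src]] + path
                    if ASN[dst] in advertised:
                        continue  # loop prevention: own ASN already in path
                    best = rib[dst].get(prefix)
                    if best is None or len(advertised) < len(best):
                        rib[dst][prefix] = advertised
                        changed = True
    return rib


if __name__ == "__main__":
    for failed in ((), ("S2S-1",), ("S2S-1", "S2S-2")):
        rib = converge(down=failed)
        print("down:", failed or "none")
        print("  site1 -> Azure VNet:", rib["site1"].get(PREFIX["azure"]))
        print("  azure -> Site 1 LAN:", rib["azure"].get(PREFIX["site1"]))
```

With `S2S-1` down, both directions of Site 1 traffic resolve through Site 2's ASN, and with both S2S tunnels down Site 1 has no route to the VNet at all.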

Look into active-active VPN tunnels: Design highly available gateway connectivity - Azure VPN Gateway

You might need to peer your VNets

The diagrams on that MS page show the active-active connection being between Azure and a single site. Is it common practice to have an active-active S2S tunnel that spans across two different sites?

Peer up fully and open…if you do and it works you know some restriction there is what’s causing the issue

Yes — you could possibly mesh the two S2S. But you’ll probably need two VPN gateways