Dual ISP IPsec/BGP tunnels to Azure

L1 Bithead

Has anyone created ISP failover for tunnels to an Azure gateway?

We have PA440 devices with two ISPs configured. Local networks are switched with path monitoring if ISP1 goes down.

We want the same for the IPsec tunnel to Azure.

From the Azure documentation it seems that BGP failover can be used with different AS, with the lower path having higher priority.

Is creating two virtual routers on PA the only way?

Cyber Elite

You don't need to have multiple virtual routers.

Every peer under Peer Groups can have different Peer AS.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite

Hello,

Yes, I have set up Policy Based Forwarding so that I force the traffic down the path I think is primary, and if it goes down, it goes to the virtual router route of the other path.

Hope that makes sense.

L1 Bithead

Thank you both for the replies! I will try to go for the AS solution to have BGP choose the routing, as we need the routing to work both ways and Azure seems to work that way, with the lowest AS being the default route. Will report here when I try it out.
