From 13e0577bd1796d0ec737ffd5eae3f12876b18a6b Mon Sep 17 00:00:00 2001 From: Federico Guerrini Date: Wed, 27 Mar 2024 00:04:30 +0100 Subject: [PATCH] Updated VPNG1, removed VPNG-3, added VPNG-7 (#377) Co-authored-by: Eric Henry <44706965+ejhenry@users.noreply.github.com> --- .../services/networking/vpn-gateway/_index.md | 74 ++++++++++--------- .../vpn-gateway/code/vpng-3/vpng-3.kql | 1 - .../vpn-gateway/code/vpng-7/vpng-7.kql | 14 ++++ 3 files changed, 52 insertions(+), 37 deletions(-) delete mode 100644 docs/content/services/networking/vpn-gateway/code/vpng-3/vpng-3.kql create mode 100644 docs/content/services/networking/vpn-gateway/code/vpng-7/vpng-7.kql diff --git a/docs/content/services/networking/vpn-gateway/_index.md b/docs/content/services/networking/vpn-gateway/_index.md index ad9128162..7ad016ccc 100644 --- a/docs/content/services/networking/vpn-gateway/_index.md +++ b/docs/content/services/networking/vpn-gateway/_index.md 
@@ -14,14 +14,15 @@ The presented resiliency recommendations in this guidance include VPN Gateway an The below table shows the list of resiliency recommendations for VPN Gateway and associated resources. {{< table style="table-striped" >}} -| Recommendation | Category | Impact | State | ARG Query Available | +| Recommendation | Category | Impact | State | ARG Query Available | |:--------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------:|:------:|:-------:|:-------------------:| -| [VPNG-1 - Choose a Zone-redundant gateway](#vpng-1---choose-a-zone-redundant-gateway) | Availability | High | Verified | Yes | -| [VPNG-2 - Plan for Active-Active mode](#vpng-2---plan-for-active-active-mode) | Availability | High | Verified | Yes | -| [VPNG-3 - Plan for Site-to-Site VPN and Azure ExpressRoute coexisting connection](#vpng-3---plan-for-site-to-site-vpn-and-azure-expressroute-coexisting-connection) | Disaster Recovery | High | Verified | No | -| [VPNG-4 - Plan for geo-redundant VPN Connections](#vpng-4---plan-for-geo-redundant-vpn-connections) | Disaster Recovery | High | Verified | No | -| [VPNG-5 - Monitor connections and gateway health](#vpng-5---monitor-connections-and-gateway-health) | Monitoring | Medium | Verified | No | -| [VPNG-6 - Enable service health alerts](#vpng-6---enable-service-health-alerts) | Monitoring | Medium | Verified | No | +| [VPNG-1 - Choose a Zone-redundant gateway](#vpng-1---choose-a-zone-redundant-gateway) | Availability | High | Preview | Yes | +| [VPNG-2 - Plan for Active-Active mode](#vpng-2---plan-for-active-active-mode) | Availability | High | Preview | Yes | +| [VPNG-4 - Deploy active-active VPN concentrators on your premises for maximum resiliency](#vpng-4---deploy-active-active-vpn-concentrators-on-your-premises-for-maximum-resiliency) | Availability | High | Preview | No | | Availability | Medium | Preview | No | 
+| [VPNG-5 - Monitor connections and gateway health](#vpng-5---monitor-connections-and-gateway-health) | Monitoring | Medium | Preview | No | +| [VPNG-6 - Enable service health](#vpng-6---enable-service-health) | Monitoring | Medium | Preview | No | +| [VPNG-7 - Deploy zone-redundant VPN Gateways with zone-redundant Public IP(s)](#vpng-7---deploy-zone-redundant-vpn-gateways-with-zone-redundant-public-ips) | Availability | Medium | Preview | Yes | | Availability | High | Preview | Yes | + {{< /table >}} {{< alert style="info" >}} 
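Review bot: the Impact column of the new VPNG-7 table row says Medium, but the VPNG-7 section added later in this same patch declares **Impact: High**; make the table match the section. The new VPNG-4 and VPNG-7 rows also appear to carry a second, duplicated set of cells after their closing `|` (`| Availability | Medium | Preview | No |` after the VPNG-4 link and `| Availability | High | Preview | Yes |` after the VPNG-7 link); if those fragments are in the file rather than an artifact of how the patch was pasted, they will render as extra columns and should be dropped. Every remaining row also changes State from Verified to Preview, which is presumably intentional for the renumbered set but is not mentioned in the commit message.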
@@ -40,13 +41,13 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition **Guidance** -Azure VPN gateway provides different SLAs when it's deployed in a single availability zone and when it's deployed in two or more availability zones. For information about all Azure SLAs, see [SLA summary for Azure services](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1). -To automatically deploy your virtual network gateways across availability zones, use zone-redundant virtual network gateways. The zone-redundant gateways benefits from zone-resiliency to access mission-critical, scalable services on Azure. +Azure VPN gateway provides different SLAs when it's deployed in a single availability zone and when it's deployed in two availability zones. To automatically deploy your virtual network gateways across availability zones, you can use zone-redundant virtual network gateways. With zone-redundant gateways, you can benefit from zone-resiliency to access your mission-critical, scalable services on Azure. **Resources** - [Zone redundant Virtual network gateway in availability zone](https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways) - [Gateway SKU](https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways#gwskus) +- [SLA summary for Azure services](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1). **Resource Graph Query** 
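Review bot: the first sentence of the rewritten VPNG-1 guidance narrows "two or more availability zones" to "two availability zones"; unless the SLA wording actually changed, keep "two or more", since a zone-redundant gateway is not limited to exactly two zones. In the Resources list, the moved SLA entry ends with a period outside the link (`...?lang=1).`), which renders as a stray `.` and is inconsistent with the other list items; drop it.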
@@ -66,12 +67,13 @@ To automatically deploy your virtual network gateways across availability zones, **Guidance** -The active-active mode is available for all SKUs except Basic. You can create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs establish S2S VPN tunnels to your on-premises VPN device. When a planned maintenance or unplanned event happens to one gateway instance, the switch over will happen automatically from the affected instance to the active instance. +The active-active mode is available for all SKUs except Basic. +Active-active gateways have two Gateway IP configurations and two public IP addresses. **Resources** -- [About Active-Active VPN gateway](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#active-active-vpn-gateways) -- [Configure Active-active VPN gateway](https://learn.microsoft.com/azure/vpn-gateway/active-active-portal#gateway) +- [Active-active VPN gateway](https://learn.microsoft.com/azure/vpn-gateway/active-active-portal#gateway) +- [Gateway SKU](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku) **Resource Graph Query** @@ -83,57 +85,56 @@ The active-active mode is available for all SKUs except Basic. You can create an

-### VPNG-3 - Plan for Site-to-Site VPN and Azure ExpressRoute coexisting connection +### VPNG-4 - Deploy active-active VPN concentrators on your premises for maximum resiliency -**Category: Disaster Recovery** +**Category: Availability** **Impact: High** **Guidance** -Having the ability to configure Site-to-Site VPN and ExpressRoute has several advantages. You can configure Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that aren't connected through ExpressRoute +By deploying active-active VPN concentrators on your premises, along with active-active Azure VPN Gateways, you can maximize resilience and availability by using a fully-meshed topology based on four IPSec tunnels. **Resources** -- [Configure a Site-to-Site VPN as a failover path for ExpressRoute](https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#configuration-designs) -- [Limit and limitations](https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations) +- [Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#dual-redundancy-active-active-vpn-gateways-for-both-azure-and-on-premises-networks) + **Resource Graph Query** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/vpng-3/vpng-3.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/vpng-4/vpng-4.kql" >}} {{< /code >}} {{< /collapse >}}

-### VPNG-4 - Plan for geo-redundant VPN connections +### VPNG-5 - Monitor connections and gateway health -**Category: Disaster Recovery** +**Category: Monitoring** -**Impact: High** +**Impact: Medium** **Guidance** -If your gateway is not zone redundant, to plan for disaster recovery, set up Site-to-Site VPN in more than one location. You can create IP Sec connectivity in the same metro or different metro and choose to work with different service providers for diverse paths +Set up monitoring and alerts for Virtual Network Gateway health based on various metrics available. **Resources** -- [Highly available cross-premises](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable) -- [About VPN gateway redundancy](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#about-vpn-gateway-redundancy) +- [VPN gateway data reference](https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference) **Resource Graph Query** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/vpng-4/vpng-4.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/vpng-5/vpng-5.kql" >}} {{< /code >}} {{< /collapse >}}

-### VPNG-5 - Monitor connections and gateway health +### VPNG-6 - Enable service health **Category: Monitoring** @@ -141,43 +142,44 @@ If your gateway is not zone redundant, to plan for disaster recovery, set up Sit **Guidance** -Set up monitoring and alerts for Virtual Network Gateway health based on various metrics available. +VPN Gateway uses service health to notify about planned and unplanned maintenance. Configuring service health will notify you about changes made to your VPN connectivity. **Resources** -- [VPN gateway data reference](https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference) +- [Getting started with Azure Metrics Explorer](hhttps://learn.microsoft.com/azure/azure-monitor/essentials/metrics-getting-started) +- [Monitor VPN gateway](hhttps://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference#metrics) **Resource Graph Query** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/vpng-5/vpng-5.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/vpng-6/vpng-6.kql" >}} {{< /code >}} {{< /collapse >}}

-### VPNG-6 - Enable Service Health alerts +### VPNG-7 - Deploy zone-redundant VPN Gateways with zone-redundant Public IP(s) -**Category: Monitoring** +**Category: Availability** -**Impact: Medium** +**Impact: High** **Guidance** -VPN Gateway uses service health alerts to notify about planned and unplanned maintenance. +When using zone-redundant SKUs for VPN Gateways (VpnGw*AZ), make sure that you associate your gateway with zone-redundant Standard SKU public IP addresses. If a VPN gateway is associated with zonal Standard SKU public IP addresses, all the gateway instances are deployed in the same zone as the IP address(es). This recommendation applies to both active-passive gateways (which use a single public IP address) and active-active VPN gateways (which use two public IP addresses). **Resources** -- [Getting started with Azure Metrics Explorer](hhttps://learn.microsoft.com/azure/azure-monitor/essentials/metrics-getting-started) -- [Monitor VPN gateway](hhttps://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference#metrics) +- [About zone-redundant virtual network gateway in Azure availability zones](https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways) **Resource Graph Query** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/vpng-6/vpng-6.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/vpng-7/vpng-7.kql" >}} {{< /code >}} {{< /collapse >}}

+ diff --git a/docs/content/services/networking/vpn-gateway/code/vpng-3/vpng-3.kql b/docs/content/services/networking/vpn-gateway/code/vpng-3/vpng-3.kql deleted file mode 100644 index 614a7f9ca..000000000 --- a/docs/content/services/networking/vpn-gateway/code/vpng-3/vpng-3.kql +++ /dev/null @@ -1 +0,0 @@ -// under-development diff --git a/docs/content/services/networking/vpn-gateway/code/vpng-7/vpng-7.kql b/docs/content/services/networking/vpn-gateway/code/vpng-7/vpng-7.kql new file mode 100644 index 000000000..29a644362 --- /dev/null +++ b/docs/content/services/networking/vpn-gateway/code/vpng-7/vpng-7.kql @@ -0,0 +1,14 @@ +// Azure Resource Graph Query +// Provides a list of zone-redundant Azure VPN gateways associated with non-zone-redundant Public IPs +resources +| where type =~ "Microsoft.Network/virtualNetworkGateways" +| where properties.gatewayType == "Vpn" +| where properties.sku.tier contains 'AZ' +| mv-expand ipconfig = properties.ipConfigurations +| extend pipId = tostring(ipconfig.properties.publicIPAddress.id) +| join kind=inner ( + resources + | where type == "microsoft.network/publicipaddresses" + | where isnull(zones) or array_length(zones) < 3 ) + on $left.pipId == $right.id +| project recommendationId = "vpng-7", name, id, tags, param1 = strcat("PublicIpAddressName: ", name1), param2 = strcat ("PublicIpAddressId: ",id1), param3 = strcat ("PublicIpAddressTags: ",tags1)
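Review bot: the replacement VPNG-2 guidance drops the one sentence that justified the recommendation (both gateway instances establish S2S tunnels to the on-premises device and the switch-over on planned or unplanned maintenance is automatic), leaving only the SKU restriction and the fact that active-active gateways have two Gateway IP configurations and two public IP addresses. Keep a short statement of the resiliency benefit so the reader knows why the two IP configurations matter. The new "Gateway SKU" link text also duplicates the resource name used under VPNG-1 while pointing at a different page (vpn-gateway-about-vpn-gateway-settings#gwsku); a more specific label would avoid the confusion.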
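Review bot: the two VPNG-6 resource links that this hunk moves still carry the `hhttps://` typo (`+- [Getting started with Azure Metrics Explorer](hhttps://...)` and `+- [Monitor VPN gateway](hhttps://...)`), so they are broken links in the new file; fix the scheme while the lines are being touched. Those two links are also about metrics, not Service Health, while the VPNG-6 guidance now describes service health notifications and the VPNG-5 metrics recommendation is left with only the data-reference link; the two resource lists look swapped. The VPNG-7 section states **Impact: High** although the table row earlier in the patch says Medium. Finally, the VPNG-4, VPNG-5 and VPNG-6 sections each include a `code/vpng-N/vpng-N.kql` file although the table marks their ARG query as not available, so either the column or the includes are stale.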
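Review bot: in vpng-7.kql the join `on $left.pipId == $right.id` compares the public IP reference taken from `ipConfigurations` with the public IP resource's own `id` case-sensitively; in Azure Resource Graph those two forms commonly differ in case (the resource-group segment in particular), so affected gateways can silently drop out of the result. Normalize both sides with `tolower()` before joining. Two smaller points: the inner query filters with `type == "microsoft.network/publicipaddresses"` while the outer uses `=~`, and the file mixes single and double quotes (`contains 'AZ'`), so pick one style. Also, an active-active gateway with two non-zone-redundant IPs produces two rows for the same gateway; that is fine if the consumer expects one finding per IP, otherwise summarize by gateway id.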