Enhancing Resiliency and Availability with Zone-Redundant Virtual Network Gateways in Azure Availability Zones

Blog ENG - MS Azure - Post 8 2024

In today’s digital landscape, ensuring the resiliency, scalability, and availability of network infrastructure is paramount. Azure’s zone-redundant virtual network gateways offer a robust solution to achieve these goals. By deploying gateways across Azure availability zones, organizations can protect their on-premises network connectivity to Azure from zone-level failures, ensuring continuous and reliable service.

Understanding Zone-Redundant Gateways
Zone-redundant virtual network gateways are designed to automatically deploy across multiple availability zones within a region. This deployment strategy provides zone-resiliency, allowing access to mission-critical, scalable services on Azure even in the event of a zone failure. By physically and logically separating gateways within a region, zone-redundant gateways enhance the overall reliability and availability of the network infrastructure.

Exploring Zonal Gateways
For scenarios where specific zone deployment is required, zonal gateways come into play. When deploying a zonal gateway, all instances of the gateway are confined to the same availability zone. This approach is beneficial for applications that are highly latency-sensitive and require all Azure resources to be in the same zone.

Gateway SKUs: Tailored for Availability Zones
Azure offers specialized gateway SKUs for both zone-redundant and zonal deployments. These SKUs, identifiable by the “AZ” in their names, are similar to existing SKUs for ExpressRoute and VPN Gateway but are specifically designed for availability zone configurations. This ensures that organizations can choose the appropriate SKU based on their deployment needs.

Public IP SKUs: The Backbone of Gateway Redundancy
The configuration of the Azure public IP resource plays a crucial role in the redundancy of virtual network gateways. Zone-redundant, zonal, and non-zonal gateways rely on the Standard SKU of Azure public IP. If a public IP resource is created with a Basic SKU, the gateway will lack zone redundancy, making it regional.

Zone-Redundant Gateways: When using the Standard public IP SKU with the zone-redundant option, VPN gateways deploy two instances across any two of the three zones, while ExpressRoute gateways can span all three zones.
Zonal Gateways: Specifying a zone (1, 2, or 3) with the Standard public IP SKU ensures all gateway instances are deployed within the same zone.
Non-Zonal or Regional Gateways: These gateways are created using the Standard public IP SKU with the “No Zone” option or the Basic public IP SKU, lacking zone redundancy.

Deployment and Migration Considerations
Deploying gateways with zone-redundancy means that all instances will be spread across different fault and update domains within Azure availability zones. This configuration enhances the reliability and availability of the gateways, making them resilient to zone failures.

Azure Portal: The Azure portal supports the deployment of these SKUs, visible only in regions with availability zones.
Regions: These SKUs are available in Azure regions that support availability zones. For a detailed list, refer to Azure’s documentation on regions with availability zones.
Migration: Currently, migrating existing VPN gateways to zone-redundant or zonal gateways is not supported. However, you can delete and re-create the gateway with the desired configuration. For ExpressRoute gateways, migration to zone-redundant or zonal configurations is in public preview.

Coexistence of VPN and ExpressRoute Gateways
Azure supports the coexistence of both VPN and ExpressRoute gateways within the same virtual network. To facilitate this, it is recommended to reserve a /27 IP address range for the gateway subnet.

Choosing the Right Configuration
For the highest availability of virtual network gateway infrastructure, zone-redundant configurations are recommended. This setup ensures that gateway instances are distributed across multiple availability zones, eliminating a single point of failure. Zonal deployments should be considered for applications that require low latency and need all resources within the same zone.

By leveraging zone-redundant and zonal virtual network gateways, organizations can significantly enhance the resiliency, scalability, and availability of their network infrastructure on Azure, ensuring robust and reliable connectivity for their mission-critical applications.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.