Merge pull request #284563 from cherylmc/s2s-active

prmerger-automator[bot] · web-flow · commit 3605cbf57c67 · 2024-08-13T19:40:08.000Z
VPN Gateway active-active + SKU
diff --git a/articles/vpn-gateway/tutorial-site-to-site-portal.md b/articles/vpn-gateway/tutorial-site-to-site-portal.md
@@ -6,7 +6,7 @@ author: cherylmc
 ms.author: cherylmc
 ms.service: azure-vpn-gateway
 ms.topic: tutorial
-ms.date: 04/16/2024
+ms.date: 08/13/2024
 
 #customer intent: As a network engineer, I want to create a site-to-site VPN connection between my on-premises location and my Azure virtual network.
 ---
@@ -30,9 +30,12 @@ In this tutorial, you:
 ## Prerequisites
 
 * You need an Azure account with an active subscription. If you don't have one, you can [create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).
-* Make sure you have a compatible VPN device and someone who can configure it. For more information about compatible VPN devices and device configuration, see [About VPN devices](vpn-gateway-about-vpn-devices.md).
-* Verify that you have an externally facing public IPv4 address for your VPN device.
-* If you're unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.
+
+* If you're unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure routes to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.
+* VPN devices:
+  * Make sure you have a compatible VPN device and someone who can configure it. For more information about compatible VPN devices and device configuration, see [About VPN devices](vpn-gateway-about-vpn-devices.md).
+  * Verify that you have an externally facing public IPv4 address for your VPN device.
+  * Verify that your VPN device supports active-active mode gateways. This article creates an active-active mode VPN gateway, which is recommended for highly available connectivity. Active-active mode specifies that both gateway VM instances are active and uses two public IP addresses, one for each gateway VM instance. You configure your VPN device to connect to the IP address for each gateway VM instance. If your VPN device doesn't support this mode, don't enable this mode for your gateway. For more information, see [Design highly available connectivity for cross-premises and VNet-to-VNet connections](vpn-gateway-highlyavailable.md) and [About active-active mode VPN gateways](about-active-active-gateways.md).
 
 ## <a name="CreatVNet"></a>Create a virtual network
 
@@ -43,8 +46,7 @@ In this section, you create a virtual network by using the following values:
 * **Region**: (US) East US
 * **IPv4 address space**: 10.1.0.0/16
 * **Subnet name**: FrontEnd
-* **Subnet address space**: 10.1.0.0/24
-
+* **Subnet address space**: 
 [!INCLUDE [About cross-premises addresses](../../includes/vpn-gateway-cross-premises.md)]
 
 [!INCLUDE [Create a virtual network](../../includes/vpn-gateway-basic-vnet-rm-portal-include.md)]
@@ -61,42 +63,45 @@ After you create your virtual network, you can optionally configure Azure DDoS P
 
 ## <a name="VNetGateway"></a>Create a VPN gateway
 
-In this step, you create the virtual network gateway for your virtual network. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.
+In this step, you create a virtual network gateway (VPN gateway) for your virtual network. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.
 
-### Create the gateway
+### Create a VPN gateway
 
 Create a virtual network gateway (VPN gateway) by using the following values:
 
 * **Name**: VNet1GW
-* **Region**: East US
 * **Gateway type**: VPN
-* **SKU**: VpnGw2
+* **SKU**: VpnGw2AZ
 * **Generation**: Generation 2
 * **Virtual network**: VNet1
 * **Gateway subnet address range**: 10.1.255.0/27
 * **Public IP address**: Create new
-* **Public IP address name**: VNet1GWpip
-* **Enable active-active mode**: Disabled
+* **Public IP address name:** VNet1GWpip1
+* **Public IP address SKU:** Standard
+* **Assignment:** Static
+* **Second Public IP address name:** VNet1GWpip2
+* **Enable active-active mode**: Enabled
 * **Configure BGP**: Disabled
 
-[!INCLUDE [Create a vpn gateway](../../includes/vpn-gateway-add-gw-portal-include.md)]
+[!INCLUDE [Create a vpn gateway](../../includes/vpn-gateway-add-azgw-portal-include.md)]
 
-[!INCLUDE [Configure PIP settings](../../includes/vpn-gateway-add-gw-pip-portal-include.md)]
+[!INCLUDE [Configure PIP settings](../../includes/vpn-gateway-add-azgw-pip-portal-include.md)]
 
-A gateway can take 45 minutes or more to fully create and deploy. You can see the deployment status on the **Overview** page for your gateway. After the gateway is created, you can view the IP address assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.
+A gateway can take 45 minutes or more to fully create and deploy. You can see the deployment status on the **Overview** page for your gateway.
 
 [!INCLUDE [NSG warning](../../includes/vpn-gateway-no-nsg-include.md)]
 
-### <a name="view"></a>View the public IP address
+### <a name="view"></a>View public IP address
 
-To view public IP addresses associated to your virtual network gateway, navigate to your gateway in the portal.
+To view the IP address associated with each virtual network gateway VM instance, go to your virtual network gateway in the portal.
 
-1. On the portal page for your virtual network gateway, under **Settings**, open the **Properties** page.
+1. Go to your virtual network gateway **Properties** page (not the Overview page). You might need to expand **Settings** to see the **Properties** page in the list.
+1. If your gateway in active-passive mode, you'll only see one IP address. If your gateway is in active-active mode, you'll see two public IP addresses listed, one for each gateway VM instance. When you create a site-to-site connection, you must specify each IP address when configuring your VPN device because both gateway VMs are active.
 1. To view more information about the IP address object, click the associated IP address link.
 
 ## <a name="LocalNetworkGateway"></a>Create a local network gateway
 
-The local network gateway is a specific object deployed to Azure that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, and then specify the IP address of the on-premises VPN device to which you create a connection. You also specify the IP address prefixes that are routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.
+The local network gateway is a specific object deployed to Azure that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, and then specify the IP address of the on-premises VPN device to which you create a connection. You also specify the IP address prefixes that are routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later. You create a separate local network gateway for each VPN device that you want to connect to. Some highly available connectivity designs specify multiple on-premises VPN devices.
 
 Create a local network gateway by using the following values:
 
@@ -110,14 +115,17 @@ Create a local network gateway by using the following values:
 
 Site-to-site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When you configure your VPN device, you need the following values:
 
-* **Shared key**: This shared key is the same one that you specify when you create your site-to-site VPN connection. In our examples, we use a very simple shared key. We recommend that you generate a more complex key to use.
-* **Public IP address of your virtual network gateway**: You can view the public IP address by using the Azure portal, PowerShell, or the Azure CLI. To find the public IP address of your VPN gateway by using the Azure portal, go to **Virtual network gateways** and then select the name of your gateway.
+* **Shared key**: This shared key is the same one that you specify when you create your site-to-site VPN connection. In our examples, we use a simple shared key. We recommend that you generate a more complex key to use.
+* **Public IP addresses of your virtual network gateway instances**: Obtain the IP address for each VM instance. If your gateway is in active-active mode, you'll have an IP address for each gateway VM instance. Be sure to configure your device with both IP addresses, one for each active gateway VM. Active-standby mode gateways have only one IP address.
+
+> [!NOTE]
+> [!INCLUDE [active-active establish two tunnels](../../includes/vpn-gateway-active-active-tunnel.md)]
 
 [!INCLUDE [Configure a VPN device](../../includes/vpn-gateway-configure-vpn-device-include.md)]
 
 ## <a name="CreateConnection"></a>Create VPN connections
 
-Create a site-to-site VPN connection between your virtual network gateway and your on-premises VPN device.
+Create a site-to-site VPN connection between your virtual network gateway and your on-premises VPN device. If you're using an active-active mode gateway (recommended), each gateway VM instance has a separate assigned IP address object. To properly configure [highly available connectivity](vpn-gateway-highlyavailable.md), you must connect each VM instance to your VPN device.
 
 Create a connection by using the following values:
 
@@ -161,9 +169,9 @@ Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connect
 
 You can create a connection to multiple on-premises sites from the same VPN gateway. If you want to configure multiple connections, the address spaces can't overlap between any of the connections.
 
-1. To add another connection, go to the VPN gateway and then select **Connections** to open the **Connections** page.
-1. Select **+ Add** to add your connection. Adjust the connection type to reflect either network-to-network (if connecting to another virtual network gateway) or site-to-site.
-1. If you're connecting by using site-to-site and you haven't already created a local network gateway for the site you want to connect to, you can create a new one.
+1. If you're connecting using a site-to-site VPN and you don't have a local network gateway for the site you want to connect to, create another site.
+1. To add a connection, go to the VPN gateway and then select **Connections** to open the **Connections** page.
+1. Select **+ Add** to add your connection. Adjust the connection type to reflect either VNet-to-VNet (if connecting to another virtual network gateway) or site-to-site.
 1. Specify the shared key that you want to use and then select **OK** to create the connection.
 
 ### Update a connection shared key
diff --git a/includes/vpn-gateway-add-site-to-site-connection-portal-include.md b/includes/vpn-gateway-add-site-to-site-connection-portal-include.md
@@ -1,11 +1,11 @@
 ---
  author: cherylmc
- ms.service: azure-vpn-gateway
+ ms.service: vpn-gateway
  ms.topic: include
- ms.date: 04/16/2024
+ ms.date: 08/13/2024
  ms.author: cherylmc
 ---
-1. Go to your virtual network. On your virtual network page, in the left pane, select **Connected devices**. Locate your VPN gateway and select it to open it.
+1. In the portal, go to the virtual network gateway and open it.
 1. On the page for the gateway, select **Connections**.
 1. At the top of the **Connections** page, select **+ Add** to open the **Create connection** page.
 
