Preferred BGP routes using bgp peer_weight or routes_weight not working

Minh Tuan Nguyen 20 Reputation points
2025-12-13T15:44:15.9866667+00:00

Hi Everyone,

I have VPN gateway in active/active mode and it has 02 site-to-site VPN tunnels towards local firewall.
The goal is to use 01 vpn tunnel as primary and 01 as secondary. I tried with BGP peer_weight value and routes_weight but Azure VPN gateway always use 2nd vpn tunnel no matter what value I set.
How can I achieve this with Azure VPN gateway?

Thanks,

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

Answer accepted by question author
    Ravi Varma Mudduluru 4,790 Reputation points Microsoft External Staff Moderator
    2025-12-14T14:07:02.9366667+00:00

    Hello @Minh Tuan Nguyen,

    Thanks for reaching out to Microsoft Q&A.

    I can see you're facing an issue with your Azure VPN gateway where the peer_weight and routes_weight settings are not working as expected in your active/active configuration. It seems you want to prioritize one of your Site-to-Site VPN tunnels as primary and the other as secondary.

    Azure VPN Gateway does not honor peer_weight or routes_weight for IPsec S2S VPN connections. These settings apply only to ExpressRoute gateway connections, not VPN tunnels. Therefore, modifying these values will not influence which tunnel Azure selects.

    When you have two VPN tunnels (Primary & Secondary) between your on‑prem firewall and Azure, you want Azure to always use the Primary unless it goes down.

    Azure uses BGP path selection, and the shortest AS Path is always preferred.

    Flow Diagram: [image]

    Note: Azure can legitimately send flows over either tunnel in active/active; symmetric routing is not guaranteed. If strict symmetry is mandatory for your firewall, Active/Standby

    In active–active mode, Azure may use either tunnel for return flows, and symmetric routing is not guaranteed. If your firewall requires strict symmetric paths, you may need to adjust local‑preference or routing metrics on‑premises, or consider deployment using active–standby mode instead.

    If you need a true primary/secondary tunnel arrangement, you can use the active‑standby gateway mode instead. Active‑standby natively supports a primary tunnel and a secondary failover tunnel.


    Reference document:

    https://v4.hkg1.meaqua.org/en-us/azure/vpn-gateway/about-active-active-gateways

    https://v4.hkg1.meaqua.org/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#how-does-azure-vpn-gateway-handle-traffic-flow-in-active-active-mode-and-what-should-i-consider-if-my-on-premises-setup-requires-symmetric-routing

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

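The two selection rules the answer states (peer_weight/routes_weight are not consulted for IPsec S2S, and the shortest AS path wins) can be modelled to show why the weight settings had no effect and what on-premises change would steer Azure to the primary tunnel. This is an added illustration, not code from Microsoft or the poster; the AS number, tunnel names and the simplified comparison are assumptions, and a real BGP speaker evaluates further attributes before the AS-path step.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    tunnel: str          # S2S tunnel the advertisement arrived on
    as_path: tuple       # AS_PATH as received (leftmost = nearest AS)
    peer_weight: int = 0 # Azure peer_weight / routes_weight (ignored for IPsec S2S)


def azure_candidates(paths):
    """Paths Azure keeps for an IPsec S2S prefix under the rules in the answer.

    peer_weight is deliberately never read: the answer states it only applies
    to ExpressRoute connections. Ties on AS_PATH length are left unresolved,
    which in active/active mode means flows may use either tunnel.
    """
    shortest = min(len(p.as_path) for p in paths)
    return [p for p in paths if len(p.as_path) == shortest]


def prepend(path, times):
    """On-prem AS-path prepending on the advertisement sent over one tunnel.

    Assumption: the firewall prepends its own ASN `times` extra times, which
    lengthens the AS_PATH Azure sees on that tunnel only.
    """
    own_as = path.as_path[0]
    return BgpPath(path.tunnel, (own_as,) * times + path.as_path, path.peer_weight)


def demo():
    onprem_as = 65010  # constructed private ASN
    primary = BgpPath("tunnel-1", (onprem_as,), peer_weight=200)
    secondary = BgpPath("tunnel-2", (onprem_as,), peer_weight=0)

    # Weight alone changes nothing: both tunnels remain candidates.
    with_weight = [p.tunnel for p in azure_candidates([primary, secondary])]

    # Prepending on the secondary tunnel makes the primary the only candidate.
    steered = [p.tunnel for p in azure_candidates([primary, prepend(secondary, 3)])]

    # If the primary tunnel drops, only the prepended secondary path remains.
    failover = [p.tunnel for p in azure_candidates([prepend(secondary, 3)])]
    return with_weight, steered, failover


if __name__ == "__main__":
    print(demo())
```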
