Friday, January 14, 2022


Virtual Network gateways in availability zones:

VPN and ExpressRoute gateways can be deployed to Azure Availability Zones. Previously they could only be deployed regionally; now they can be deployed to the zones within a region. This improves the resiliency, scalability, and availability of virtual network gateways, and it also opens up new uses for the gateways, particularly together with Azure Traffic Manager. Deploying gateways in Azure Availability Zones physically and logically separates the gateways within a region, which protects on-premises network connectivity to Azure from zone-level failures. By deploying a zonal gateway to each of the three zones and spanning a Traffic Manager profile over them, we can route traffic with zone isolation, which also makes it possible to simulate an availability-zone outage by diverting traffic away from one zone. A use of Traffic Manager to divert traffic was described in an earlier article in this series: https://1drv.ms/w/s!Ashlm-Nw-wnWzhVd4TIY70gOs48M?e=ma9y5q

When we deploy across availability zones, we can use zone-redundant virtual network gateways. This adds zone resilience to mission-critical, scalable services. Both zone-redundant and zonal gateways rely on the Azure public IP resource with the Standard SKU. When the public IP address is created with the Standard SKU, the behavior depends on whether the gateway is a VPN gateway or an ExpressRoute gateway: for a VPN gateway, two gateway instances are deployed in any two of the three availability zones, which provides zone redundancy; an ExpressRoute gateway can span all three zones.

Compare this with a zonal gateway, where all gateway instances are deployed in the single zone specified by the user. Zones are identified by the numerals 1, 2, or 3, and there can be up to three zones within a region. The public IP address must again be created using the Standard public IP SKU.

When a regional gateway is deployed with a Basic public IP SKU, it has no zone redundancy built into it. When gateways are instead deployed zone-redundantly across availability zones, each availability zone is a separate fault and update domain. This makes the gateway more reliable, more available, and resilient to zone failures.

The Azure portal can be used to deploy these SKUs, but they are only shown in regions that have availability zones. These gateways must be created new: existing gateways cannot be changed, migrated, or upgraded to zone-redundant or zonal gateways. Co-existence of VPN and ExpressRoute gateways in the same virtual network is supported, but a /27 IP address range must be reserved for the gateway subnet.
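As an added pre-flight check (not code from this article or from Azure), the function below encodes the combinations described in the preceding paragraphs: a Standard public IP SKU with all three zones gives a zone-redundant gateway (VPN instances across two of the three zones, ExpressRoute across all three), a single zone gives a zonal gateway, a Basic public IP SKU gives a regional gateway with no zone redundancy, and a GatewaySubnet smaller than /27 is rejected when VPN and ExpressRoute gateways coexist. It assumes the AZ-suffixed gateway SKUs (VpnGw1AZ, ErGw1AZ, and so on) are the zone-capable ones; the subnet prefixes used in the checks are constructed values.

```python
# Constructed example: these rules restate the constraints from the article
# above; they are not an Azure API and never call Azure.
import ipaddress

ZONES = {"1", "2", "3"}

def plan_gateway(gateway_type, gateway_sku, public_ip_sku, zones,
                 gateway_subnet, coexists_with_other_gateway=False):
    """Return the deployment mode ('regional', 'zonal' or 'zone-redundant')
    and the zones involved, or raise ValueError for an unsupported mix."""
    if gateway_type not in ("Vpn", "ExpressRoute"):
        raise ValueError("gateway_type must be 'Vpn' or 'ExpressRoute'")
    # Coexisting VPN and ExpressRoute gateways need a /27 or larger GatewaySubnet.
    net = ipaddress.ip_network(gateway_subnet, strict=True)
    if coexists_with_other_gateway and net.prefixlen > 27:
        raise ValueError(f"GatewaySubnet {gateway_subnet} is smaller than /27")
    zones = set(map(str, zones or []))
    if not zones <= ZONES:
        raise ValueError(f"zones must be a subset of {sorted(ZONES)}")
    # Assumption: the AZ-suffixed gateway SKUs are the zone-capable ones.
    zone_sku = gateway_sku.upper().endswith("AZ")
    if public_ip_sku == "Basic":
        # Basic public IP SKU: a regional gateway with no zone redundancy.
        if zone_sku or zones:
            raise ValueError("Basic public IP SKU cannot be combined with zones or AZ SKUs")
        return {"mode": "regional", "zones": []}
    if public_ip_sku != "Standard":
        raise ValueError("public_ip_sku must be 'Basic' or 'Standard'")
    if len(zones) not in (1, 3):
        raise ValueError("with a Standard public IP give one zone (zonal) or all three (zone-redundant)")
    if not zone_sku:
        raise ValueError("zonal and zone-redundant gateways need an AZ gateway SKU")
    if len(zones) == 1:
        # Zonal: every instance lands in the single zone the user chose.
        return {"mode": "zonal", "zones": sorted(zones)}
    # Zone-redundant: a VPN gateway places two instances in any two of the
    # three zones; an ExpressRoute gateway can span all three.
    spanned = 2 if gateway_type == "Vpn" else 3
    return {"mode": "zone-redundant", "zones": sorted(ZONES),
            "instance_zones_spanned": spanned}

def is_supported(**kwargs):
    """True when plan_gateway accepts the combination, False otherwise."""
    try:
        plan_gateway(**kwargs)
    except ValueError:
        return False
    return True
```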

This is a continuation of a series of articles on operational engineering aspects of Azure public cloud computing, which included the most recent discussion on Azure VPN Gateway, a full-fledged general-availability service.
