Failover VPN between SonicWall and Azure Networks

Synopsis: Work in progress - steps for creating a failover VPN configuration between on-prem SonicWall and Azure INF..

Published June 21st, 2026
Last Modified: June 21st, 2026

Intro: Work in progress, still figuring this out exactly, but will need to recreate for about a dozen networks.







Quick Run Down

1.) Confirmations

2.) Azure Setup

3.) SonicWall Setup

4.) Troubleshooting

5.) Recommended Reading

Confirmations

  • SonicWall licensing might not include advanced networking; confirm the option to enable BGP is available.
  • The Azure gateway license SKU might not include advanced networking; confirm the option to enable Active-Active is available.
  • Route-Based VPN Tunnels ( NOT Policy-Based )
  • Network Design for BGP

Azure Setup

    The steps below are notes on how items should look for a single deployment, not so much about 'how' to implement these options.

    Virtual Network Gateway

    • Active-Active: Enabled
    • Autonomous system number (ASN) : 65515 (Default ASN for Azure VNET GWs)
    • Custom Azure APIPA BGP IP ADDRESS : 169.254.21.1
    • Second Custom Azure APIPA BGP IP ADDRESS : 169.254.21.5

    Local Network Gateway A

    • Configure BGP : YES
    • ASN : 65010
    • BGP Peer IP Address : 169.254.21.2
    • Address Space : 169.254.21.2/32

    Local Network Gateway B

    • Configure BGP : YES
    • ASN : 65010
    • BGP Peer IP Address : 169.254.21.6
    • Address Space : 169.254.21.6/32






    Connection A

    • BGP: Enabled

    Connection B

    • BGP: Enabled

SonicWall Setup

    SonicWall Setup

    • Network > System > Dynamic Routing > Enable Advanced Routing


    • Enable SSH on the WAN interface. Enabled on both for testing.
    • Optional: Create a temporary local admin account to use with PuTTY, so that SSH and the web interface can be used simultaneously.

    VPN Policies

      VPN Policies must be created first in order to be referenced by the Virtual Interfaces in the next step.
    • Policy Type: Tunnel Interface
    • IKE Using Preshared Secret
    • Name: Office-Azure-Primary OR Office-Azure-Secondary
    • IPsec Primary Gateway Name or Address: Azure VNETGW Primary IP OR Azure VNETGW Secondary IP

    Virtual Interfaces

      Create a Virtual VPN Interface for each circuit. These items are the local BGP items that will be referenced by Azure.


    Custom Routing

      Custom routes must be created to give outbound priority to one of the VPN tunnels. The routing from the Azure side is configured later, during the BGP CLI configuration.
      Note in the example below, the lower metric is applied to the primary route.


    BGP Configuration

      Connect via PuTTY and make the following changes:

    • Custom BGP
    • config
      router bgp (YOUR_ASN)
      network (SUBNET)

    • Custom Route Map (This is required for Azure to 'learn' the primary/secondary route preference)
    • config
      route-map (ROUTE-MAP-NAME) permit 10
      match ip address prefix-list ALL
      set as-path prepend (YOUR_ASN) (YOUR_ASN) (YOUR_ASN)

    • Create 1st BGP Neighbor
    • config
      neighbor (AZURE_PEER_IP_1) remote-as (AZURE_ASN)
      neighbor (AZURE_PEER_IP_1) ebgp-multihop 2

    • Create 2nd BGP Neighbor
    • config
      neighbor (AZURE_PEER_IP_2) remote-as (AZURE_ASN)
      neighbor (AZURE_PEER_IP_2) ebgp-multihop 2
      neighbor (AZURE_PEER_IP_2) route-map (ROUTE-MAP-NAME) out

    • Save and Exit, as needed to return to top layer
    • write
      exit

    • Export Summary to review with example below
    • config
      routing
      bgp
      show running-config
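
Added example (not part of the original notes and not SonicWall or Azure tooling): a Python check of the values listed under Azure Setup, plus the effect of the route-map prepend on which tunnel Azure prefers. It assumes each tunnel interface is addressed as a /30 and that Azure's other BGP attributes are equal, so the shortest AS path wins; the tunnel labels and function names are made up for illustration.

```python
"""Added example: sanity-check the BGP design values from the notes above."""
import ipaddress

# Azure accepts custom APIPA BGP addresses only inside 169.254.21.0 - 169.254.22.255.
AZURE_APIPA = [ipaddress.ip_network("169.254.21.0/24"),
               ipaddress.ip_network("169.254.22.0/24")]
# ASNs Azure reserves for itself; an on-prem peer cannot use them.
AZURE_RESERVED_ASN = {8074, 8075, 12076, 65515, 65517, 65518, 65519, 65520}

# Values taken from the Azure Setup notes; the tunnel labels are made up here.
AZURE_ASN, ONPREM_ASN = 65515, 65010
TUNNELS = {
    "primary":   {"azure": "169.254.21.1", "sonicwall": "169.254.21.2", "prepend": 0},
    "secondary": {"azure": "169.254.21.5", "sonicwall": "169.254.21.6", "prepend": 3},
}

def check_design(tunnels, onprem_asn, azure_asn):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if onprem_asn == azure_asn or onprem_asn in AZURE_RESERVED_ASN:
        problems.append(f"on-prem ASN {onprem_asn} collides with an Azure ASN")
    seen = set()
    for name, t in tunnels.items():
        az, sw = ipaddress.ip_address(t["azure"]), ipaddress.ip_address(t["sonicwall"])
        for ip in (az, sw):
            if not any(ip in net for net in AZURE_APIPA):
                problems.append(f"{name}: {ip} is outside Azure's APIPA BGP range")
        # Assumption: both ends of one tunnel are the two host addresses of one /30.
        net = ipaddress.ip_network(f"{az}/30", strict=False)
        if sw not in net or not {az, sw} <= set(net.hosts()):
            problems.append(f"{name}: {az} and {sw} are not hosts of one /30")
        if net in seen:
            problems.append(f"{name}: {net} is reused by another tunnel")
        seen.add(net)
    return problems

def azure_preferred(tunnels):
    """Tunnel Azure picks for return traffic when the shortest AS path decides."""
    # The SonicWall advertises its own ASN once, plus any prepended copies.
    return min(tunnels, key=lambda n: 1 + tunnels[n]["prepend"])

if __name__ == "__main__":
    print(check_design(TUNNELS, ONPREM_ASN, AZURE_ASN) or "design values are consistent")
    print("Azure prefers:", azure_preferred(TUNNELS))
```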

Troubleshooting

  • BGP Running Config Example:


  • PlaceHolder
  • PlaceHolder

Recommended Reading

  • PlaceHolder
  • PlaceHolder
  • PlaceHolder
