As promised, I would cover Availability Zones a bit more in the next few posts. If your Azure region supports Availability Zones you probably want to use them. Yes the services are a bit more expensive but you gain a higher SLA and the ability to adopt an active-active infrastructure.
This active-active infrastructure usually starts with the VPN/ExpressRoute gateways. When you deploy an Azure gateway there are essentially 3 options: Regional (it lands in some AZ, but you don't know which), Zonal (you select the zone it is deployed in) and Zone Redundant (it is deployed in at least 2 zones).
Existing Gateways
But what if you already have a Virtual Network Gateway and want to convert it to a zone-redundant or zonal gateway? Unfortunately, there is no direct way to convert without downtime: you have to delete the old gateway and deploy a new one. That also means removing the connections, getting new public IP addresses, setting the tags again and restoring the remaining configuration. If only there was a script that did this for you.
And there is...
Gateway Conversion script
The ConvertGatewayToAZ.ps1 script takes an existing gateway, copies and exports its configuration (so you can recover if needed) and deploys a new zone-redundant or zonal gateway in its place. The new gateway is configured with the same tags, BGP settings and connections. The script works for active/passive as well as active/active deployments. It is also possible to move a gateway from Zonal to Zone Redundant, or between zones.
For this, the script deploys new Public IP addresses (it takes the old IP address name and appends _REDUNDANT to it), which also receive the previous Public IP configuration (such as DNS name and tags).
Note that because new Public IP addresses are deployed, you will need to update your on-premises VPN device; the script will notify you of this.
Running the script is easy, but it does take some time, as the old gateway is deleted and a new one deployed. Since deletion and creation can each take up to 45 minutes, a maximum of 1.5 hrs is possible. However, in my tests I'm usually at 15 minutes or so.
If things go bad, the script always exports the JSON configuration of every item that is to be deleted, so you can restore these objects manually. For this you only need to execute a new resource group deployment:
New-AzResourceGroupDeployment -Name <name> -ResourceGroupName <resourcegroup> -Templatefile <file>
The exported files are available for:
- The old gateway
- The connections
- Public IP address (although this is not deleted)
The gateways are only upgraded to the AZ level of their current SKU. That means that a Generation 1 VpnGw2 becomes VpnGw2AZ. If you are still running the Basic SKU, the script upgrades it to the minimum of VpnGw1AZ. If the gateway is already an AZ-based gateway, it will not be upgraded.
Note that the upgrade of the gateway will incur extra costs.
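As an added pre-flight example (not part of ConvertGatewayToAZ.ps1 or its module), the following PowerShell uses the Az cmdlets to do the two things the script relies on before anything is deleted: export the gateway, its connections and its public IPs as ARM templates that New-AzResourceGroupDeployment can restore, and compute the target AZ SKU following the upgrade rules above. The function names, the output folder and the way the _REDUNDANT suffix is applied are my assumptions; it assumes Az.Network and Az.Resources are installed and Connect-AzAccount has been run.

```powershell
# Added pre-flight helper, not the project's own code. Assumes Az.Network / Az.Resources
# and an authenticated Az session. Function and folder names are assumptions.

function Get-TargetAzSku {
    param([Parameter(Mandatory)][string]$CurrentSku)
    # Already an AZ SKU: left unchanged (-match is case-insensitive in PowerShell)
    if ($CurrentSku -match 'AZ$') { return $CurrentSku }
    # Basic has no AZ variant: the minimum AZ SKU is VpnGw1AZ
    if ($CurrentSku -eq 'Basic') { return 'VpnGw1AZ' }
    # VpnGw1..VpnGw5 keep their tier and gain the AZ suffix
    if ($CurrentSku -match '^VpnGw\d$') { return "${CurrentSku}AZ" }
    throw "Unsupported SKU '$CurrentSku' (only VPN gateway SKUs are handled)"
}

function Export-GatewayBackup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ResourceGroup,
        [string]$OutDir = (Join-Path (Get-Location) 'gw-backup')   # assumed default folder
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $gw = Get-AzVirtualNetworkGateway -Name $Name -ResourceGroupName $ResourceGroup

    # Connections referencing this gateway are deleted with it, so capture them as well
    $conns = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroup |
        Where-Object { $_.VirtualNetworkGateway1.Id -eq $gw.Id }

    # Public IPs are not deleted, but their DNS label and tags are copied to the new
    # <name>_REDUNDANT addresses, so keep a record of them too
    $pipIds = @($gw.IpConfigurations | ForEach-Object { $_.PublicIpAddress.Id })

    # One ARM template per resource; restore with:
    #   New-AzResourceGroupDeployment -Name <n> -ResourceGroupName <rg> -TemplateFile <file>
    foreach ($id in (@($gw.Id) + @($conns.Id) + $pipIds)) {
        $file = Join-Path $OutDir ((($id -split '/')[-1]) + '.json')
        Export-AzResourceGroup -ResourceGroupName $ResourceGroup -Resource $id -Path $file -Force | Out-Null
    }

    # Summary of what the conversion would touch; review this before running the script
    [pscustomobject]@{
        Gateway      = $gw.Name
        CurrentSku   = $gw.Sku.Name
        TargetSku    = Get-TargetAzSku $gw.Sku.Name
        ActiveActive = $gw.ActiveActive
        Connections  = @($conns.Name)
        NewPublicIps = @($pipIds | ForEach-Object { (($_ -split '/')[-1]) + '_REDUNDANT' })
        BackupDir    = $OutDir
    }
}

# Example call (resource names are placeholders):
# Export-GatewayBackup -Name vnetgateway -ResourceGroup region2zone
```

The NewPublicIps names are the ones your on-premises VPN peers will need to be re-pointed to once the script has created them.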
Running the script
#converting a gateway to ZoneRedundant
.\ConvertGatewayToAZ.ps1 -Name vnetgateway -ResourceGroup region2zone -Production $true -ZoneRedundant $true
#Deploying a gateway into a specific AZ
.\ConvertGatewayToAZ.ps1 -Name vnetgateway -ResourceGroup region2zone -Production $true -Zone 2
The tool consists of a .ps1 script and a supporting .psm1 module. Both need to be downloaded and unblocked prior to use. You can download and contribute on GitHub.
Currently it supports VPN Gateways only.