Create a Post
Showing results for 
Search instead for 
Did you mean: 

MEP and SNX Load Balance on Azure

this is a set of videos showing how to configure a VMSS to be HUB of C2S VPN by using MEP for IPsec clients and Azure LB for SNX (Clientless VPN)

This was done manually on the first video, then worked on a bash script launched by the CME (so can also work on an ASG of AWS) that do all the manual process by itself so we need only to choose how many gateways we want to terminate the VPN.

The code is here;


video of manual way (described on the attached doc)


video showing the automation by the bash scripting

3 Replies

Thank you for creating these procedures.      I have a question specific to the IPSec VPN client and the Scale Set's.    Is there a way to gracefully bring down one of the VM's created in the Scale Set without impacting connected VPN clients?       If you spin up a new vm in the scale set and manually configure it. It will immediately start accepting VPN client connections.    But if we wanted to scale one of the VM's down(or say wanted to apply a hotfix)?  Is there a way to preventing the gateway  from accepting any new connections so that it could be patched or  removed from the scale set when the vpn client connections get down to 0.    We did some initial tests and the VPN client connections do not appear to be state-full across the load balancer.  So when the gateway I was connected to was taken out of service, my vpn connection was dropped.        

0 Kudos

MEP is not a cluster so it's expected to not have sync on the sessions.


Until now I'm still thinking on that Scale-In events, the solution was provided to a customer in this way and he accept to monitor the GW and destroy the least used and apply policy to disappear it from the client list.



0 Kudos

Thankyou @ChristianCastil for the very informative video. Can I please ask few questions:

Is Azure traffic manager required to achieve GEO load balancing. I see the option of dns_based under mep, as we want the option of EMEA users logging to EMEA region and US users to US region. In the endpoint client we have both the regional scalesets (total 4 VMs). Does this mean the client will resolve to the scaleset based on the proximity and connect. 

Is it possible to have a larger office mode networks than the default /24 to /16 etc. 

Is it possible to use IP pool NAT in Azure instead of just hiding all traffic behind eth1 of the gateway. If so how to register the IP's in Azure env. If not I am worried about NAT port exhaustion given 1000's of users accessing same internal website etc. 

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events