P1 · Cloud & Hybrid Infrastructure

Azure VPN Gateway or ExpressRoute Connectivity Loss — Hybrid Network Down

On-premises users lose access to Azure-hosted resources due to a failed VPN Gateway connection or ExpressRoute BGP peer drop. Causes range from IKE policy mismatch and PSK errors to gateway maintenance and BGP misconfiguration.

Indicators

On-premises users cannot reach Azure VM private IPs or internal services
Azure VPN Gateway Connection blade shows 'Disconnected'
BGP peer down on ExpressRoute — provider or Microsoft side
Ping to Azure private address space times out from on-premises

Likely causes

IKE policy or PSK mismatch after firewall config change on either side
BGP peer ASN or IP misconfiguration on ExpressRoute after circuit change
NSG accidentally applied to GatewaySubnet blocking gateway traffic
On-premises firewall rule change blocking IKE (UDP 500/4500)
Azure gateway undergoing scheduled platform maintenance

Diagnostic steps

Azure portal > VPN Gateway > Connections — check status; click 'Reset connection' if stuck in 'Connecting' for more than 5 minutes
Check Azure Service Health for VPN Gateway or ExpressRoute maintenance events in the region
Enable VPN Gateway diagnostic logging: Gateway > Diagnostic settings > Log Analytics; query IKEDiagnosticLog for phase 1/2 failures
On-premises: capture IKE negotiation with Wireshark on UDP 500 and 4500 — identify which IKE phase is failing and error codes
Verify no NSG is applied to GatewaySubnet: az network vnet subnet show — AzureRM will warn but custom deployments may bypass
For ExpressRoute: check circuit status with provider and BGP peer state: az network express-route show -g <rg> -n <circuit>

Resolution path

Check Azure Service Health for gateway maintenance before troubleshooting config
Reset connection from Azure portal
Match IKE policy and PSK between Azure gateway and on-premises firewall
Remove any NSG from GatewaySubnet
Escalate to circuit provider if ExpressRoute physical or BGP issue

Prevention

Deploy Active-Active VPN Gateway for redundancy — eliminates single-instance failover gap
Use ExpressRoute with S2S VPN as backup for production hybrid connectivity
Set Azure Monitor alerts on connection state changes and BGP peer drops
Document IKE policy settings on both sides and store in change management records

Tools

Azure Portal (VPN Gateway, ExpressRoute, Service Health)
Azure CLI — az network vpn-connection / express-route
Network Watcher — VPN Troubleshoot
Wireshark (on-premises IKE capture)
Azure Monitor — VPN Gateway diagnostic logs

azurevpn-gatewayexpressroutehybridconnectivitybgpike