Load balancing Microsoft Always-On VPN
Microsoft Always On VPN provides a single, cohesive solution for remote access and supports domain-joined, non domain-joined (workgroup), or Azure AD–joined devices, even personally owned devices.
With Always On VPN, the connection type does not have to be exclusively user or device but can be a combination of both. For example, you could enable device authentication for remote device management and then enable user authentication for connectivity to internal company sites and services.
To provide resilience and high availability for your Always On VPN infrastructure, multiple Always On VPN servers should be deployed with a load balancer. This helps ensure that users can always connect to the corporate network by constantly checking the health of the Always On VPN servers and only forwarding connections to functional servers
More detail on the Always On components, how it works, and prerequisites for load balancing can be found in our deployment guide, available to view below.
We recommend using Layer 4 SNAT mode for Always On VPN. This mode offers good performance and is simple to configure since it requires no configuration changes to the Always On VPN and Network Policy servers. Layer 4 DR mode and NAT mode can also be used if preferred. To use DR mode it is required to solve the ARP problem on each Always On VPN server (please see the Administration Manual and search for “DR mode considerations”). Using NAT mode requires the default gateway on each real server to be configured to be the load balancer.
Load balancers can be deployed as single units or as a clustered pair. Loadbalancer.org recommends deploying a clustered pair for resilience and high availability. Details on configuring a clustered pair can be found on page 19 of our deployment guide, below.