Azure site-site VPN with failover

azureipsecvpn

First off, we have an existing site-to-site IPsec VPN (route based) between our office and our Azure cloud. This works exactly as it's supposed to. We just got a backup internet connection (Cradlepoint) for failover situations. The internet backup is functional, and I've set up an alternate connection with the IP address of our backup option, but the site-to-site VPN never comes back up when we do a failover test.
Functionally, on the "local" side, the same firewall is initiating the connection, so what I've done is set up the backup connection to use the same PSK, but to the IP of the backup internet rather than our "normal" IP.

Here's a hypothetical setup:
Main internet: 1.1.1.1 PSK: ABC
Backup internet: 2.2.2.2 PSK: ABC
Azure VNG: 3.3.3.3 PSK: ABC

The VPN between Main and Azure works perfectly. The tunnel is up and passes information normally. When we attempt a failover test, the connection between 2.2.2.2 and 3.3.3.3 never comes up, despite having a "Connection" of its own in Azure. Any help at all is appreciated.

Best Answer

Looks like this is expected behavior; check this link: http://www.gi-architects.co.uk/2015/12/azure-highly-available-dynamic-vpn-automatic-failover/ (written by Luben Kirov)

Real VPN failover is on Microsoft's radar, but it hasn't been implemented yet: https://feedback.azure.com/forums/217313-networking/suggestions/7911798-vpn-failover

Unless you contact the Azure support team and they tell you otherwise, I think there is no real way for this to be done.